This morning I woke up to 3 email messages and 2 Skype messages from people telling me my site was hacked. I’ve had better mornings, as you can imagine. Luckily, through CodeGuard, I was able to determine what had changed in the last period. You know what? It was my own stupid fault: I hadn’t updated a theme.
I run a couple of WordPress instances on this server. This website, which you’re looking at, but also a MultiSite install in /bugs/, running WooThemes’ FaultPress. Now, had I been paying attention, I would have read this post on the WooThemes blog a month ago, telling me to upgrade their WooFramework to fix vulnerabilities. I didn’t, I was slacking. This morning I found out that was stupid, as that exact vulnerability was used to hack my server.
The issue is bigger though: so many of you don’t upgrade regularly. You see, security breaches happen. I have helped quite a few plugin authors fix security issues in their plugins, and I myself have been helped by the likes of Jon Cave and Andrew Nacin to fix security issues in my own plugins. When I update a plugin though, it’s very rare to see more than 20% of the users update within a week. We, as a community, need to get better at that.
Now, I’m on both sides of this fence: I’m a user and a developer. As a developer, I started thinking about how I could get more of you to upgrade. I know Genesis has a feature in their backend that’s quite cool:
You just drop your email in there and you get an email when an update is available. I’m going to add something like that to my own bigger plugins, though I have to think a bit about what the best way to do this is…
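As an added example (not Genesis’ code and not from this post), here is one way a plugin could implement that kind of notification on WordPress itself: a daily WP-Cron job reads the update transients core already maintains and mails the admin when core, plugin or theme updates are pending. The hook name `pun_daily_check` and option name `pun_last_digest` are made up for this example.

```php
<?php
/**
 * Plugin Name: Pending Update Notifier (example)
 * Description: Emails the admin once a day while core, plugin or theme updates are pending.
 * Assumes WordPress' own update checks have run, so the update_* site transients are populated.
 */

// Schedule the daily check if it is not already queued (hook name is hypothetical).
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'pun_daily_check' ) ) {
        wp_schedule_event( time(), 'daily', 'pun_daily_check' );
    }
} );
add_action( 'pun_daily_check', 'pun_notify_pending_updates' );

// Build a human-readable list of pending updates; empty when everything is current.
function pun_pending_updates() {
    $lines = array();

    $core = get_site_transient( 'update_core' );
    foreach ( (array) ( $core->updates ?? array() ) as $u ) {
        if ( 'upgrade' === $u->response ) {
            $lines[] = sprintf( 'WordPress core: %s -> %s', get_bloginfo( 'version' ), $u->current );
        }
    }

    $plugins = get_site_transient( 'update_plugins' );
    foreach ( (array) ( $plugins->response ?? array() ) as $file => $u ) {
        $lines[] = sprintf( 'Plugin %s: new version %s', $file, $u->new_version );
    }

    // Theme entries in this transient are arrays, not objects.
    $themes = get_site_transient( 'update_themes' );
    foreach ( (array) ( $themes->response ?? array() ) as $slug => $u ) {
        $lines[] = sprintf( 'Theme %s: new version %s', $slug, $u['new_version'] );
    }
    return $lines;
}

function pun_notify_pending_updates() {
    $lines = pun_pending_updates();
    if ( empty( $lines ) ) {
        return;
    }
    // Only mail when the set of pending updates changed, so the admin is not nagged daily.
    $digest = md5( implode( "\n", $lines ) );
    if ( get_site_option( 'pun_last_digest' ) === $digest ) {
        return;
    }
    update_site_option( 'pun_last_digest', $digest );
    $subject = '[' . get_bloginfo( 'name' ) . '] Updates pending';
    wp_mail( get_site_option( 'admin_email' ), $subject, implode( "\n", $lines ) );
}
```

On a MultiSite install `get_site_option( 'admin_email' )` resolves to the network admin address, so one mail covers every site on the network.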
The moral of this story is quite simple though: don’t let this happen to you: upgrade your core, themes & plugins very regularly!