Safety first!

No one is immune to hacks. It doesn’t matter if you are a small business with 10 employees or a huge business with 10,000 employees. This was proven again this past Wednesday when the Microsoft site digitalconstitution.com was found to contain numerous spam pages and links. The site, according to ZDNet, was running an older version of WordPress, which made it susceptible to the attack. This should serve as a sobering reminder to all of us.

When was the last time you looked at the plugins you were using on your site? How about your themes? Do you really need all of them? Are there any just sitting there, disabled and never updated? Many of the exploits and hacks that hit WordPress sites today are a direct result of outdated themes and plugins. If you are unlikely to ever use that really neat slider plugin that you never got around to playing with, then why do you still have it? How about those 10 different themes you uploaded when you were thinking about redesigning the site? Seriously, are you ever going to use them? If the answer to any of those questions is no, then get rid of them.

How about the plugins you do use? Is there any reason you are still running an old, outdated, unmaintained plugin that hasn’t been supported in years? Is the functionality so crucial that you are willing to risk your site’s security on it? Is it worth the time, the energy, the lost business, and the lost sleep that will inevitably come when your site is exploited and redirects everyone to an offshore pharmacy? With 38,461 plugins in the WordPress.org repository at the time of this entry, there are probably at least several that serve the same purpose but are updated and rated to work with the current version of WordPress.
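The two paragraphs above describe an audit: drop what is inactive, update what has a release waiting, and replace what nobody maintains any more. The script below is an added example (it is not code from this post or from Wordfence) that turns that audit into a repeatable check. It reads the JSON that `wp plugin list --format=json --fields=name,status,version,update,update_version` emits and the `last_updated` and `tested` fields from the WordPress.org plugin-information API; both inputs are embedded here as constructed samples so it runs offline, and the one-year and two-release thresholds are this example's own assumptions to tune for your site.

```python
"""Audit a WordPress plugin inventory: delete, update, replace or keep.

Added example, not from the original post. Inputs are constructed samples
shaped like WP-CLI's `wp plugin list --format=json` output and the
WordPress.org plugin-information API record for each slug.
"""
from datetime import date, datetime

MAX_AGE_DAYS = 365       # assumed: no release in a year means "unmaintained"
MAX_TESTED_LAG = 2       # assumed: "tested up to" more than 2 releases behind core
CURRENT_WP = "4.2.2"     # core version current when this post was written
TODAY = date(2015, 6, 26)  # fixed so the sample report is reproducible

# Constructed sample of `wp plugin list --format=json ...` output.
WP_PLUGIN_LIST = [
    {"name": "akismet", "status": "active", "version": "4.1.0",
     "update": "available", "update_version": "4.1.1"},
    {"name": "neat-slider", "status": "inactive", "version": "1.0",
     "update": "none", "update_version": None},
    {"name": "old-gallery", "status": "active", "version": "0.9",
     "update": "none", "update_version": None},
]

# Constructed sample of api.wordpress.org plugin_information fields, by slug.
# Real records carry many more fields; only the two used here are kept.
# "neat-slider" is deliberately absent: a plugin that is not in the
# repository has nobody publishing fixes for it.
WP_ORG_INFO = {
    "akismet": {"last_updated": "2015-06-10 7:21pm GMT", "tested": "4.2.2"},
    "old-gallery": {"last_updated": "2012-03-01 12:00am GMT", "tested": "3.3"},
}


def parse_last_updated(value):
    """api.wordpress.org reports e.g. '2015-06-10 7:21pm GMT'; keep the date."""
    return datetime.strptime(value[:10], "%Y-%m-%d").date()


def release_index(version):
    """Map 'major.minor[.patch]' to one release counter. Assumes WordPress
    minor numbers stay below 10 (true for 3.x through 6.x), so 4.2 -> 42."""
    parts = [int(p) for p in version.split(".")[:2]]
    major, minor = (parts + [0])[:2]
    return major * 10 + minor


def maintenance_problems(slug, info, current_wp=CURRENT_WP, today=TODAY):
    """Return the reasons a plugin looks unmaintained (empty list = fine)."""
    record = info.get(slug)
    if record is None:
        return ["not in the WordPress.org repository: nobody publishes fixes for it"]
    problems = []
    age = (today - parse_last_updated(record["last_updated"])).days
    if age > MAX_AGE_DAYS:
        problems.append(f"last release {age} days ago")
    lag = release_index(current_wp) - release_index(record["tested"])
    if lag > MAX_TESTED_LAG:
        problems.append(f"tested up to WordPress {record['tested']}, "
                        f"{lag} releases behind {current_wp}")
    return problems


def audit(plugins, info, current_wp=CURRENT_WP, today=TODAY):
    """Classify every installed plugin as (action, reason)."""
    report = {}
    for p in plugins:
        if p["status"] == "inactive":
            # Disabled code is still web-reachable code; removal beats updating it.
            report[p["name"]] = ("delete", "inactive but still installed")
        elif p["update"] == "available":
            report[p["name"]] = ("update", f"{p['version']} -> {p['update_version']}")
        else:
            problems = maintenance_problems(p["name"], info, current_wp, today)
            if problems:
                report[p["name"]] = ("replace", "; ".join(problems))
            else:
                report[p["name"]] = ("keep", "current and maintained")
    return report


def wp_cli_commands(report):
    """Turn the report into WP-CLI commands to review before running them."""
    verbs = {"delete": "wp plugin delete {}", "update": "wp plugin update {}"}
    return [verbs[action].format(name)
            for name, (action, _) in sorted(report.items()) if action in verbs]


if __name__ == "__main__":
    result = audit(WP_PLUGIN_LIST, WP_ORG_INFO)
    for name, (action, reason) in sorted(result.items()):
        print(f"{name:12} {action:8} {reason}")
    print("\n".join(wp_cli_commands(result)))
```

"Replace" verdicts are left for a human: the script cannot know which alternative plugin fits, only that the current one shows the signs of abandonment the paragraph warns about. On a live site, pipe the real `wp plugin list` JSON in and fetch each slug's record from the API instead of the embedded samples.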

Let’s also not forget about the core WordPress software. WordPress doesn’t release new versions just to release something. They contain security fixes, bug patches, and, yes, even some new functionality or improvements. If you are running an outdated version of WordPress, then you likely have holes in your website’s security.

Sure, it’s tempting to poke fun when the big guys get egg on their face. But learn from their mistakes. Maintain your website. Update your software, themes, and plugins. The difference between the big guys and you is this: They have a team that will fix their site for them if they get hacked. You have you, and if you’re lucky, a much smaller team. A little updating and maintenance now will prevent you from being the next statistic.


84 Comments
  • Thanks for the reminder Tim!

  • Indeed, very sage advice. I have been called fanatical when it comes to updating but it really is the only way to truly protect yourself and your site from attack.

  • Thanks to WordFence I am notified when plugs need upgrading.

    Regarding outdated themes that aren't activated, how do you delete them? There's no delete option visible.
    Please advise.

    • It's hidden, actually. Go to your Appearance > Themes, then hover your mouse over a theme. It should say Theme Details in the middle. Click on it. It will show the details, and in the lower right hand corner, you'll see "Delete". Click that, and then confirm, and that theme will go byebye! :)

      • Thanks Karen - I wondered how that was done.

    • Deana,

      when you hover over a theme a black box will say "theme details". Click that and in the lower right corner is a delete button.

      • Got it! Thanks a bunch!

    • @Deana - Under Appearance, Themes, click on the theme to see the details. At the bottom right there should be a "delete" link in red.

    • In order to delete the redundant theme:
      1) Go to the themes page
      2) View more details of the theme by clicking on it
      3) Look to the bottom right hand corner of the pop out - a discrete red 'delete'.
      Voila

    • Just click on the theme you want to delete Under Appearance menu and you will see the Theme details When the popup comes there will be a DELETE button bottom right.

    • Click on the theme when it's in the row of themes that you're not using. There is a delete button that shows up but only after you click on the theme you want to delete.

  • Tim, thanks for the sobering reminder, indeed! I'm going to my admin section NOW to update and delete those unused plugins.

  • Excellent comments. Couldn't agree more. Keep up the good work.

  • Just goes to show that complacency really is rife, from the single site owner to multi-nationals when it comes to WordPress. With all the services out there (including WordFence of course) it beggars belief that a company like Microsoft could let this happen to one of their sites.

    Great article Tim, and hopefully a wakeup call for everyone!

  • Great post!

  • I run an update for my plugins every day and update everything which has an updated version. What I worry about is an unmaintained plugin that hasn’t been supported in years. Looks like it is time to replace them with an alternative, current version.

  • Another timely reminder that this affects all WP users. It makes the headlines when the big guys get hacked, but unfortunately many people still think their site is too small to be of interest to the hacker. In fact, it's probably more valuable to the hacker than to its owner.

  • Thanks Tim,

    Sometimes the sheer number of updates to plug ins can appear overwhelming to some users so we try wherever possible to do them for our clients. Having seen what a hacker can do to a site and the work we need to do to repair it I'd rather spend five minutes updating plug ins and themes than five hours rebuilding a site!

  • I disclose this to all of my clients until I'm blue in the face and most heed my caution..but a lot continue to believe that we Web guys are just using an excuse to make money. We offer a very affordable web maintenance package which includes three layers of security and malware scanning. Thanks for a great article. R

  • Wordfence has blocked many hacking attempts on my WordPress website. Especially as Admin. It's a great tool. Thank you to the Wordfence team.
    Kind regards, Herbie

  • Thanks, Tim. It's so easy to get caught up in the day-to-day. We use WordFence (paid version) for our clients and love how well it works. Thanks!

  • I have to say I'm amazed that Microsoft was running an outdated version of WordPress. As you say, a big dollop of egg on the face of somebody but a very valuable reminder that if you have a site on the web you're at risk.

    My clients are sick of hearing me talk about security, updates and backups but even after my pep talks I still notice that many leave updates outstanding!

  • I'm in our site every day checking and updating. I don't use a plugin from the WordPress "store" unless it shows constant updates, support, and is compatible with my version of WordPress. This will limit your choices to a precious few, which is a good thing, and help to keep you safe. But no site should be without WordFence!! It is remarkable to see how many times every day it stops hackers from logging into our site, not to mention how great a job it does keeping us updated with plugin changes, etc.

    Always enjoy your blog, keep up the good work...please!

  • Perhaps a feature that WordFence could help me with is reporting severely outdated plugins that have been abandoned by the authors. I can't manually check all my plugins to know when they were last updated by the plugin author, but maybe WordFence could. Say if a plugin hasn't been modified by the author in a year, then I start getting alerts about it? I might go find a new plugin that is better maintained.

  • Excellent advice Tim!

    This is the reason why I use Wordfence!

    Not to mention all those outdated and/or unused plugins, themes and widgets slow-up sites, which in-turn hurts rankings.

  • It is very troublesome to see how many people don't pay attention to the updates. It takes the smallest amount of knowledge for a hacker to find what version of WordPress you are running and then find the security exploits for these outdated versions. At a minimum everyone needs to be using a security plugin like Wordfence!

  • Update -update- update, clean back end with no rubbish lying around no old themes or deactivated plugins. Get rid of the rubbish. You have just read what happens when you don't, always use security apps, use have restrictions on login attempts. Tighten everything up please

  • Damn creepy. Hopefully, those I trust to handle this sort of thing have my back.

  • Well, here comes the fun part.... Some idiots from Palestine hacked my website yesterday... They removed my complete website, so I contacted my hosting provider to see if they could resolve my problem.. Lucky for me I have daily backups and was able to restore my complete website... The hacker group is called Holako.

  • Good advice, Tim! It also soothes my mind – I thought I was the only one who is paranoid about updating and clearing redundant stuff. It is not only a security risk but affects site speed.

  • I had the same thing happen to my first website. The person who created it didn't put security on the site. I had to completely redo my site, but found wordfence and have it on all my sites now.

    Since I had to start over, going through several bad designers, I ended up doing the work myself. The theme I bought never has had an update. Does that mean it has vulnerabilities? If so, what do you recommend?

    • All themes and plugins that are maintained have updates, which could be for bug fixes, security patches, or simply compatibility with the latest core WordPress version.

  • How can you tell when a theme has an update (other than the standard WordPress themes)?

    • You'll know by the version number for the theme. There's also an update log for each theme.

  • Great post, thanks

  • For those who are curious about what kind of spam pages were created on the Microsoft blog, please see the cached version on Google: https://www.google.co.uk/search?q=site%3Adigitalconstitution.com&gws_rd=ssl

    The Microsoft blog's hackers created hundreds (or even thousands) of casino pages on the Microsoft website (I'm pretty sure they fired the one responsible for the website administration), so they can link back to another casino website from a high authority website. I've got more than 200 WP websites, and I've seen this done on many of my websites.

    For any WP website owner: KEEP THOSE PLUGINS UP TO DATE, KEEP THAT WORDPRESS UP TO DATE, and I would fully recommend the pro version of Wordfence, most notably because of its country blocking feature.

    I'm using it to block any country outside EU and US (for my UK websites), and if you don't want to go to that extreme, make sure you block some high risk countries that I've detected many hacking attempts from:

    Russia
    Ukraine
    Moldova
    Belarus
    Afghanistan
    Iran
    Kazakhstan
    Kiribati
    and the list can go on, but the ones above are on the top of the list.

    I hope it helps ;)

    • You block *everything* outside the EU & US? That's pretty extreme. Not sure what your UK Websites are but remember there's a lot of UK people who live outside the UK - for instance here in New Zealand which by the sounds of it you block too...

  • Hi Tim - Occasionally I get a little lackadaisical about updates. Thank you very much for that reminder / word of caution.

  • Wordfence has blocked many hacking attempts on my WordPress website. Especially as Admin.
    Keep up the good work.

  • I'm sorry, but I have to disagree, partly. I always wait, at least a few days, but preferably at least 2 weeks to update a plugin. Too many times I've experienced that a fresh update of a plugin breaks this or that, only to be fixed by the next update. So, no, I do NOT update plugins (or even the WordPress core) immediately when available.

    • Frizz -
      I follow the same practice. I usually wait 2-3 days, then test the update on a staging site, then update the live site. Smaller dev shops just don't have the resources to always do extensive testing on their own updates, and can often cause a conflict with other plugins.

      Jeff

  • Thanks Tim. I am guilty of this very thing sometimes. I'm very grateful to the folks at Wordfence. You guys have an awesome service that very well may have saved my butt on several occasions.

    Two years ago I had a hacker take down my entire WP blog. It put me out of business for months and changed my attitude about security entirely. It made me realize that no matter how small or seemingly insignificant your blog, you are constantly a target for hackers. I now run three security programs whereas before I only had one.

    I was wondering if you guys had any articles on what to look at as far as your attempted login logs are concerned? I often find it difficult to determine if a login attempt was innocent or malicious in intent, as some of the referral URLs out there on the web can get pretty weird looking. In looking at my logs, are there any legitimate reasons that anyone would attempt to access your website from URLs that begin with "/wp-content/"? I sure don't name any of my pages with that. Any articles on your site that can be helpful with that?

    Thanks for all your efforts.

    David B.

    • I suggest looking for country of origin and the number of attempts from the same IP address. Even 2 attempts is suspicious because the hackers may try twice per day and then change the IP to a similar IP address on other days. Hackers buy proxy IP addresses in blocks and many of them are similar IP addresses, or they rotate them.

      It would be nice if the logs showed how many times an IP address was used to visit a site, since they rotate them to keep under the radar of unsuspecting WordPress targets.

  • Re Deleting Unused Themes

    I recommend also learning how to remove themes and plugins via File Transfer Protocol (FTP) ala the old days of web serving.

    As a web owner or developer you will learn what makes up the WordPress system--what files are in the core, what files are in content, etc. It's one thing to read the docs about this on WordPress.org; actually working with the files directly gives it real understanding. Useful for those times when things simply go wrong.

    Please continue using auto updates and the Dashboard UI to do maintenance but learn this to increase your knowledge and effectiveness.

    Aloha,
    /ev

    • Eugene -
      While I agree that becoming familiar with the standard WP files and folder structure is greatly important to understanding how your site actually operates, I do not see any advantage for using SFTP (yes, we should all be using the secure version of FTP, regardless of sensitive info or not) to remove plugins and themes, as you suggest. However, since I have quite a few plugins that I only use for occasional maintenance, I use SFTP to move them into an "Unused Plugins" folder until I need them. Since they do not reside in the standard WP Plugins folder, they do not appear in the Admin Dashboard and are therefore not accessible unless someone happens to know the exact name of that folder. As I do not advocate I am an expert in WP security, I welcome any comments on this practice. I hope I am not giving myself false hope here.

      Cheers, and happy designing/programming,
      Jeff

      • Jeff,

        That probably helps, but it's something we call 'security by obscurity'. You're only slowing a determined hacker down slightly. Even if the plugins are only for occasional maintenance, and you have moved them to a different folder, please make sure they are updated. Isn't a quick update now better than several hours cleaning a hacked site later?

        tim

  • Things do not always work the way they are supposed to. I manage 6 websites for one client all using the Flexsqueeze theme. I love the theme and would recommend it to anyone. A brand new version came out a few months back and I installed it on all the sites.
    For security reasons I decided to remove the old themes from all the sites. I should have removed the old theme from one site and then tested the site to see if there were any problems... But I did not. I removed the old theme from all the sites only to discover something had gone wrong and most of the image files were gone from all 6 websites!
    The moral to the story is this:

    Don't just start deleting stuff without considering Murphy's Law. Again...
    Don't just start deleting stuff without considering Murphy's Law.

    Sincerely,
    Robert McCulloch

    • Good advice, but we'd add that if you aren't keeping it updated you are leaving the door open for someone to hack your site. The problem occurs when people have old themes on their site and don't bother updating them when a new version is released.

      tim

  • I myself have been victim to hacking on several WordPress sites in the past, and like mentioned in the article, the best defense is updating plugins and core on a regular basis. Also I've found it to be a good idea to choose a website host carefully. The newer Managed WordPress plans are pretty good at beefing up security, and 1 click restores should the worst happen. Happy blogging everyone!

  • Wordfence has now become a 'best practices' plug-in install for clients. I try to talk them into the premium version but it's not until a major onslaught that they act sometimes. Thank you so much for all your work on this.

  • Excellent tips. I've found WordFence to be immensely helpful in protecting my sites. I'm not an IT professional (college professor) who has to support/manage a large number of sites (over 50).

    I have two suggestions that would make it even easier & better. It would be great if the email notification could come in the form of a single daily email showing all of the updates/advisories/warnings for all of my WordFence registered sites instead of having to deal with separate emails for each site.

    Second, and I'm not sure if WordFence could do this or what. Sure it's great advice to "remove unused plugins" from a site. But suppose a site has a significant # of plugins and the site has evolved over the years and has a tremendous number of pages. How can I easily tell if a plugin is actually doing anything for the site. Sure, some plugins are obvious. But many plugins are installed to do simple little tasks on a few pages or maybe to experiment and see if the plugin's desirable. Then they aren't used for new pages because a new solution comes along. Yet, it's tough to know if removing the plugin will break some posts or pages. An example I know for real is various plugins for creating/dealing with tabular/spreadsheet. I've got a couple of these installed and not sure I can remove them w/o breaking some pages. I don't really want to manually go through all pages/posts in the site to find out.

    • Thanks for commenting. If you have any suggestions or feature requests, we ask that you email them to feedback [at] wordfence.com.

      Thanks!

      tim

  • Thank you Wordfence Team for all your hard work.
    You saved my sites from various attacks daily.

    Dicky

  • Can disabled themes and plugins be harmful? If yes, how?

    • Disabled themes and plugins are still in a directory that can be reached and exploited. For instance, we once had a customer contact us because their site kept getting hacked and they couldn't figure out how. We were able to determine that they had been exploited by a backup of the site in the public_html directory that hadn't been updated in a while. Plugin authors update their code often, patching security problems and fixing bugs. Even if you aren't using the site or the plugin, if it lives inside the wp-content folder, it is probably exploitable.

  • Gotta tell ya, you guys rock when it comes to security, from the product itself, to the informational reminders/warnings that you and your software put out. For new site developers, the FIRST thing that they should have on their mind, BEFORE they make their site public is having a good security package to protect the site, such as good ole Wordfence. As soon as they turn their site on, hold on for the ride, as there will be folks trying to kick the door in. Keep up the good works guys!!

  • Great post. I do keep my site up to date but you've highlighted some areas that I will definitely check. Thank you!

  • I use two layers for WordPress. Of course Wordfence is good; I also use Cloudflare.

  • I'd sure like to know how a theme that is not activated, one that is just sitting there unused, can be a target. I am all ears. And, of course THANK YOU for your wonderful layer of protection.

  • Thanks for the reminder that no one is safe. I just installed the free version of WordFence on my blog and looking forward to upgrading to premium if it is as good as you guys say it is.

  • I use mainwp.com to keep all my 50+ personal and client site themes and plugins up to date with 1 click. I charge each client $25 per month for this service.

  • I was just discussing this with a colleague and letting them know to also make sure their WP Admin login is not an easy one to crack!

    Sure enough, someone figured out his pw and his site was hacked.

    Mike

    • Someone said...
      Make a unique new User and promote to admin status
      Demote "admin" to subscriber
      So I did...

  • Good ideas but you need to do more than this.
    1. Make sure your username is never shown on the site, even when hovering over an article's writer at the bottom of the post. Find out about 'nicename'; this is crucial.

    2. A foolproof plugin is the one that validates you through a continuously changing app on your smartphone. I use the Android one; I assume there is an iOS one as well.

    Obviously, install Wordfence too. Just in case you think this is overkill, my site has gotten over 650 hack attempts in one day. It's a small site, about 9,000 visitors a day or so but it's constantly under attack. Use Wordfence, get to know its Options and stay safe. It is a total PITA to get locked out by your hosting company until you get rid of the malware/spam/viruses that a hack can put up on your site.

  • Wordfence has identified and stopped lots of hacking attempts at my sites. Sometimes I can't believe the number of hacking attempts. I've really examined all of my plugins and deleted all unused themes. But I think WordPress or Wordfence could help the situation a lot by notifying owners when a plugin is no longer tested for your version of WordPress. Although now I know better, I previously thought that if I didn't receive that little flag in WordPress telling me that an update was available, I was fine. However, there are many plugins that are out of date and you would never know unless you hit the details tab on the plugin page to see when it was last updated and if it has been tested with your version of WordPress. Then WordPress could start eliminating from their plugin directory plugins that are no longer being actively developed and are out of date.

    All the best,
    Ted

  • @Richard B

    " You block *everything* outside the EU & US? That’s pretty extreme. Not sure what your UK Websites are but remember there’s a lot of UK people who live outside the UK – for instance here in New Zealand which by the sounds of it you block too…"

    Obviously, this applies (blocking everything outside EU and US) mostly for local business websites, e.g. phone repair shops, skip hire, hypnotherapists, etc. I'm always leaving the US open as that's where that beloved Googlebot comes from :) However, people with a broader audience can leave the more developed countries open, e.g. New Zealand, AU, CA, etc.

  • Thanks everyone for teaching me how to delete the old themes.

  • I recommend changing Admin User and creating a different user. Block any user that tries to login with Admin.

  • I had to change my droplet on DO because of one of my WP sites' old plugins and themes. You just need an auto updater for this issue.
    You know what they do? They DDoS someone else's server from mine!

  • Reading about the Double Zero-Day got me seriously worried.
    Thanks to Wordfence and its regular updates and reminders, I am at peace.

  • Good advice. I like to keep my site updated and no unwanted plugins or themes.

  • Good post. Never knew this, thank you for letting me know.

  • I'm so glad I went with your service a long time ago. Your advice and warnings should be well heeded. I'll never forget the attacks I got daily for over a year in the hundreds, maybe thousands all totaled. Then one day they stopped to maybe one every few days. They never got in.

    Thank you!

  • You wouldn't be trying to extort money off us, would you?
    You can't hack a hacker - you're next on my list. Ha Ha Ha Ha.......................................
    Death to the infidels.

      • I totally agree.

  • I agree, but what is really annoying, and what everyone in the Internet industries should condemn, is the bashing when some technologies are hit and the common sense when some others are hit, solely based on personal feeling and opinion (in the form of jealousy or grief 90% of the time): https://twitter.com/flexengineer/status/613677281056133120

  • Thanks, Tim, for the article. I checked all my plugins and found that Really Simple Captcha hasn't been updated in 6 months and hasn't been tested on the latest version of WP 4.2.2, but their Contact Form 7 (same author) is up to date, so should I just wait (for the captcha to be updated) or try another captcha plugin? Any recommendations? Thanks!

    • @Marie Wordfence wouldn't go that long without a release but we're kind of driven so it's not a fair comparison. :) If you aren't seeing any support requests being answered in the forums, you might attempt to contact the author and ask if the plugin is being abandoned. Likely they are busy with the other plugin and need to get back to the captcha plugin development.

      My personal litmus test is any combination of these:
      Is the 'works with' version of WordPress farther back than a few versions?
      Has the plugin been updated sometime in the last year or not?
      In their support forums on wordpress.org, are the majority of issues unresolved or have no comments from the plugin author or staff?

      In the end, use your good judgement. Sometimes you have to go with your gut and if you feel you need to beef up your security, maybe you should.

      tim

      • Thanks Tim! Their support forum is very active and the author has been responsive to all, even this last week... and the last version of WP that their captcha was tested on is also recent (just not the latest...), so ok, I suppose I'll stay with it. After all, it works and has more than a million other users (or downloads that is), plus I've been having trouble finding other captchas to work (or understanding how to make them work) with the Contact 7 form... so thanks so much for your answer. And thanks again for your article--it opened my eyes to see how vulnerable our sites can be and what we can do about it!

  • Also worth noting that (as well as the great advice from Tim above) you need to do regular backups of your site. I use a great plugin for this - there are loads of good backup plugins in the WordPress repository.

    A LOT of hacks come from the back end via shared servers, i.e. the hacker gets on to the server via another compromised account and gets your files from there. Wordfence (or any other security plugin for that matter) will NOT stop this.

    You need to maintain a good backup regime (ideally automatically moving your backups offsite to dropbox or equivalent).

    Belts and braces.... stay safe :-)

  • Microsoft, of all people, should know that they need to keep their website updated and secured. If anyone has the resources to maintain a secure website, I would think it would be Microsoft. Given the subject matter of that website, I do not think they really care for it too much. If they did, they would have given that website the attention it deserves and updated it on a regular basis.

    Wordfence rocks!!!

  • Awesome wakeup call Tim - I thought I was looking after my site but today I found several plugins outdated, some by 7 years - Whoops my bad! :)