Recently we’ve been asked to look at a few sites built in WordPress, and have been surprised to find the software is years – yes, years – out of date.
Allowing your WordPress website to drift like this is a bad move that can leave your site open to hackers who could bring it down or worse.
Your site could be taken off search results, your reputation could be damaged but most of all it will take a lot of time to clean up the mess.
WordPress is the most popular website platform in most of the world with good reason.
It’s free for a start, but also it can be extended with the help of plug ins, which allow custom functions like photo galleries or forums – just about anything you want.
Another reason for its success is that WordPress is constantly moving forward, with a new version featuring improvements released every three to four months – the latest (3.5) was just last week – and sub versions to fix bugs and security issues in between.
Every major update also means the plug ins have to change, too.
That popularity means lots of people who like to hack websites devote a lot of time to finding holes in WordPress. Hackers share information and once they find a hole they will tell lots of other hackers.
When this has happened in the past the WordPress community has been quick to close the security hole by rolling out a new update that fixes the problem.
Asking for trouble
But if you don’t apply the update your site is basically sitting there waiting to be hacked. And the hackers will be looking for you.
Now we are not trying to scare you, or put you off using WordPress, but if you or your web designer ignore this aspect of using WordPress then you are asking for trouble.
WordPress itself does its best to warn users of new versions, but it’s amazing how many people ignore the warnings.
Even Google started warning website owners if they were running out of date WordPress versions, and there were plenty of examples of people being caught out who should have known better.
For example the Reuters blog, which was hacked earlier this year and found to be running a version of WordPress that was two years out of date.
The result: Your website can be home to nasty software, advertising dodgy online drugs, hosting one of those fake banking/phishing sites or just taken over by someone else. In most cases you may not even know anything is wrong.
This can get your website blacklisted and removed from search results and the damage to your reputation can be immense.
Sometimes the fault here lies with web companies themselves who sell a website to a customer but don’t explain that the software it runs on must be kept up to date.
One company we know of even told a customer to ignore the prompts to update the plug ins and WordPress version – and warned them that if they updated and things went wrong they would be on their own.
In this case it seems the web company involved simply didn’t understand how to keep WordPress up to date – or the importance of doing so.
A Stitch in Time Saves Nine
Some customers are put off by the idea their website will need to be maintained that there will be a small cost associated with this but skipping this is a false economy.
After all doing the necessary back-ups and keeping everything up to date is a finite task that shouldn’t take long if done regularly.
Fixing a hacked website can be a long and involved process that could cost a lot – in time and money – to put right.
Or to put it another way, keeping WordPress and your plug-ins up to date is the equivalent of taking your vitamins, but putting a hack attack right is open heart surgery.
Ask your web company
So if you already have a WordPress site find out what your web company is doing about back-ups and software updates. If you look after your own site then don’t ignore the warnings.
And if you’re thinking about having a WordPress site built for you, ask your web company what they are going to do about updating it and its plug-ins. If they don’t have an answer, then you might be better going somewhere else.
Otherwise there could be a lot of time and expense waiting for you down the road.
How to Keep WordPress Secure by Matt Mullenweg, co-founding developer of WordPress
WordPress Security: Seven Ways I Could Hack Into Your WordPress Site – Mark Maunder