Last updated on April 13th, 2015 at 01:57 pm
I was looking at several ex-clients' sites over the weekend and noticed that many of them had moved to WordPress, presumably so that they could update the content themselves (or maybe because their new designer felt it was the easiest way to build a site for them; I have even seen forum comments claiming that you have to use WordPress to build websites).
Now, while this is certainly a good, fast and easy way to build sites, there are some things you need to be aware of if you have a WordPress-based site. These range from the ability to optimise the site properly (possible, but in my experience a little harder than on a hand-built site) through to the dangers of running your site on out-of-date software. It is this latter problem that this post is about.
WordPress is basically a collection of scripts written in a language called PHP that run on the server and read a database to generate pages on demand. This means the scripts are only as good as the programmers who wrote them (most WordPress programmers are very good, and this article is not here to complain about them). The problem is that any and all programmes can have bugs in them. Speaking as someone who built large computer programmes for a living for over 25 years, I know there is no way to test every route through a piece of code, and there is always going to be something that catches you out, possibly years after the code was built and after years of running successfully. The reason not all routes through a programme can be tested is simple: most programmes contain statements (rules) that say "if this is true do this section of code, but if it's not true do that section of code". As you can imagine, you only need a few of these before the number of possible paths through the code becomes very large.
Now, that's fine, if a little annoying, if the bugs are to do with the display of a page (or, on a WordPress blog, the Categories pages not always listing everything), but imagine if the bug is a security hole that lets someone hack into your site. Many WordPress updates are related to security issues; for example, the release announcement for the most recent update at the time of writing (3.4.1) specifically says "Version 3.4.1 also fixes a few security issues and contains some security hardening."
Many WP sites also use plug-ins, small chunks of code designed to do a specific task (this could be making the site more SEO friendly, generating sitemaps, catching spam comments, or one of myriad other things). Each of these is also a possible hole that will allow someone to hack your site, and each needs updating in its own right.
The good news is that WordPress and many plug-in developers issue updates when they find problems; the bad news is that there are a lot of sites out there that don't apply the patches and upgrades. This seems to be for several reasons: the owners can't be bothered, they don't know about the updates, they paid their designer to build a site and not to maintain it, or their designer doesn't think it needs doing. This puts the site at risk of being hacked, its content changed or destroyed, and the bad publicity that follows if a visitor sees the site while it is defaced.
Having done some research, there are videos on the net showing how to hack an old WordPress blog or site in under two minutes using freely available tools, and one blog post I found lists at least seven ways into a WordPress blog that is not up to date or otherwise secured. While many of the problems mentioned in that article are to do with passwords (and are good advice generally), the first two are directly related to keeping both WordPress and its plug-ins up to date.
You may remember I opened by saying I was looking at ex-clients. Bearing in mind that at the time of writing WordPress is on version 3.4.1, I was amazed to see sites running versions as old as 3.0.1 (the version released in July 2010, which has been superseded 18 times since). Imagine the bugs that have been fixed since then! ** Update: in August 2013 version 3.6 was released, following on from another four versions, and still there are sites running WordPress 3.0.1! ** You can see the WP version history on wordpress.org.
And before you think it's only WordPress that has these updates, the same applies to every CMS (Content Management System) currently available (for example, I run a Joomla site for a client and it has regular updates, as do Drupal and others) and to other web software such as forums. The updates may not be as frequent as WordPress's, but they are still released for a good reason.
Please, please, if you run a site that uses something like WordPress, check what version you are running and, if it's not the latest, either update it yourself or get your designer/developer to do it for you. Yes, it may cost you money if you don't have a maintenance agreement or the designer doesn't see it as something they should do anyway, but it should make your site much less "hackable". Remember too that just updating the software after a successful hack doesn't always work: the hacker will often have installed extra programmes called "back-doors" to let themselves back in later, and those survive the update, so a hacked site needs cleaning (or restoring from a known-good backup) as well as updating.
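If you have file access to the server, the version check above can be done without logging in to the dashboard. The script below is an added example written for this post, not code from the original article or from WordPress itself. It relies on two things WordPress really does: it records its version in `wp-includes/version.php` (`$wp_version = '...';`), and the default theme prints a `<meta name="generator" content="WordPress X.Y.Z">` tag on every page. The file contents and HTML in the block are constructed samples, and the "latest" version is something you pass in yourself (3.4.1 here, as in the post); the script does not fetch anything from wordpress.org.

```python
"""Find the installed WordPress version and compare it with a known latest release.

Added example (not code from the original post). The sample version.php and
HTML below are constructed to mirror what a real install produces; 3.0.1 and
3.4.1 are the versions quoted in the post.
"""
import re
from typing import Optional, Tuple

# Constructed sample of wp-includes/version.php from an old install.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 *
 * @global string $wp_version
 */
$wp_version = '3.0.1';

$wp_db_version = 15477;
"""

# Constructed sample of a rendered front page; the generator tag is what
# WordPress emits by default, and it is also what automated scanners read.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 3.0.1" />
</head><body></body></html>"""

_PHP_RE = re.compile(r"\$wp_version\s*=\s*['\"]([0-9][0-9A-Za-z.\-]*)['\"]\s*;")
_META_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+([0-9][0-9A-Za-z.\-]*)"', re.I
)


def version_from_php(text: str) -> Optional[str]:
    """Extract $wp_version from the contents of wp-includes/version.php."""
    m = _PHP_RE.search(text)
    return m.group(1) if m else None


def version_from_html(text: str) -> Optional[str]:
    """Extract the version from the generator meta tag of a rendered page."""
    m = _META_RE.search(text)
    return m.group(1) if m else None


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.4.1' -> (3, 4, 1); '3.6' -> (3, 6, 0). A '-beta1' style suffix is dropped.

    Comparing tuples of ints avoids the string-comparison trap where '3.10' < '3.9'.
    """
    core = v.split("-")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_outdated(installed: str, latest: str) -> bool:
    """True when the installed version is strictly older than the latest one."""
    return parse_version(installed) < parse_version(latest)


def check_install(version_php: str, latest: str, html: str = "") -> dict:
    """Prefer the on-disk version file; fall back to the generator tag."""
    installed = version_from_php(version_php) or version_from_html(html)
    if installed is None:
        return {"installed": None, "latest": latest, "outdated": None,
                "note": "version not found; check wp-includes/version.php by hand"}
    return {"installed": installed, "latest": latest,
            "outdated": is_outdated(installed, latest)}


if __name__ == "__main__":
    print(check_install(SAMPLE_VERSION_PHP, "3.4.1", SAMPLE_HTML))
```

On a real host, read `wp-includes/version.php` from the site's document root and pass the current release number from wordpress.org as `latest`. If WP-CLI is installed, `wp core version` and `wp core check-update` give the same answer from the command line. Note that removing the generator tag only hides the number from casual scanners; it does nothing about the bugs, and an outdated version file is the thing to fix.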
I’d be interested to hear from you if your site has been hacked – how long did it take to recover and did it cost you lost sales?