A client of mine recently contacted me, and frantically proceeded to explain to me how his hosting company contacted him stating their server had been hacked through an outdated WordPress install they had kept on it. To make matters worse, the host did not have a recent file backup available – great. I was in for a long night. However, this got me thinking as to just how often this happens. A lot of people wrongly assume that their personal online projects, if never advertised, can never be found. So I wanted to take a moment and write up this post, and hopefully help someone prevent themselves from being in a similar situation.
First off, touching base on the host’s lack of a recent file backup, I want to bring up an article I wrote a while back: “Always Keep Your Own Backups”. It applies to a lot more than just hosting if you really think about it. Maintaining a recent backup is something every website owner should be doing, and with the majority of control panels out there, such as Hepsia and cPanel, generating and downloading backups is fairly simple. Read through the article, even if you have in the past, and make sure you’re following through with your responsibilities.
Moving on, we come to this outdated WordPress install, which provided the loophole the hacker needed to get in. This is something else that you, as a website owner, have to stay on top of. You have to make sure that all your script installs are always up to date. When using script installers such as Softaculous, Elefante, and Fantastico, this task also becomes fairly simple, as each one of the script installers will automatically notify you of new versions of your installed scripts.
For those that own a server with several different accounts on it, you can automate this process by utilizing some scripts. For example, techsware.in has a great script posted that will locate outdated WordPress installs on any system running cPanel, Plesk, or really any Linux box. You can also utilize a full-featured premium script like OldScriptFinder.
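To show what such a scan involves, here is an added example (not the techsware.in script or OldScriptFinder, and not code from this post). It assumes you pass in the directory to scan and the minimum version you consider acceptable; the function name `find_outdated_wp` is made up for this illustration.

```bash
#!/usr/bin/env bash
# Added example: report WordPress installs older than a minimum version.
# Assumptions: the scan root and minimum version are supplied by the operator;
# WordPress records its version in wp-includes/version.php as
#   $wp_version = '6.4.2';

# Usage: find_outdated_wp <scan_root> <min_version>
# Prints "install_path<TAB>version" for each install below <min_version>.
find_outdated_wp() {
    local root="$1" min="$2" file ver lowest
    find "$root" -type f -path '*/wp-includes/version.php' 2>/dev/null |
    while IFS= read -r file; do
        # Take the text between the first pair of single quotes on the line.
        ver=$(awk -F"'" '/^\$wp_version/ { print $2; exit }' "$file")
        if [ -z "$ver" ] || [ "$ver" = "$min" ]; then
            continue
        fi
        # sort -V (GNU coreutils) orders 6.4.2 before 6.10.1, unlike a plain
        # string comparison; the lower of the two sorts first.
        lowest=$(printf '%s\n%s\n' "$ver" "$min" | sort -V | head -n 1)
        if [ "$lowest" = "$ver" ]; then
            printf '%s\t%s\n' "${file%/wp-includes/version.php}" "$ver"
        fi
    done
}

# Run as a script only when both arguments are given.
if [ "$#" -ge 2 ]; then
    find_outdated_wp "$1" "$2"
fi
```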
The point is that even if you have to do it manually, you want to make sure you keep all of your script installs up to date. It doesn’t take much, but it does a lot for you in the long run. Apart from just server security, outdated scripts can have broken loops that cause a severe drag on system resources, hurting the performance of the entire hosting account/server.