my site was hacked through an old wordpress installation

[Jake Bunce]

I had completely forgotten about it, but some one found it and exploited the old version.

If you have old software on your site that you aren't using you should remove it. The same goes for addons that you aren't using.

 

[wang]

I am sorry to hear that you got hacked sir. The same thing has happened to me and a friend of mine a few months back with an old Joomla installation.

Excellent advice about older unused software and add ons. Or at the very least, to update them, even if one is not using them anymore.

 

[Nudaii]

a client i work with had same issue last week, what was the wp version/wp plugin exploited in your case @Jake Bunce?


for my client it was gravity forms

 

[Jake Bunce]

what was the wp version/wp plugin exploited in your case

wordpress 3.4.2

 

[naia]

Wordpress is an unauthenticated remote shell that, as a useful side feature, also contains a blog.

 

[Kintaro]

Wordpress is an unauthenticated remote shell that, as a useful side feature, also contains a blog.

wow do you think is really non-secure like this?

 

[LPH]

wow do you think is really non-secure like this?

Yes. WordPress is very insecure and always a target. Enabling automatic updates is usually a good idea. This updates the site any time WP developers release a new version or a security patch.

 

[Nelson T.]

Someone hacked my church's wordpress site that I put up for them, and it really sucked.
I got that alarm program, and wordfence, and it helped some, but not totally.

 

[Xon]

Yes. WordPress is very insecure and always a target. Enabling automatic updates is usually a good idea. This updates the site any time WP developers release a new version or a security patch.

Enabling automatic updates is vital to keeping Wordpress secure.

 

[HostDash]

wow do you think is really non-secure like this?

WordPress is extremely great for what it does though it is a very big target given the number of websites running it. Should always be kept up to date (plugins also) and implement the other recommended security measures to help.

 

[eva2000]

Enabling automatic updates is vital to keeping Wordpress secure.

+1 very true.. for my wordpress auto installer i lock it down tight including auto wordpress updating http://centminmod.com/nginx-wordpress-installer.html

 

[Xon]

WordPress is extremely great for what it does though it is a very big target given the number of websites running it. Should always be kept up to date (plugins also) and implement the other recommended security measures to help.

Not just plugins, but theme updates too!

 

[M@rc]

Not just plugins, but theme updates too!

Even if they're deactivated?

 

[rainmotorsports]

Even if they're deactivated?

If there is code that can be exploited to gain access, it being active or not often doesn't make a difference. Depends.

 

[HostDash]

Even if they're deactivated?

Better safe than sorry .

 

[M@rc]

If there is code that can be exploited to gain access, it being active or not often doesn't make a difference. Depends.

I guess it's time to delete the default WP themes I don't use then.

 

[Xon]

I guess it's time to delete the default WP themes I don't use then.

You don't want to run the risk of accidently (or otherwise) of switching to an unmaintained theme and then being compromised less than 24 hours later by automatic bots.

 

[rainmotorsports]

I guess it's time to delete the default WP themes I don't use then.

Hell I took those out just because. You can always get them again.