Reuters, a highly respected news agency based in London, recently had their blogging platform compromised. This resulted in false stories posted on their website, including a made-up interview with a Syrian rebel leader. Adding insult to injury, Reuters was attacked again just a few days later, and this time hackers got control of their Twitter account, posting more dubious stories about how the U.S. supports Al Qaeda and that Obama ceased funding to 9/11 investigations.
How did this happen?
It is widely suspected that hackers were able to exploit weaknesses in the widely used WordPress blogging platform. These weaknesses have been patched, but Reuters simply failed to update to the latest version of the software, running 3.1.1 instead of 3.4.1, and this mistake purportedly brought down their entire website. Version 3.1.1 is well known for having security issues, and WordPress insisted that everyone update immediately once patches had been developed.
These attacks could easily have been prevented if only Reuters’ engineers had clicked on the notification that appears at the top of every WordPress dashboard (its admin panel) when new updates are available; the updates take seconds to install. The oversight is odd, understandable only if Reuters made many customizations to their WordPress installation or was using plugins that might be incompatible with the latest version.
Even more incredibly, after the hacking incident broke, bloggers posted screenshots showing that Reuters still had not updated their WordPress installation for some time after the attack! (This has since been rectified.)
The importance of using the latest version of software
It is very important for users to always update to the latest version of WordPress software, because it is the pre-eminent blogging platform, used by huge media companies and individual bloggers alike. This makes WordPress a choice target for hackers, similar to the way Microsoft products are so often targeted due to their ubiquity.
Reuters is not the first company to have gotten hacked through the use of an older version of WordPress. Recently, over 30,000 websites were hacked to redirect traffic to fake antivirus software. Over 90 percent of these websites were using outdated versions of WordPress or its plugins, pointing to this as a probable contributing factor.
Hacks are not always as serious as the Reuters incident, and manufactured news on a respected news site read by millions is pretty serious. In some cases, hackers simply want to create fake user accounts on blogs in order to post comments with backlinks to spammy sites. But for WordPress sites that have sensitive user information, such as e-commerce sites with customer databases, even seemingly innocuous penetrations might allow further access down the road.
To sum up, simply keep your software up to date. As mentioned, WordPress and its numerous plugins are painless to update, and the price of not doing so is a loss of productivity, traffic and revenue. Responsibility for maintaining a website lies not with WordPress, which is a free, open-source platform, but with the IT managers and webmasters that use the platform. Learn from the Reuters incident to safeguard your own sites.
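One way to catch a forgotten install before someone else does, as an added example (not part of the original article and not WordPress's own tooling): the script below reads the `$wp_version` line that WordPress core keeps in wp-includes/version.php for every install under a web root and flags any that are older than a chosen baseline. The site names and sample directory tree are constructed for illustration; 3.1.1 and 3.4.1 are the versions named above.

```python
import re
import tempfile
from pathlib import Path

# WordPress core records its version in wp-includes/version.php, e.g. $wp_version = '3.4.1';
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.MULTILINE)

def parse_version(text):
    """Turn '3.4.1' or '3.5-beta1' into a comparable tuple, padded to three parts."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])

def installed_version(site_root):
    """Return the version string of the install at site_root, or None if unreadable."""
    version_file = Path(site_root) / "wp-includes" / "version.php"
    try:
        match = VERSION_RE.search(version_file.read_text(errors="replace"))
    except OSError:
        return None
    return match.group(1) if match else None

def audit(web_root, minimum):
    """Find every WordPress install under web_root and flag those older than minimum."""
    findings = []
    for version_file in sorted(Path(web_root).rglob("wp-includes/version.php")):
        site = version_file.parent.parent
        version = installed_version(site)
        if version is None:
            status = "unreadable"  # report it rather than silently skipping the site
        else:
            status = "outdated" if parse_version(version) < parse_version(minimum) else "ok"
        findings.append((site.name, version, status))
    return findings

def build_sample_tree(root):
    """Constructed sample data: two fake installs using the versions from the article."""
    for name, version in (("blog-old", "3.1.1"), ("blog-new", "3.4.1")):
        inc = Path(root) / name / "wp-includes"
        inc.mkdir(parents=True)
        (inc / "version.php").write_text(f"<?php\n$wp_version = '{version}';\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for site, version, status in audit(tmp, minimum="3.4.1"):
            print(f"{site}: {version} ({status})")
```

Pointed at a real web root and run on a schedule, a check like this catches installs whose dashboard notification nobody is reading; the baseline should be raised with each new WordPress release.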
About the author: Dirk Reagle has been covering all things tech for many years as a freelance writer. When he’s not busy reviewing mobile web designers in Chicago including Orbit Media, you can find Dirk producing music and touring with his band NightHawk/DayHawk.