From the BBC:
A security flaw in the WordPress blogging software has let hackers attack and deface tens of thousands of sites.
One estimate suggests more than 1.5 million pages on blogs have been defaced.
The security firm that found the vulnerability said some hackers were now trying to use it to take over sites rather than just spoil pages.
WordPress urged site owners to update software to avoid falling victim.
. . . .
The vulnerability is found in an add-on for the WordPress blogging software that was introduced in versions released at the end of 2016.
. . . .
In a blogpost, WordPress said it delayed going public about the flaw so it could prompt hosting firms to update their software to a fixed version.
The patched version of WordPress was formally released on 26 January and led to many sites and blogs automatically applying the update.
However, many blogs have not followed suit, leaving them open to defacement attacks.
Security firm WordFence said it had seen evidence that 20 hacker groups were trying to meddle with vulnerable sites. About 40,000 blogs are believed to have been hit.
Link to the rest at the BBC and thanks to Jan for the tip.
PG says if you have a blog that uses WordPress, make certain both WordPress and all of your plugins are updated.
WordPress should automatically update itself (but not plugins) for major releases under most circumstances. However, if you want to check on the status of updates, you’ll need to be signed in as an administrator, then click on (or hover over) the Dashboard button in the left column, then click Updates.
I run four WP sites, and I keep them updated myself, not really a lot of work. WordFence is part of my standard protection.
Nate: I believe the twenty ten theme can be made mobile friendly with Jetpack. I might be wrong… Thanks for the suggestion.
I don’t like the Jetpack solution – it doesn’t look good and it’s not worth the performance penalty when we already have an alternative that looks similar and does the job.
I’ve been firefighting back end code across five sites I run since New Year’s Day and it’s been a major hassle.
Apart from keeping WordPress and all plugins updated, another thing to do is delete all unused themes from your site. Out-of-date themes can be that open window at the back of your house that the burglars target.
Speaking of themes, you should really replace the theme on rachnoboards.com. The twenty ten theme is not mobile friendly.
My recommendation is that you switch to the “Colinear” theme. It looks similar to the twenty ten theme and is mobile friendly.
I assume this applies only to private domains using WordPress.org rather than the free, WordPress.com software?
Correct.
Unless you have enough income (preferably from your books), it may not be cost effective to use a WordPress.org site.
I trust that the .com site will have actual WordPress experts keeping Akismet running, and the obvious threats blocked, as well as having the latest updates of their own software.
As a tiny provider, this is far safer.
The wp.com pro account is only $99/yr, and is well worth it to keep from having to be blog janitor.
Thanks for the info but I think the prices have gone up. Personal plan = $3.99/month, Premium is #10.75/month and business is way out of my price range, lol.
As I already buy extra storage for my free plan, the only other item of value [for me] on the premium plan is the monetizing option. At the moment, however, I doubt I’d be making enough to break even.
The one thing that still isn’t clear is the issue of maintenance. If the 3 paid for plans require your own domain, then is WP actually hosting those domains or do you have to host elsewhere and simply use the WP engine to create your website?
Nope. It’s all hosted at WP, your domain just points there. I pay by the year, so I get the discount.
That certainly reduces the headaches, but it also limits what you can do with the site.
Hosting a site on WP.com means no plugins, no custom themes, and limited pop-ups.
I think paying $45 a year for hosting is worth the extra features.
There’s a lot of restrictions to a wordpress.com blog, like no affiliate links, and they will delete your blog at the drop of a hat (just like Amazon, if someone complains you’re violating copyright, they just delete the blog without even checking that it’s a valid complaint).
“if someone complains you’re violating copyright, they just delete the blog without even checking that it’s a valid complaint”
Nope. Wrong.
Automattic does not do that to blogs hosted on wordpress.com. Yes, they might remove a single post, but they do not simply delete the entire blog. And now Automattic is a lot pickier about which DMCA notices they will accept:
https://www.theguardian.com/technology/2013/aug/13/wordpress-straight-pride-uk
That’s precisely what they were doing very recently, regardless of what their policy is. I’m sure it’s just like Amazon, they can write down whatever policy they want, but the people who actually enforce it simply delete blogs.
I’ve found iThemes Sync (https://ithemes.com/sync/) to be very useful for keeping up with updates on WordPress sites. It alerts you whenever an update is available and allows you to cover several sites from one dashboard.
This is very important, and I’m glad you thought to include this.
This article from Wordfence describes how they’re defacing pages. In essence, these are script kiddies using automated software, so it’s on a par with a vandal spray-painting the side of your house.
All you need to do (like the article says) is make sure your WordPress site is updated to version 4.7.2 and you’ll be fine.