Keep your software updated

Written by Nico on December 6, 2008 – 5:18 am

Keeping your WordPress installation, or any other software installations for that matter, up to date should be high on your to-do list. No matter how well programs are planned, there will almost always be bugs and security holes that are only discovered after the software has been released. They are often patched by software updates as soon as the issue has been discovered and a fix has been created.

It’s these known, and fixed, software issues that cause the most problems. There are a lot of wanna-be hackers around who are too stupid to figure out how to hack websites by themselves. Instead they just exploit the known bugs to gain access and impress their wanna-be-hacker friends with their l33t h4cker 5killz.

If you keep your software up to date, you will probably reduce your chance of getting your website hacked by more than 99%. Here’s what happened to one of my WordPress blogs that I didn’t upgrade:

I have a blog that has been lying dormant for well over a year. At one time I just didn’t have the time to post updates and I never got back to writing on that blog again. It was still making some money from a few scattered AdSense clicks, nothing major, but enough to cover the year’s domain registration and hosting fees. I figured I’d keep the site and maybe one day start writing on it again.

Recently I started getting email from the hosting company, notifying me that the site was nearing its bandwidth limit. Checking the website statistics I found a sudden rise in traffic back in August. The number of visitors and page views has been steady, but the used bandwidth went up. Not just a little: in July 2008 the site used 68 MB of bandwidth, which is about the normal monthly usage for the website throughout the rest of the year, but in August the traffic jumped up to 994 MB, in September the bandwidth usage was over 5 GB and the highest peak was this past November with nearly 10 GB of traffic!

I had my email alerts for the site set to 10 GB. So, nearing this amount of traffic triggered the system to notify me of the site usage. Checking the stats, I noticed visitors finding my website through search terms that I’m not even going to mention here; just open up your average spam email and you know what terms I mean.

I went to look at the site and everything appeared to be normal, but the little icon in the top right-hand corner of my browser, which indicates the page is being loaded, wouldn’t stop spinning, even though my screen showed the complete site already. Looking at the source code of the page, I found a lot of links at the bottom of the page. I didn’t count them, but there were literally thousands!

I requested a free sample from each site linked to, so I could make my friends envy me for the rest of my life. Well, actually, I just removed the links and went to bed. The next morning they were all there again! I must have forgotten to save the file after removing the links. I removed them again and double-checked the site. All looked good, but a few hours later the links had been put right back into my source code files.

This WordPress installation had been installed in January 2006 and hadn’t been upgraded since, so I decided to install one of my favorite WordPress plugins: WordPress automatic upgrade. With my installation being almost 3 years out of date, I wasn’t expecting the plugin to work, but it worked perfectly, upgrading my WordPress installation to the latest and greatest release with just a few clicks (sorry Keith, I should have known better!).

The links didn’t come back, but I’m still worried about a Google penalty my site might have received for having all these links on there. I’m glad big G didn’t close my AdSense account that was displaying ads on the spammed pages.
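
A check that would have flagged the injected links described above long before the bandwidth alert, as an added example that is not part of the original post: it compares the external links in a page's current HTML against a known-good copy and reports where the new ones start. The host name `myblog.example`, the sample pages and the `max_new` threshold are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _Links(HTMLParser):
    """Record (line number, host) for every <a href> pointing off-site."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        host = urlparse(href).hostname or ""   # relative links have no host
        if host and host != self.own_host and not host.endswith("." + self.own_host):
            self.found.append((self.getpos()[0], host))


def external_links(html, own_host):
    parser = _Links(own_host)
    parser.feed(html)
    parser.close()
    return parser.found


def compare(baseline_html, current_html, own_host, max_new=5):
    """Diff the current page against a known-good copy (max_new is an assumed threshold)."""
    known = {host for _, host in external_links(baseline_html, own_host)}
    current = external_links(current_html, own_host)
    new = [(line, host) for line, host in current if host not in known]
    return {
        "external_total": len(current),
        "new_links": len(new),
        "new_hosts": len({host for _, host in new}),
        "first_new_line": new[0][0] if new else None,  # where to look in the source
        "alert": len(new) > max_new,
    }


# Constructed sample pages: a clean copy, and the same page with 1000 links
# appended just before </body>, as in the incident described in the post.
CLEAN = """<html><body>
<h1>My blog</h1>
<p>Post text with a <a href="http://example.org/ref">reference</a>.</p>
<a href="/about">About</a>
<div id="footer">Powered by <a href="http://wordpress.org/">WordPress</a></div>
</body></html>"""
SPAM = "\n".join('<a href="http://spam%d.example/">x</a>' % i for i in range(1000))
INJECTED = CLEAN.replace("</body>", SPAM + "\n</body>")

if __name__ == "__main__":
    print(compare(CLEAN, INJECTED, "myblog.example"))
```

Run on a schedule against the live page, a check like this reports the links each time they are put back, rather than relying on someone reading the page source.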


Posted in Start Blogging, WordPress settings, plugins