One of the worst things to have to do as a web host is explain to a client why their website has been hacked or defaced. It happens from time to time, and no matter how good a web host’s security is, it can still happen. Here’s why.
As a general principle, your security is only as strong as your weakest link. Imagine your web hosting account as a building. The web host has a key, they give you a key, and you give WordPress a key, too. As a CMS, WordPress becomes a critical link in the security chain. To complicate matters, each theme and each plugin you install also becomes a link in the chain. Even though WordPress is an excellent system, it’s almost inevitable that at some point security flaws will be discovered, and the same goes for themes and plugins.
When a flaw is discovered in WordPress, it often becomes public knowledge, and WordPress will patch the flaw as quickly as possible. The same applies to themes and plugins; however, it’s up to the theme’s or plugin’s author to fix the flaw. At this point it’s critical that you update your website so that these flaws are patched.
What happens if you don’t? Unfortunately, there are millions of bots and bad actors on the internet trying to gain access to websites for various reasons, and they are constantly searching for domains that have security flaws to take advantage of. If you don’t update, someone will eventually come across your site and exploit the unpatched flaw. Once they get in, they usually try to infect as many files as possible to make it as difficult as they can for the website’s owner to block their access. For this reason, it’s usually not viable to try to fix a compromised site, and the best course of action is to load a backup that is known to be free of any compromises.
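A practical way to see how widely a compromise has spread, and to confirm that a backup really is clean before restoring it, is to compare the live site’s files against that known-good backup. The script below is an added example and is not part of the original post or any hosting provider’s tooling; the directory layout, the skipped upload and cache folders, and the sample files it constructs are assumptions chosen for illustration.

```python
"""Compare a live WordPress tree against a known-clean backup and report
modified, added and removed files (added example, not from the original post)."""
import hashlib
import tempfile
from pathlib import Path

# Directories whose contents change legitimately all the time; comparing them
# would only produce noise. Assumed layout of a standard WordPress install.
VOLATILE_DIRS = ("wp-content/uploads", "wp-content/cache")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large media files don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path, skip_dirs=VOLATILE_DIRS) -> dict:
    """Map each relative file path under root to its hash, skipping volatile dirs."""
    hashes = {}
    for candidate in root.rglob("*"):
        if not candidate.is_file():
            continue
        rel = candidate.relative_to(root).as_posix()
        if any(rel == d or rel.startswith(d + "/") for d in skip_dirs):
            continue
        hashes[rel] = sha256_of(candidate)
    return hashes


def diff_trees(backup: Path, live: Path) -> dict:
    """Return which files differ between the clean backup and the live site.

    'modified' and 'added' are where injected code usually shows up; a long
    list of either is the signal that restoring the backup beats hand-cleaning.
    """
    clean, current = snapshot(backup), snapshot(live)
    return {
        "modified": sorted(k for k in clean if k in current and clean[k] != current[k]),
        "added": sorted(k for k in current if k not in clean),
        "removed": sorted(k for k in clean if k not in current),
    }


def build_sample() -> tuple:
    """Constructed sample data: a clean backup and a live copy with a simulated compromise."""
    base = Path(tempfile.mkdtemp())
    backup, live = base / "backup", base / "live"
    files = {
        "index.php": "<?php require 'wp-blog-header.php';",
        "wp-config.php": "<?php define('DB_NAME', 'wp');",
        "readme.html": "<html>WordPress</html>",
        "wp-content/plugins/example/example.php": "<?php // example plugin (constructed)",
        "wp-content/uploads/2024/photo.jpg": "constructed image bytes",
    }
    for root in (backup, live):
        for rel, content in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
    # Simulated compromise on the live copy (constructed, not real malware):
    # a core file altered, a file dropped into a plugin folder, a file deleted,
    # and a new upload that should be ignored because uploads are volatile.
    (live / "index.php").write_text("<?php /* INJECTED (constructed) */ require 'wp-blog-header.php';")
    (live / "wp-content/plugins/example/injected.php").write_text("<?php /* dropped file (constructed) */")
    (live / "readme.html").unlink()
    (live / "wp-content/uploads/2024/new.jpg").write_text("another constructed upload")
    return backup, live


if __name__ == "__main__":
    backup_dir, live_dir = build_sample()
    for kind, paths in diff_trees(backup_dir, live_dir).items():
        print(f"{kind}: {paths}")
```

Run it against real paths by calling `diff_trees(Path("/path/to/clean-backup"), Path("/path/to/live-site"))`; the hashes are computed fresh on every run, so the comparison depends only on the backup being trustworthy, not on any stored manifest.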
Why do these bots and attackers do this? There are so many reasons, but some of the most common ones are:
- To use your domain to carry out phishing attacks in a way that is untraceable to them.
- To use your domain to send out spam.
- To use your domain as a part of their botnet – another system that they can use to find and exploit other vulnerable websites.
- To try to take advantage of security flaws in the operating systems of people visiting your website.
- Because they can.
As you can see, there are many incentives for cyber-criminals to pounce on vulnerable websites. Unfortunately, it’s not a matter of if, but rather when a website running outdated software will be hacked.