Firstly a bit of a confession. Although I do go to the trouble of keeping all my OS packages up-to-date (which is actually very easy with Ubuntu), I’ve neglected keeping WordPress up-to-date.
I guess that the reason for this is that Ubuntu has done so well in making patching the OS so easy that it’s easy to forget the applications that are outside of the dpkg system. Anyway, it’s been some time since I updated it, and I noticed as a security bug appears to have been exploited allowing someone to put some spam on my site.
This scum – whoever they are – added a load of links to my webpages. The links were all hidden, but pointed at some websites. As these were hidden I believe this was an attempt to gain improved ranking on the search engines.
I believe that these sites may have already been blacklisted, but I have not clicked on any of the links or verified that.
Another reason for not upgrading (or at least delaying it until I have some time on my hands) is that I have some scripts than access the Database directly and changes to the database schema break my scripts. I didn’t realise, but it was actually at 2.3 where they made these changes (over 6 months ago), rather than in version 2.5.
Normally it would be better to try and use the built-in wordpress functions to access the pages, but as this is from a different server completely it’s not quite so easy. Anyway I have now updated these to use the new database schema and it’s all working again – and hopefully keeping the hackers at bay.
This site is just something I keep together in my spare time, but it highlights something for those in a commercial environment. If you do not have a plan to get your patches installed, or if that plan misses out software then it’s likely to get you in trouble. Make it your number one priority to make sure that patches are applied as an when they become available (allowing for testing of course).