It's not been a great week for many people (churches included) whose sites are running on WordPress. After last week's disclosure of a vulnerability in WordPress core, nearly 1.5 million websites have been defaced. You might even have been one of them!
But here's the thing: it would have been pretty easy to avoid. All you have to do is keep your WordPress up to date.
Responsible disclosure and an update
You see, the vulnerability wasn't a surprise. Here's how this kind of thing works...
Usually the vulnerabilities are discovered by someone without ulterior motives (in this case it was Sucuri, a WordPress security company that tests regularly for vulnerabilities). They work with the WordPress team to fix the vulnerability, and an update is released including the fix. Everyone updates their WordPress, and everyone is happy.
What goes wrong?
Except not everyone updates their site. Then the people with ulterior motives discover there is a vulnerability in sites that haven't been updated and start targeting them. That's what happened in this instance: they started looking for sites that weren't running the latest version of WordPress, knowing they could exploit them.
So what should you do?
The moral of the story is pretty clear. Keep your WordPress installation up to date. And that doesn't just go for the core application either. It's important to keep your plugins up to date as well, to give yourself the best chance of remaining secure.
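As an added example (not from the original post, and not a WordPress or Sucuri tool), here is a small POSIX shell script that reads the core version the way WordPress records it in wp-includes/version.php and flags an install that is behind a "latest" version you supply. The sample site it builds and the version numbers in it are constructed for demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: flag a WordPress install whose core
# version is behind a "latest" version you supply. WordPress core records its
# version in wp-includes/version.php as a line like:  $wp_version = '...';
# The site built by make_sample_site is constructed purely for demonstration.

# Print the installed core version for the WordPress root directory in $1.
wp_installed_version() {
    f="$1/wp-includes/version.php"
    [ -f "$f" ] || return 1
    awk -F "'" '/^\$wp_version *=/ { print $2; exit }' "$f"
}

# Return 0 if dotted version $1 >= $2, 1 otherwise (numeric, component-wise).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = x[i] + 0; q = y[i] + 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# Compare site root $1 against latest version $2; return 1 if it is outdated.
check_wp_site() {
    site="$1"; latest="$2"
    v="$(wp_installed_version "$site")" || { echo "$site: no WordPress install found"; return 2; }
    if version_ge "$v" "$latest"; then
        echo "$site: core $v is current"
        return 0
    fi
    echo "$site: core $v is OUTDATED (latest is $latest); update it"
    return 1
}

# Build a throwaway site directory with a constructed version file (demo/testing only).
make_sample_site() {
    d="$(mktemp -d)"
    mkdir -p "$d/wp-includes"
    printf '<?php\n$wp_version = %s;\n' "'$1'" > "$d/wp-includes/version.php"
    echo "$d"
}

# Demo: a constructed site on 4.7.0 checked against a constructed "latest" of 4.7.1.
check_wp_site "$(make_sample_site 4.7.0)" 4.7.1 || echo "exit status $?: action needed"
```

Point it at each site root you look after (and the real current version from wordpress.org) to get a quick list of installs that still need the update.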