It had to happen eventually. At some stage in the last 2 weeks, some of my older WordPress installs on my old server appear to have become compromised in some form. I’ll bet dollars to donuts that it was over the Bank Holiday weekend at the end of last month; right when I paused my server migration process.
If I’m honest with myself, I’ve been lucky with some of the sites that this hasn’t happened before. Of course, I’ve taken every precaution available and, even being critical of myself, I can hand on heart say that security on my WordPress installs has improved dramatically in the last 18 months; but a mixture of older WordPress versions, bbPress legacy code, custom code and the great unknown, the website user, has finally conspired against me.
The reality is, I include basic WordPress upgrades in my support package after I build or host a website, save for a few caveats. Errors in my custom code/themes/plugins that I take ownership of are fixed free of charge, while non-foreseeable errors are offered at a cost rate to clients. Even with the 3 “vulnerable” WordPress versions installed (due to supporting older versions of bbPress), I’d be surprised if they were to blame (given that only 1 of them has appeared vulnerable).
No, the real culprit here appears to be the website owner/administrator/user. Using the admin account, a weak password, not signing out, not moderating spam, disabling some of my plugins to allow easier access, etc. And that’s why I am quietly confident of the exact weekend when these attacks finally breached the website security – I was away for 5 days and my cron job to compare code against my beta site was alerted to accepting errors as I upgraded to the WordPress 3.0 nightly build.
Until I can guarantee that these websites are completely free of issues, I shall be extending their maintenance mode until the end of the month (don’t worry, there is a clause in the contract for this). Every site will be upgraded to WP 3.0, and bbPress will be upgraded to 1.0.2, all on my brand new server (it’s well lush).
Lessons have been learned, hopefully on all sides, and I’ll take this as an opportunity to level the playing field for both my clients and me again. Plus it’ll keep me busy this weekend, avoiding hearing the English talking about how they’re going to win the World Cup if they beat Algeria!!