Major Microsoft WordPress Site Hacked
The fact that everything can be hacked and compromised was proved once more this past Wednesday, when the Microsoft-owned website digitalconstitution.com was hacked. The attackers added numerous spam pages and links to the Digital Constitution website. According to ZDNet, the site was running an old version of WordPress, leaving it exposed to previously discovered vulnerabilities. This is a clear reminder that keeping your system updated is important, no matter what you run: WordPress, Joomla, Windows, OS X or even Linux.
When was the last time you looked at the plugins you were using on your site? How about your themes? Do you really need all of them? Are there any just sitting there, not updated and disabled? Many of the exploits and hacks that happen today to WordPress sites are a direct result of outdated themes and plugins. If you are unlikely to ever use that really neat slider plugin that you never got around to playing with, then why do you still have it? How about those 10 different themes you uploaded when you were thinking about redesigning the site? Seriously, are you ever going to use them? If the answer to any of those questions is no, then get rid of them.
Wordfence, a leading WordPress security plugin, recommends reviewing your plugins:
Is there any reason that you are still using an old outdated and unmaintained plugin that hasn’t been supported in years? Is the functionality so crucial that you are willing to risk your site’s security on it? Is it worth the time, the energy, lost business, and lost sleep that will inevitably come when your site is exploited and redirects everyone to an offshore pharmacy? With 38,461 plugins in the WordPress.org repository at the time of this entry there are probably at least several that will provide the same purpose but that are updated and rated to work with the current version of WordPress.
Digital Constitution is a Microsoft website dedicated to fighting the US government on matters of policy and surveillance. Hackers managed to inject the website with the keywords “casino”, “blackjack”, and “roulette” in order to gain more search engine hits, and the results can be seen in this screenshot:
Some new pages have been injected that embed content from other casino-related websites. The rest of the site’s content appears to be intact. A review of the site’s code showed that it was running WordPress 4.0.5, an older version of the popular blogging software released in early May. The latest WordPress version is currently 4.2.2, which fixed major vulnerabilities in older versions.
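A site owner can run the same checks described above against their own pages. The script below is an added example, not part of the original post: it reads the WordPress version from the default `generator` meta tag (assuming the theme still emits it), counts the spam keywords named in the article, and lists embeds served from other hosts. The function names and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SPAM_KEYWORDS = ("casino", "blackjack", "roulette")  # keywords named in the article
LATEST = "4.2.2"  # latest WordPress release according to the article

class PageAudit(HTMLParser):
    """Collects the generator version, visible text and embed sources of a page."""
    def __init__(self):
        super().__init__()
        self.version, self.text, self.embeds = None, [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            m = re.match(r"WordPress (\d+(?:\.\d+)*)", a.get("content") or "")
            if m:
                self.version = m.group(1)
        elif tag in ("iframe", "embed", "script") and a.get("src"):
            self.embeds.append(a["src"])

    def handle_data(self, data):
        self.text.append(data.lower())

def as_tuple(version):
    return tuple(int(part) for part in version.split("."))

def audit_page(html, own_host, latest=LATEST):
    """Report version lag, spam-keyword counts and embeds served from other hosts."""
    page = PageAudit()
    page.feed(html)
    body = " ".join(page.text)
    hits = {k: len(re.findall(r"\b" + k + r"\b", body)) for k in SPAM_KEYWORDS}
    return {
        "version": page.version,
        "outdated": bool(page.version) and as_tuple(page.version) < as_tuple(latest),
        "keyword_hits": {k: n for k, n in hits.items() if n},
        # Relative URLs have no hostname and count as the site's own content.
        "foreign_embeds": [s for s in page.embeds if urlparse(s).hostname not in (None, own_host)],
    }

# Constructed sample page for illustration, not captured from the real site.
SAMPLE = """<html><head><meta name="generator" content="WordPress 4.0.5" /></head>
<body><h1>Best online casino</h1><p>Play blackjack and roulette. Casino bonus!</p>
<iframe src="http://spam.example/casino"></iframe>
<script src="/wp-includes/js/jquery.js"></script></body></html>"""

if __name__ == "__main__":
    print(audit_page(SAMPLE, "digitalconstitution.com"))
```

Keyword hits on a page that has no reason to mention gambling, combined with embeds from unfamiliar hosts, are the signal to investigate; the version check only works while the generator tag has not been removed.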