That makes the fact that many websites are not keeping up to date with new releases a huge concern. These sites are playing fast and loose with known vulnerabilities. This is how you get hacked.<\/span><\/p>\n To perform our survey, we created a tool to crawl the homepages of every website in the Quantcast Top 10,000<\/a>. The crawl was performed on April 5th<\/sup>, 2018\u2014two days after the release of WordPress 4.9.5. With 48 hours since the official release, any site configured to update automatically would have already done so.<\/p>\n Of the Quantcast top 10,000, 17% of website homepages were running on WordPress. The total number of sites that may use WordPress for their blogs or on other portions of their sites it obviously much higher, but owing to the complexity and time-consuming nature of such a scan, we opted to stay with just the homepages.<\/p>\n Here are our key findings:<\/p>\n Let\u2019s talk about why this is so crucial. And before we go any further, understand that this a universal problem. Organizations are constantly weighing the need to patch, update and harden their systems with the costs associated, both in terms of price, and downtime\/interruptions to business. That’s not just limited to WordPress sites, either.<\/p>\n \u201cMany people forego WordPress updates because they are worried that they will impact the stability of the site,\u201d says Paul Bischoff, a security expert and privacy advocate for Comparitech.com<\/a>. \u201cWordPress plugins can stop working, for example. If you made changes to a theme but didn’t put those changes into a child theme, those changes might get wiped in the next update. If you’re running an online business of some sort, the prospect of downtime can seem more costly than the risk of malware or attack.”<\/p>\n Senior web developer and WordPress expert Ken Dawes<\/a> is quick to warn site owners that WordPress needs constant attention.<\/p>\n \u201cThe biggest problem in WordPress security (or any other kind of site) is getting people to realize that having a WP website is like having a puppy,\u201d says Dawes. \u201cIf you don’t take care of it – feeding, grooming, vaccinations and the like – You’re going to have problems.\u201d<\/p>\n Taking care of it means regularly updating to the latest version and keeping your plugins up to date, too.<\/p>\n<\/span><\/span>\n Just like pretty much any other software, WordPress releases updates on a regular basis. While these updates also provide new features, it\u2019s the security improvements that are critical. And cybercriminals are paying attention to what gets fixed.<\/p>\n \u201cPeople don’t realize that hackers often don’t find vulnerabilities in software all on their own,\u201d says Bischoff. \u201cWhen a software publisher like WordPress puts out a patch that includes a security update, it tips off hackers to the fact that a vulnerability will exist on any WordPress installation that didn’t perform said update. If you don’t update, you’re a target. The longer you wait, the more vulnerable you are.\u201d<\/p>\n That nearly half of the WordPress sites in the Quantcast Top 10,000 aren\u2019t on the most recent update is alarming. The fact that over one-third, 33.58% are multiple versions behind is outright dangerous.<\/p>\n \u201cOnce your website is hacked it\u2019s very difficult to repair. Essentially, hackers who get in to your website will create new hidden entry points and unless you close them all, it\u2019s easy for them find a way back in. The results are horrible for the business,\u201d says Mazdak Mohammadi, head of Canadian WordPress Design Studio, BlueBerryCloud<\/a>.<\/p>\n \u201cThe good news is that WordPress makes it very easy to update the installation along with plugins through the WordPress Admin dashboard. Your web developer should be able to do this for you, otherwise you can ask for access and figure it out yourself. It\u2019s not rocket science and also, should the update fail, WordPress automatically takes your website to back to the point in time before you started the update.\u201d<\/p>\n Small and medium-sized businesses are not immune to being hacked. That\u2019s a common misconception that is not backed up by statistics. In fact, Symantec\u2019s 2017 Threat Report<\/a> says that 74% of SMBs were targeted last year. And the National Cyber Security Alliance<\/a> reports that 60% of SMBs go out of business within six months of a data breach.<\/p>\n \u201cAnecdotally, you’ll find website owners who say, “I haven’t updated anything in years and I haven’t gotten hacked! So what’s the big deal?” or… “I’m just a little guy, they won’t bother with my site,” says Dawes. \u201cIt’s a game of numbers. All sites get attacked randomly every day by hack-bots. The bots just go through lists of IP addresses and attack using lists of known, exploitable vulnerabilities. All a company needs is for their site to be vulnerable to the right bot at the wrong time.\u201d<\/p>\n \u201cWhen a vulnerability is found in a version of WordPress, hackers will create an exploit for that vulnerability and then cast a wide net, usually in an automated fashion, looking to see who is not up to date,\u201d adds Greg Kelley, an EnCE and DFCP with Vestige Digital Investigations<\/a>.\u00a0\u201cRealize the importance of a \u201cwide net\u201d, they don\u2019t care who you are or what you do, just that you have a site.\u00a0 Once compromised, the hacker will then see what they can get from their site such as account information and then maybe try to use that information to attack other systems that you may have.\u00a0 At the very least, the hacker will trash your site or use it to store data of importance to them (stolen data, illegal pictures, etc.).\u00a0 The result, at the very least, is a bad public image when it is discovered that your site was compromised.\u201d<\/p>\n Or, you could go the way of nearly 60% of the SMBs that get attacked and end up going under.<\/p>\n Obviously, the biggest piece of advice you can take away from here is that you need to stay on top of your WordPress updates, both for the CMS itself and for the plugins you\u2019re running with it.<\/p>\n \u201cWhen plugin and theme vulnerabilities are discovered and remedies released, your dashboard will indicate an update is available,\u201d says Bob Herman, the co-founder and President of IT Tropolis<\/a>.\u00a0\u201cAlso, always use child themes so that you can update all themes in your installation without affecting your site. Wordfence is a great plugin to notify you of important issues in your installation. And, if you don\u2019t want to update WordPress because a plugin may not be compatible with the latest version, then it\u2019s probably not a plugin worth using.\u00a0Most widely adopted plugins are updated in sync with WordPress so that vulnerabilities can be patched as fast as possible.\u201d<\/p>\n Cohen has some additional advice, too:<\/p>\n \u201cMake sure you regularly update your passwords and make sure your hosting company is updating Linux\/Unix, Php, and MySQL libraries annually (and installing patches as needed). Delete old plugins or themes when not in use or when they\u2019re outdated. Install a service like Sucuri or Wordfence for monitoring files and access of your site.\u201d<\/p>\n But above all else, if you only take one thing from this article, don\u2019t fall into the trap of thinking that you don\u2019t need to stay on top of updates<\/a>.<\/p>\n \u201cIt’s a false economy to *not* keep everything up to date,\u201d says Dawes. \u201cIf a company doesn’t want to make updates because they are afraid that their site will break, then they need to be cognizant of the increased risk of their site becoming compromised and be willing to accept those risks that their site will be hacked. And if the company’s site contains personal information about website visitors – names, email addresses, credit card info, etc. – They better be very accepting of their legal liabilities!<\/a>\u201d<\/p>\n As always, leave any comments or questions below!<\/p>\n","protected":false},"excerpt":{"rendered":" We crawled the Quantcast top 10,000, a lot of websites need critical updates Following WordPress\u2019 recent update to version 4.9.5, we decided to do a little bit of research to…<\/p>\n","protected":false},"author":6,"featured_media":6225,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16],"tags":[4327],"class_list":["post-6223","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","tag-wordpress","post-with-tags"],"views":35303,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/04\/bigstock-121124858.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/6223","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=6223"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/6223\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/6225"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=6223"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=6223"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=6223"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Methodology and Key Findings<\/h2>\n
\n
![\"33%](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/04\/Capture.png\")
<\/p>\nNot Updating WordPress is a great way to get hacked<\/h2>\n
WordPress is making these updates for a reason<\/h2>\n
WordPress hacks can happen to ANYONE<\/h2>\n
![\"33%](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/04\/bigstock-Flat-Vector-Illustration-In-Ou-232915561-300x300.jpg\")
What you need to do to keep your WordPress site safe<\/h2>\n