50,000 sites hacked through WordPress plug-in vulnerability


Abuse Compliance Officer
Staff member
Update your themes as well (lots of folks forget that the theme can contain PHP code too), and think carefully about what plugins you have - the more plugins you have, the more risk there is, since not all plugins are programmed by users who actually know and understand security. If a plugin isn't absolutely critical to the blog, ditching it prevents exploitation of a security hole.

This is coming from the abuse compliance officer who's had to tell more than a handful of users over the years that their compromises were so destructive the site could not be saved. If it's not needed, ditch it, and for the love of the sacred MAKE BACKUPS so you don't have to start from nothing more than a fresh install with a broken database.

Side note, if anyone reading this is on a WordPress version more than about 2 versions old (i.e. 3.9.2 or earlier), put some serious debate into reinstalling the install from fresh, vendor-supplied files rather than just updating. There's a lot of "old" hacks popping up recently that I've seen where users were actually compromised several weeks or months ago, but the malicious shells uploaded were left to sit until more recently when the hackers decided to attempt to use them. Patching the old install won't fix a compromise that's already happened.
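One way to do the check the post is getting at, as an added example that is not part of the original post: compare the live install against a freshly downloaded vendor copy of the same version with `diff -rq`, so that modified core files and files the vendor package never shipped (where an old uploaded shell would sit) show up in one list. It assumes POSIX tools plus `mktemp`, and it excludes wp-config.php and the uploads directory because those are site-specific by design and need a separate review.

```shell
#!/bin/sh
# Added example, not from the original post. Compare a WordPress install against a
# clean vendor tree of the same version and print:
#   MODIFIED <path>  core file whose content differs from the vendor copy
#   EXTRA    <path>  file present only in the install (vendor never shipped it)
#   MISSING  <path>  file present only in the vendor tree
# wp-config.php and the uploads directory are site-specific and are skipped here.
audit_wp_tree() {
  vendor="$1"
  install="$2"
  diff -rq -x wp-config.php -x uploads "$vendor" "$install" 2>/dev/null \
    | sed -e "s|^Only in $install/*\(.*\): \(.*\)$|EXTRA \1/\2|" \
          -e "s|^Only in $vendor/*\(.*\): \(.*\)$|MISSING \1/\2|" \
          -e "s|^Files $vendor/*\(.*\) and .* differ$|MODIFIED \1|" \
    | sort
}

# Constructed demo (assumed layout, not a real WordPress release): build a tiny
# vendor tree and an install tree, plant one modified core file and one extra file,
# then run the audit and print its report.
demo_audit() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/vendor/wp-includes" "$tmp/vendor/wp-content" \
           "$tmp/site/wp-includes"   "$tmp/site/wp-content/uploads"
  printf '<?php // vendor\n' > "$tmp/vendor/index.php"
  printf '<?php // vendor\n' > "$tmp/vendor/wp-includes/functions.php"
  cp "$tmp/vendor/index.php" "$tmp/site/index.php"                       # untouched
  printf '<?php // vendor\n// injected\n' > "$tmp/site/wp-includes/functions.php"  # modified core file
  printf '<?php // leftover\n' > "$tmp/site/wp-includes/class-cache.php" # file vendor never shipped
  printf 'x' > "$tmp/site/wp-content/uploads/2014.jpg"                    # excluded from the report
  audit_wp_tree "$tmp/vendor" "$tmp/site"
  rm -rf "$tmp"
}
```

Run `demo_audit` to see the two-line report; on a real host, point `audit_wp_tree` at an unpacked vendor archive and the site's document root.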