Well, yes, I am: if you aren't using it.
WordPress is the world’s most popular blog, CMS, framework, magic trick – however you classify it, it’s behind almost 20% of the world’s self-hosted websites, and that’s a lot of sites. More than 75 million, they say. So odds are you’ve installed WordPress at least once, if not half a dozen times, over the years.
But where, oh where are those WordPress installations?
We find a lot of them in /test directories, or in abandoned /blog directories. We find them there because they get compromised, and we’re called in to clean up the resulting mess. And that mess can go very deep, and spread out well beyond the WordPress directory.
Since WordPress is so popular, it’s also the target of more compromises than any other third-party application that you can install. So what often happens is someone installs WordPress to try it or test it, and then they forget about it. But they don’t delete it. So there that old installation sits.
And the longer it sits without being updated, the more vulnerable it is to compromise by the bad guys. If you think they’ll never find it because you cleverly installed it in a random directory that you don’t link to from anywhere, think again. The bad guys have bots – lots and lots of bots – and spiders, and all they do, all day every day, is probe for wp-login.php, wp-admin/ and xmlrpc.php under every path they can guess, read the version out of readme.html, and try whatever exploit matches it. Nobody needs to link to your forgotten install for it to be found.
If you are actively using WordPress, that’s great: all you have to do is keep it up to date and your chances of being compromised are vastly reduced (they don’t go away, but they’re reduced). WordPress installs minor security releases on its own by default, but a move to a new major version still waits for someone to click the button, so if you’re not someone who logs in to the WordPress admin back end every day, consider enabling automatic major updates as well, and keep plugins and themes in the same loop, since an old plugin is compromised just as readily as an old core.
Another thing you can do is delete the “admin” user that’s created when you first install WordPress. Give your everyday user admin permissions and delete that admin user, reassigning its posts to your new account when WordPress asks. I know, it’s scary, but do it! That takes away the one username every brute force bot tries first. Don’t treat it as the whole fix, though: WordPress will still reveal usernames through author archive URLs and its REST API, so what really blunts a brute force attack is a strong, unique password, a limit on failed login attempts, and two-factor authentication on every account that can log in.
Active WordPress installations aside, the best thing you can do is look around for old, unused WordPress installations and get rid of them: don’t just empty the directory, remove it, and drop the database it used while you’re at it. And while you’re in there digging around, delete any other applications you aren’t using. Look at it as a kind of year-round spring cleaning. It will make your domain more secure and potentially save you from a real headache down the road.
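The hunt for forgotten installs, and the “how old is it?” question from the update advice above, are easy to script. The following is an added example written for this post, not a tool from the original article or from the WordPress project. It walks a web root, finds every WordPress install by its wp-includes/version.php (which stock WordPress always ships), and reports the core version, how many days since that file last changed (a proxy for the last core update), and whether it is older than the release you pass in. The web root path and the current release number are things you supply; the two fake installs it builds when run without arguments are constructed test data, not real sites.

```sh
#!/bin/sh
# Added example: inventory WordPress installs under a web root and flag
# outdated ones. Assumes stock layout (wp-includes/version.php holding
# "$wp_version = '6.4.3';") and paths without spaces.

# Print "<install-dir> <version> <days-since-core-files-changed>" per install.
find_wp_installs() {
    root="$1"
    find "$root" -type f -path '*/wp-includes/version.php' 2>/dev/null |
    while IFS= read -r verfile; do
        dir=$(dirname "$(dirname "$verfile")")
        # Pull the version string out of "$wp_version = '6.4.3';"
        version=$(sed -n 's/^\$wp_version[^0-9]*\([0-9][0-9A-Za-z.-]*\).*/\1/p' "$verfile" | head -n 1)
        now=$(date +%s)
        # GNU stat first, BSD/macOS stat as fallback
        mtime=$(stat -c %Y "$verfile" 2>/dev/null || stat -f %m "$verfile")
        age=$(( (now - mtime) / 86400 ))
        printf '%s %s %s\n' "$dir" "${version:-unknown}" "$age"
    done
}

# Return 0 (true) if version $1 is older than version $2, comparing
# dot-separated numeric fields, so 6.4.3 < 6.5 and 6.4 < 6.4.1.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        # drop suffixes such as "-beta1" so the field compares as a number
        ax=$(printf '%s' "$ax" | sed 's/[^0-9].*//')
        bx=$(printf '%s' "$bx" | sed 's/[^0-9].*//')
        if [ "${ax:-0}" -lt "${bx:-0}" ]; then return 0; fi
        if [ "${ax:-0}" -gt "${bx:-0}" ]; then return 1; fi
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Report every install under $1, marking anything older than $2 (the current
# WordPress release, which you look up and pass in) as OUTDATED.
report_wp_installs() {
    find_wp_installs "$1" | while read -r dir version age; do
        status=up-to-date
        if [ "$version" = unknown ] || version_lt "$version" "$2"; then
            status=OUTDATED
        fi
        printf '%-10s %-8s %4s days  %s\n' "$status" "$version" "$age" "$dir"
    done
}

# Build a throwaway web root holding two fake installs (constructed test
# data, not real sites) and print its path.
make_fixture() {
    fixture=$(mktemp -d)
    for site in blog:6.4.3 test:5.8.1; do
        name=${site%%:*}; ver=${site#*:}
        mkdir -p "$fixture/$name/wp-includes"
        printf "<?php\n\$wp_version = '%s';\n" "$ver" > "$fixture/$name/wp-includes/version.php"
    done
    printf '%s\n' "$fixture"
}

# Usage: ./wpfind.sh /var/www 6.5   (web root, then current release)
# With no arguments it demonstrates on the constructed fixture.
if [ $# -ge 1 ]; then
    report_wp_installs "$1" "${2:?usage: $0 WEBROOT CURRENT_VERSION}"
else
    demo=$(make_fixture)
    report_wp_installs "$demo" 6.5
    rm -rf "$demo"
fi
```

Run it against the parent of all your document roots, not just the one site you remember, because the /test and /blog copies are exactly the ones that never made it into your notes. Anything it flags as OUTDATED and that you still want gets updated (if WP-CLI is on the box, `wp core update` and `wp plugin update --all` from inside the install will do it); anything you don’t want gets removed along with its database. The same tool handles the “admin” user advice: `wp user delete admin --reassign=<id>` removes the account and hands its posts to the user id you give it.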