Well, yes I am. If you aren’t using it.
WordPress is the world’s most popular blog, CMS, framework, magic trick – however you classify it, it’s behind almost 20% of the world’s self-hosted websites, and that’s a lot of sites. More than 75 million, they say. So odds are you’ve installed WordPress at least once, if not half a dozen times, over the years.
But where, oh where are those WordPress installations?
We find a lot of them in /test directories, or in abandoned /blog directories. We find them there because they get compromised, and we’re called in to clean up the resulting mess. And that mess can go very deep, and spread out well beyond the WordPress directory.
And the longer it sits without being updated, the more vulnerable it is to compromise by the bad guys. If you think they’ll never find it because you cleverly installed it in a random directory that you don’t link to from anywhere, think again. The bad guys have bots – lots and lots of bots – and spiders, and all they do, all day every day, is look for wp-admin pages to exploit.
Another thing you can do is delete the “admin” user that’s created when you first install WordPress. Give your everyday user admin permissions and delete that admin user. I know, it’s scary, but do it! That will make it harder for the bad guys to exploit you using a brute force attack on your admin password.
Active WordPress installations aside, the best thing you can do is look around for old, unused WordPress installations and get rid of them. And while you’re in there digging around, you might want to delete any other applications that you aren’t using. Look at it like a kind of year-round spring cleaning. It will make your domain more secure and potentially save you from a real headache down the road.