Security Update Roundup

There are many aspects to securing a website, but one of the easiest and most important things you can do is to stay on top of script updates as they become available. Our clients are generally pretty good about doing this, but mistakes do happen. Attackers exploiting old, vulnerable scripts is by far the number one reason that we see sites being compromised. Cleaning a site once a compromise has already occurred can be a costly and time-consuming process. Being proactive and keeping everything patched in a timely manner is far easier and significantly reduces the chance that your site will be compromised.


Popular scripts like WordPress have a very easy update process that can be run from within the administrative interface and completed with just a couple of clicks. You can also configure your WordPress instances for automatic updates, which can take care of your plugins and themes as well. Another option is to configure Softaculous to automatically handle these for you. If you install a script using Softaculous, this is very easy to do from their cPanel interface.

There have been a number of important updates released over the past month or so. We’ve posted some of them to our forums and the announcements section of our portal but given the popularity of these scripts we figure it wouldn’t hurt to mention them again here.

If you are running WordPress you need to be sure that you’ve updated to version 4.2.1, which was released last week. A couple of weeks ago it was also discovered that a large number of popular WordPress plugins had similar XSS vulnerabilities due to the misuse of functions. These have since been patched, so you’ll want to make sure all of your WordPress plugins are updated as well.
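One way to check an account for WordPress installs older than 4.2.1 is sketched below. This is an added example, not part of the original post: the function names are hypothetical, the directory tree it scans is constructed sample data, and it assumes each install still has the stock `wp-includes/version.php` file that sets `$wp_version`.

```python
import re
import tempfile
from pathlib import Path

MIN_VERSION = "4.2.1"  # the release this post asks you to be on
# Matches the assignment in a stock wp-includes/version.php
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]""", re.M)

def parse_version(text):
    """Turn '4.1.1' or '4.2-beta3' into a comparable tuple of three ints."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])

def find_outdated(root, minimum=MIN_VERSION):
    """Return sorted (install_dir, version) pairs for installs older than minimum."""
    floor = parse_version(minimum)
    outdated = []
    for vfile in Path(root).rglob("wp-includes/version.php"):
        match = VERSION_RE.search(vfile.read_text(errors="replace"))
        if not match:
            continue  # no version line found: inspect this install by hand
        if parse_version(match.group(1)) < floor:
            install = vfile.parent.parent.relative_to(root).as_posix()
            outdated.append((install, match.group(1)))
    return sorted(outdated)

def build_sample_tree(root):
    """Constructed sample data: three fake installs with different versions."""
    for name, version in [("blog", "4.2.1"), ("shop", "4.1.1"), ("old/site", "3.9.2")]:
        inc = Path(root) / name / "wp-includes"
        inc.mkdir(parents=True)
        (inc / "version.php").write_text(f"<?php\n$wp_version = '{version}';\n")

def demo():
    """Scan the constructed tree and return what would be reported."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_outdated(tmp)

if __name__ == "__main__":
    for path, version in demo():
        print(f"{path}: WordPress {version} is older than {MIN_VERSION}")
```

To use it on a real account, call `find_outdated()` with the directory that holds your sites instead of the sample tree.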

If you are a Magento user you need to make sure that you’ve applied a patch for SUPEE-5344. This is a critical remote command execution vulnerability that will result in your site and all data on it being compromised if it hasn’t been already.

We strongly urge everyone to configure their scripts to automatically update, check for updates at least once a week, or closely monitor announcements from their respective vendors. The little bit of work required up front is well worth the additional security it provides and could save you a lot of time and money in the future.
