Do you use custom post types in your WordPress site? You may have some fixin’ to do…

Security experts just found a breach in which hackers manipulated a common WordPress plugin to do “bad things” (I’m leaving out the jargon) to your site.

What’s so special or unusual about this announcement? The type of hack. Most security breaches begin as brute force attacks – all those attempts to gain entry to your site via the “admin” login. If you don’t have security software installed on your website (or by your host), your site may be susceptible to intrusions.

For my own clients, I receive regular notices (every day and every week) of hack attacks via login attempts. This is the equivalent of marauders banging on the drawbridge or shooting arrows at a high castle wall: Ain’t gonna get in!

But a successful hack delivered through a WordPress plugin (which is what happened here) is a veritable Trojan Horse: if the plugin updates automatically, or you manually update to the compromised version by accident, it’s a huge pain to clean up the mess.

Fortunately, none of my clients use this plugin. Disaster averted. And it is the first time anyone’s seen this type of attack, making those of us who develop WordPress sites wonder where the next attack may come from within the castle walls.

As always, we try to stay at least a step ahead of hackers (and hopefully on the other side of the moat, too)!