If you use WordPress on a site hosted with Canvas Dreams and only have time to read this first section, let me summarize with three points:
1) Please update your WordPress installation immediately to the latest version;
2) Please do not use suspicious WordPress plugins, and keep the ones you do use updated as well;
3) Of the many available plugins, please look at WordPress Firewall and install it. It blocks many of the common break-in attempts and has a proven track record among our customers.
The longer version:
In recent weeks, we’ve seen a tremendous uptick in the number of vulnerabilities and code-level hacks related to WordPress. This means that if your website uses WordPress in any way, even having just an “unused” installation on a subdomain, your entire hosting account could be vulnerable.
There are a variety of hacks and code vulnerabilities. Many of these security flaws are due in part to the manner in which WordPress enables third-party plugins to be instantly installed via the WordPress administration console on your website. Sadly, the WordPress community hasn’t done a very good job requiring developers of WordPress plugins to vet the code, or even provide dedicated support and patches to ensure those plugins are safe to use.
While most WordPress plugins are genuinely safe and helpful, the fact is that an increasing number have not been written with security best practices in mind. Using one of these plugins can make your WordPress installation unsafe and a target for exactly this kind of attack.
Right now, there is a very, very serious hack out, and unfortunately, it’s not a new one. The “timthumb” hack is something you can fix by updating to the latest version of WordPress. Alternatively, you can follow the instructions provided in this article to patch the file. Or, since you may not even be using or need it, you can simply delete the file.
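Before you can patch or delete the file, you need to know where it lives: themes often ship the library under more than one name (timthumb.php, thumb.php, and others), so checking by filename alone can miss copies. The following POSIX shell script is an added example, not part of this notice or of Canvas Host's tooling. It walks a WordPress document root, flags every PHP file whose contents mention TimThumb, and reports the version each copy declares. It assumes the library announces its version with a line of the form define ('VERSION', '...'); (the upstream script has done so, but treat this as an assumption and verify against your own files); copies without such a line are reported as "unknown". The sample tree it builds when run without arguments is constructed for demonstration and contains no real library code.

```shell
#!/bin/sh
# Inventory TimThumb copies under a WordPress document root.
# Added example; not the hosting provider's own tooling.

# find_timthumb_copies DIR
# Prints one line per match, "<path><TAB><version>", sorted by path.
# A file counts as a match when its contents mention "timthumb" (case-insensitive);
# the filename is deliberately not trusted, since themes rename the library.
find_timthumb_copies() {
    root="$1"
    find "$root" -type f -name '*.php' -print 2>/dev/null | sort | while IFS= read -r f; do
        if grep -qi 'timthumb' "$f"; then
            # Assumption: the library declares itself with define ('VERSION', 'x.y');
            ver=$(grep -o "define *( *'VERSION' *, *'[^']*'" "$f" | head -n 1 \
                  | sed "s/.*'\([^']*\)'$/\1/")
            [ -n "$ver" ] || ver=unknown
            printf '%s\t%s\n' "$f" "$ver"
        fi
    done
}

# count_timthumb_copies DIR
# Number of matches, for a quick "do I have it at all?" check.
count_timthumb_copies() {
    find_timthumb_copies "$1" | wc -l | tr -d ' '
}

# make_sample_tree
# Builds a constructed WordPress-like tree in a temp directory and prints its path.
# The files are stand-ins with a few header lines only; none is the real library.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/demo" "$d/wp-content/themes/other/inc"
    # Copy 1: canonical name, declares a (constructed) version.
    printf '%s\n' '<?php' \
        '/* TimThumb image resizer (constructed sample header) */' \
        "define ('VERSION', '1.10');" \
        > "$d/wp-content/themes/demo/timthumb.php"
    # Copy 2: renamed by the theme author, no VERSION line at all.
    printf '%s\n' '<?php' \
        '// bundled timthumb copy shipped under another name (constructed sample)' \
        > "$d/wp-content/themes/other/inc/thumb.php"
    # Unrelated file that must not be reported.
    printf '%s\n' '<?php' "echo 'hello';" > "$d/index.php"
    printf '%s\n' "$d"
}

# Usage: sh find_timthumb.sh /path/to/public_html
# With no argument, scan the constructed sample tree instead.
if [ "$#" -gt 0 ]; then
    find_timthumb_copies "$1"
else
    sample=$(make_sample_tree)
    echo "Scanning constructed sample tree $sample"
    find_timthumb_copies "$sample"
    echo "copies found: $(count_timthumb_copies "$sample")"
    rm -rf "$sample"
fi
```

Run it against your hosting account's document root; every line it prints is a file you should either update to the current TimThumb release, patch as the article describes, or remove if nothing on the site depends on it.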
Please be aware that we’re seeing a number of serious hacks resulting from this easily fixable issue. Just as it is our responsibility to maintain a safe hosting environment, it is your responsibility to maintain your WordPress installation and any associated plugins.
Because of the severity of these kinds of hacks, if we discover your website is hosting compromised code or phishing content (such as fake bank information, or content aimed at tricking a customer into installing viruses via their browser), we may take immediate action and suspend your website without prior notice. The reason we must do this is simple: If your site has been compromised, not only is it a threat to your business, it is a threat to the server your site is hosted on, a threat to the health and reputation of our network, and an overall threat to anyone accessing your site. If we do take this action, please understand that we are doing this to prevent any further damage to your own online reputation, first and foremost.
If your site is suspended, we will open a ticket in our online Support system under your account, and additionally try to call you at the phone number you have on file with us. If we can’t reach you by phone, we will leave a message informing you of the suspension and that you need to log into our Support system to review the details of the ticket and the issue.
If your WordPress website is suspended, we will require you to upgrade immediately before agreeing to reactivate your hosting plan. We will not reactivate any site without first speaking with the authorized owner of the domain in question.
If you want to check the current status of WordPress on your website, log into your WordPress control panel: it shows whether updates are pending, and you can update to the latest version by clicking the appropriate Update links, either for WordPress itself, or for your plugins, or both.
Lastly, the purpose of this message has not been to cause alarm, but instead to raise your awareness of the importance of keeping your WordPress site updated and secure. We care about all of our customers, and by keeping your site updated, you’ll be doing your part to ensure your site is safe and secure for all of your visitors, as well!
David Anderson, Principal
Canvas Host, LLC