Every now and then I’d hear a developer mention security issues with WordPress. I’d ignore these (sometimes oblique) statements and trust that the folks working on the WP core knew what they were doing and that while potentially vulnerable… I mean there are security holes and then there are security holes.

Until last month when a client of mine emailed and said her nonprofit’s site had been cracked and she needed help. Last year I’d migrated her personal blog from an older service to WP and she was so happy she’d had a volunteer build a WP site for her nonprofit. I looked into the situation and realized that this was a major problem. I was building sites that had a massive security hole.

I’ve since been fixing this vulnerability for all my clients, and had to wipe and reinstall both the site install and the database for said nonprofit. It was dumb luck that it wasn’t one of my clients’ sites to get hit first.

There are a few different ways to protect against this. It doesn’t take long to do, but does require a little php or text file editing. If you are running a WordPress site call your person and ask if they’ve protected the wp-config file. Or email me and I’ll check for you.