The lesson, as always: don't use WordPress, or any other web-facing technology, if you aren't going to keep it up to date.
“Earlier this month, users of the popular WordPress CMS were advised to upgrade to the latest version of the software to patch “an undisclosed critical vulnerability.” At the sound of that dogwhistle, hackers pounced, targeting the many sites whose users had not immediately pushed the update.
In the weeks since, some 1.5 million websites have been exposed and defaced, including what appear to be the sites of several hundred law firms — their marquees tagged prominently with the aliases of their attackers.”
I don't mean to pick on WordPress here. WordPress actually handled this the way you would expect a software company to: they were notified of a security problem and patched it almost immediately. The problem is that many organizations didn't apply the patch in a timely manner, and that is ultimately what got them defaced. Law firms especially, but not exclusively, simply don't have an infrastructure that can keep up with applying security patches. Even those that have a plan for security generally have one maintenance window per month when they can take systems down to patch them, and that's only after the updates have been tested in a non-production environment. In this case, that was far, far too slow.
That might work for some internal tools. It does not work for web-facing tools that can be accessed by hackers.
You need a better plan.
In fact, one of the biggest reasons I switched hosting providers was the ability to have my WordPress installs automatically updated when I was too busy to keep them updated myself. I've learned the hard way not to have unpatched versions of WordPress on my sites. There's no reason for a law firm or any other organization not to do the same.
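If your host does not offer that, you can turn it on yourself. The must-use plugin below is an added example, not code from this post or from any hosting provider: it forces WordPress core, plugin and theme updates to install automatically through the built-in updater, and warns in the dashboard when a wp-config.php constant would silently block them. The plugin slug in the hold-back list is a placeholder; the filter and constant names are WordPress's real ones.

```php
<?php
/**
 * Plugin Name: Force automatic updates
 * Description: Added example. Save as wp-content/mu-plugins/force-auto-updates.php
 *              so it loads on every request and cannot be deactivated from the UI.
 */

// Core: allow both minor (security) and major releases to install unattended.
// The same effect can be had with define( 'WP_AUTO_UPDATE_CORE', true ) in wp-config.php.
add_filter( 'auto_update_core', '__return_true' );
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Themes: update everything.
add_filter( 'auto_update_theme', '__return_true' );

// Plugins: update everything except an explicit hold-back list. Hold-backs are
// for plugins you have seen break on update; keep the list short and revisit it.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
	$held_back = array(
		'example-legacy-plugin', // placeholder slug, not a real plugin
	);
	if ( isset( $item->slug ) && in_array( $item->slug, $held_back, true ) ) {
		return false;
	}
	return true;
}, 10, 2 );

// WordPress refuses to auto-update anything that lives in a VCS checkout
// (a .git/.svn/.hg directory in or above the install). Only override this if
// the checkout is not how you deploy; otherwise the next deploy reverts the patch.
add_filter( 'automatic_updates_is_vcs_checkout', '__return_false' );

/**
 * Return the wp-config.php constants that would stop unattended updates.
 * Exposed as a function so it can be checked from WP-CLI or a health page.
 */
function fau_update_blockers() {
	$blockers = array();
	if ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED ) {
		$blockers[] = 'AUTOMATIC_UPDATER_DISABLED is true';
	}
	if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS ) {
		$blockers[] = 'DISALLOW_FILE_MODS is true (updater cannot write files)';
	}
	if ( defined( 'DISABLE_WP_CRON' ) && DISABLE_WP_CRON ) {
		// Not fatal on its own, but updates only run when wp-cron.php runs.
		$blockers[] = 'DISABLE_WP_CRON is true (make sure a system cron requests wp-cron.php)';
	}
	return $blockers;
}

// Surface the blockers to administrators instead of failing silently.
add_action( 'admin_notices', function () {
	if ( ! current_user_can( 'update_core' ) ) {
		return;
	}
	$blockers = fau_update_blockers();
	if ( empty( $blockers ) ) {
		return;
	}
	echo '<div class="notice notice-error"><p>Automatic updates are blocked: '
		. esc_html( implode( '; ', $blockers ) ) . '</p></div>';
} );
```

Two things still have to be true for this to work: the web server user must be able to write to the WordPress directory (otherwise the updater falls back to asking for FTP credentials and does nothing unattended), and something must trigger WP-Cron, either site traffic or a real system cron job that requests wp-cron.php every few minutes. The filters are also overridden by any plugin that hooks the same filters later, so after installing this, confirm the result with the Site Health screen or with WP-CLI's `wp core check-update` rather than assuming it took.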