I’ve mentioned Troy Hunt a few times on this blog. He’s one of the good guys in our industry and runs a website called haveibeenpwned.com. If you want to scare your friends and family at a get-together, send them to haveibeenpwned.com and get them to type in their email address. You’ll discover that we’ve all been hacked at some point in the past decade and your data is already out there. The site will tell you which breaches you have been affected by.
Troy wrote an awesome blog post yesterday with a message that I’d really like to get out into the WordPress community. I’m going to give you the CliffsNotes version here with my comments, and then suggest that you head over to his blog to read the full post.
All of us WordPress site owners are targets, even if we don’t collect credit cards, even if we don’t capture and store user data, and even if we just have a plain old static website. The reason is that our websites have a clean reputation. Notice I’m not using the word ‘good’. You don’t even have to be popular; you just have to be ‘clean’ for a hacker to be able to use your site. If your site is not blacklisted by Google’s Safe Browsing list or any other blacklist, then you are ‘clean’.
Hackers want to gain access to your site so that they can host their own malicious content. In Troy’s post he provides plenty of examples of hackers hosting phishing pages to try and capture user credentials as part of a phishing campaign. He includes hacked WordPress websites in his examples.
So the next time you’re at a WordCamp, on a WP forum or chatting about WordPress in the community, let your friends know that even if you don’t have valuable data or capture credit cards, you are a target because hackers want to exploit your website’s reputation. Make sure you have a great firewall, like Wordfence, installed; learn how to secure your WordPress site; stay up to date on the newest WordPress security news; and take security seriously.