WordPress blogs hacked : Law firms need to consider WordPress support costs

After WordPress came under attack by hackers over the weekend, well known blogger, Robert Scoble, reported last evening that he no longer feels safe with WordPress.

A few weeks ago some hackers broke into my blog here (this was before 2.8.4 was released). At first I thought they just left some porn sites in a couple of blog entries. So we upgraded WordPress (I was on 2.7x back then). Deleted a fake admin account. Deleted the porn sites. And thought we had solved the problem. We didn’t.

They broke back in, but this time they did a lot more damage. They deleted about two months of my blog. Yes, I didn’t have a backup. I should learn to do backups (we’re doing them now). Life has a way of beating you if you don’t have backups.

Anyway, this time they also put some malicious code on my archive pages. Google sent me an email saying they had removed my blog from its index. That got a whole team to look into how they broke in. Now thanks to TechCrunch and Mashable you know there was a vulnerability in WordPress which let them break in. Even more good details on Lorelle’s blog.

Turns out that if you ran WordPress at WordPress.com (WordPress hosts your blog), you were probably safe from attack. The reason being that WordPress kept doing regular updates to its software to prevent such attacks.

However, a lot of publishers, including a lot of law firms, do not host their WordPress blogs at WordPress.com. They want more control and features on their blog than WordPress may offer. They’re hosting their blogs on their own servers at co-location facilities or having service providers host their blogs on the service provider’s servers. In which case, timely updates may not have been made to prevent major hacking like this.

And it’s not easy as just keeping up to date with every WordPress update (which can come quite regularly and making the upgrades. It’s possible the WordPress upgrades won’t work on your blog or worse yet, the upgrades will cause other parts of your blog to fail.

As discussed in Scoble’s Friendfeed comments, lots of WordPress blog publishers, including law firms and firms hosting blogs for law firms, use plugins to add various features to their blog. WordPress upgrades are not necessarily tested on blogs with such upgrades. So when WordPress upgrades come out those running WordPress blogs on other than WordPress.com can not just install the upgrade. Testing and often fixes to bugs that develop must be done.

WordPress is good blog software and may be the most widely used. The fact that it’s Open Source has allowed it make major advances and develop quite a following. But with mass use and open development, it can be susceptible to hacking like this.

For law firms running their blogs, it’s not as easy as just downloading blog software and being up and running. In addition, when outsourcing your blog hosting, having a solution provider whose business is blogging is a plus.

Bottom line, when you are considering the cost of WordPress (free) and all the plugins created on WordPress for blog features, you need to consider the cost of the support you need.