The Reuters blogging platform was hacked Friday, and a false account about an supposed consultation with a Syrian rebel leader was posted. On Sunday, Reuters endured a second security breach in which hackers acquired control of one of its Twitter accounts. While Twitter has not commented on the hack, but more information has come to light the former: Reuters wasn’t keeping its WordPress installation updated.
Mark Jaquith, one of the WordPress platform lead developers and member of the WordPress Security Team, told the WSJ that Reuters was using “an old version” of the software that has “publicly known security issues.” More specifically, the publication was using version 3.1.1. The current version is 3.4.1.
This is a classic error. You should always be utilizing the latest version of your software, particularly if you are a major company that is frequently targeted by hackers. WordPress is, particularly, a popular attack vector for cyber criminals. While there’s no guarantee that the hackers exploited an unpatched security hole in WordPress to access Reuters’ blogging platform, it’s more probable given this new information.
You are highly suggested to update WordPress if you are using an outdated version: wordpress.org/download or from your Dashboard (Updates menu in your site’s admin area). Also, make sure your theme is up to date, as another big security whole is the “TimThumb Exploit”.
While Reuters confirmed the hack on the weekend, the firm said it does not yet have any information on the party responsible for the fake news. The publication took down its blogging platform on Friday but a quick check shows that blogs.reuters.com is now working as expected. For their sake, I hope the engineers who brought it back made a point to upgrade their WordPress installation.