A new client called this week. Their site had been polluted with spam. There were 2–3 links to questionable ads in almost every one of their nearly 500 posts. After doing a backup in case anything went wrong with the cleanup, we added the Wordfence security plugin and scanned the site. We replaced a few files that had been altered, then began updating WordPress and quite a few plugins that were considerably out of date. The perpetrator most likely got in through a vulnerability in one of the outdated plugins or WordPress itself.
Many updates are released specifically to address newly discovered security flaws. If you don’t test and install them promptly, you leave your website open to rising risks.
If you don’t have the time to log in at least weekly and check for updates, at least install a good security plugin like Wordfence that will alert you when attackers try to log in, when plugins are out of date, or when other issues are detected. And if that is not something you can or will pay attention to, think about outsourcing the operation of your site. That is what we do in our managed website operations.
The client’s site is clean and safe now with no offensive spam waiting to ruin their reputation. The cost of the recovery exceeded what we charge to operate a site for a year. Between the downtime, reputation risk and cost, they now know it would have been better to have let us keep them safe before their site was compromised (and if we didn’t keep them safe, the cleanup would’ve been on us).