With creative use of plugins, you can add an unbelievable array of functionality to your site, but therein lies the problem.
On the web, anything that’s popular becomes a target, and that’s exactly what has happened here.
Hackers have been quick to take advantage of a newly discovered unauthenticated privilege escalation vulnerability in the code, fanning out across the internet and defacing a worrying number of websites powered by WordPress.
What makes this possible is that many site owners don’t allow automatic WordPress updates and so didn’t get the already-released patch when it became available.
There are some valid reasons not to use auto-updates. If your site has a high number of custom additions, an update may break some of your custom code or cause it to behave in ways you don’t expect, which could mean downtime.
That’s an understandable concern, but the reality is that without the latest patch, your site runs a real and growing risk of being hacked.
If you’re lucky, you’ll get overlooked for a few months.
If you’re very lucky, when the hackers do turn their attention to you, all they’ll do is deface your home page, but with escalated (Admin) privileges, there’s nothing that says they have to stop there.
If they wanted to, they could download all manner of sensitive customer or proprietary data and sell it to the highest bidder. It’s just not a risk worth taking, so if you use WordPress and haven’t updated in a while, the time is now.
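To find the sites that will not have received a patch on their own, the following added example (not code from the original post) reads each site's `wp-config.php` and reports how core auto-updates are set through the WordPress constants `AUTOMATIC_UPDATER_DISABLED` and `WP_AUTO_UPDATE_CORE`. The function names and the sample configurations are constructed for illustration.

```python
import re

# define( 'NAME', value ); at the start of a line, so //- or #-commented lines are skipped.
# Limitation: a define() inside a /* ... */ block is still counted (errs toward a false alarm).
_DEFINE = re.compile(
    r"""^[ \t]*(?i:define)\s*\(\s*['"](AUTOMATIC_UPDATER_DISABLED|WP_AUTO_UPDATE_CORE)['"]"""
    r"""\s*,\s*([^)]+?)\s*\)\s*;""",
    re.MULTILINE,
)

def core_auto_update_policy(wp_config_text):
    """Return 'disabled', 'minor-only', 'all' or 'default' for core auto-updates.
    Only wp-config.php constants are read; filters set by plugins or themes are not covered."""
    settings = {}
    for name, raw in _DEFINE.findall(wp_config_text):
        # PHP keeps the first define() of a constant and ignores later ones.
        settings.setdefault(name, raw.strip("'\" \t").lower())
    if settings.get("AUTOMATIC_UPDATER_DISABLED") == "true":
        return "disabled"  # switches off every automatic update, overriding the core setting
    core = settings.get("WP_AUTO_UPDATE_CORE")
    if core == "false":
        return "disabled"
    if core == "minor":
        return "minor-only"  # maintenance and security releases only
    if core == "true":
        return "all"
    return "default"  # WordPress's own default, which applies minor releases automatically

def sites_with_updates_disabled(configs):
    """Given {site_name: wp-config.php text}, list the sites that must be patched by hand."""
    return sorted(n for n, t in configs.items() if core_auto_update_policy(t) == "disabled")

# Constructed sample input (not taken from any real site).
SAMPLE_CONFIGS = {
    "shop": "<?php\ndefine( 'DB_NAME', 'shop' );\ndefine( 'WP_AUTO_UPDATE_CORE', false );\n",
    "blog": "<?php\n// define( 'AUTOMATIC_UPDATER_DISABLED', true );\n",
    "docs": "<?php\ndefine('WP_AUTO_UPDATE_CORE', 'minor');\n",
    "intranet": "<?php\ndefine( 'AUTOMATIC_UPDATER_DISABLED', TRUE );\n"
                "define( 'WP_AUTO_UPDATE_CORE', true );\n",
}

if __name__ == "__main__":
    for site, text in SAMPLE_CONFIGS.items():
        print(f"{site}: {core_auto_update_policy(text)}")
    print("patch by hand:", sites_with_updates_disabled(SAMPLE_CONFIGS))
```

For sites with heavy customization, the `'minor'` setting is the middle ground: it keeps security releases flowing while leaving major version upgrades to be tested manually.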