Last week it was reported that there is a major vulnerability in WordPress in version 4 prior to 4.9.9 and in the new version 5 (Gutenberg) prior to 5.0.1. The advice is simply to update your version as soon as possible.
The problem with a CMS like WordPress is that it is used to allow clients to manage their own sites after development. It then becomes the client’s responsibility to ensure the site is up to date, patched and secure, and, as we all know, that will often not be the case. Usually this means an individual site may be exploited, but there can be wider implications for a compromised server.
There are two broad approaches to getting round the issue of ensuring WordPress is patched and up to date, but both create problems of their own.
The first one is to set up automated updates for WordPress core, themes and plugins. The major issue with this is incompatibility: an update to one element interferes with the operation of another, or makes it obsolete, leaving a site with elements that don’t work or, worse still, displaying the dreaded internal server error.
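One middle ground between blanket automation and no automation is to let WordPress apply core security releases and most plugin/theme updates itself while holding back the few components known to break. The must-use plugin below is an added example, not code from the original post; it uses the standard `allow_minor_auto_core_updates`, `auto_update_plugin` and `auto_update_theme` filters, and the plugin path in `HOLD_BACK_PLUGINS` is a placeholder to be replaced with the site’s own problem plugins.

```php
<?php
/**
 * Plugin Name: Selective auto-updates (added example)
 * Description: Drop into wp-content/mu-plugins/ so it loads on every request.
 */

// Plugins the site owner has found to break on update. Placeholder value;
// use the plugin basename as shown in the update screen (dir/main-file.php).
const HOLD_BACK_PLUGINS = [
    'example-page-builder/example-page-builder.php',
];

// Always take core minor/security releases (the 4.9.9 / 5.0.1 kind) automatically.
add_filter('allow_minor_auto_core_updates', '__return_true');

// Auto-update every plugin except those on the hold-back list, and log the
// ones held back so a human knows a manual, tested update is still pending.
add_filter('auto_update_plugin', function ($update, $item) {
    if (isset($item->plugin) && in_array($item->plugin, HOLD_BACK_PLUGINS, true)) {
        error_log(sprintf(
            'auto-update held back for %s (new version %s); update manually after testing',
            $item->plugin,
            $item->new_version ?? 'unknown'
        ));
        return false;
    }
    return true;
}, 10, 2);

// Themes are usually safe to update automatically; change to a similar
// hold-back check if a child theme depends on a specific parent version.
add_filter('auto_update_theme', '__return_true');
```

Automatic updates only run when WP-Cron fires, so a site with very low traffic (or with `DISABLE_WP_CRON` set) still needs a real cron job calling `wp-cron.php` for this to be reliable.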
The second option is to have the hosts/developers managing the updates and patches – this should ensure that any issues between different bits of code can be dealt with but there is a cost due to the time required for this which has to be passed onto the client.
Businesses who understand the importance of their website will be willing to pay for the latter but many will go for the automated route (or take the risk of not patching) and then have to deal with costs of recovery.
It is a wider issue, not just with WordPress and online systems, that a typical user will not keep systems up to date and so leaves themselves open to simple attacks.