Hacked sites are never fun, and reading tales like this one from Tim Butler gives great insight into how attackers gain access, since the ways seem limitless. In this case, I enjoyed how Tim was able to track down the point of entry. The compromise was traced to a Gravity Forms vulnerability, even though a fix for it had been released a year earlier. Tim’s statement here I think is important:
Unfortunately despite the widespread publicity to update, this isn’t getting to business owners and non-technical people who don’t know that they need to keep their website updated.
WordPress sites are often left in the hands of non-technical people who either don’t know about site updates or don’t make time for them, which is why these problems keep recurring. Regular backups, regular updates, and a solid host are practices that most site owners can easily be taught, and it’s good to see many developers doing this as they hand off projects.
I honestly don’t think it’s that small business owners don’t make time as much as that many just don’t log in to their site very often. And when they do, they have a specific task and then don’t make time. I think we’ll have a much safer web when we decide it’s okay to enable auto-updates by default — plugins and all. It’ll have to be a smart approach that doesn’t cause site owners to lose their trust in WordPress, but I think it’s inevitable.