In our dealings with the security of websites, one of the biggest obstacles to improving security is that basic security measures are often not taken, while lots of companies are trying to push additional security measures that are not needed in most situations and in many cases are not going to provide additional protection against threats. A major cause of this seems to be that many companies involved in providing security services are not actually concerned about security, whether for their own website or yours. Acunetix provides a good example of this.
Acunetix is the maker of a vulnerability scanner for websites and promotes itself as the “worldwide leader in web application security”. Their scanner has a number of features specifically for looking at vulnerabilities in WordPress, including checking for outdated plugins. Based on all of that, you would expect that they would be making sure to take the basic step of keeping the installation of WordPress running their website up to date, but surprisingly you would be wrong:
It has now been nearly two months since WordPress 3.5.2, which included several security fixes, was released. In the release announcement for that version users were warned:
“This is a security release for all previous versions and we strongly encourage you to update your sites immediately.”
When a company providing the tools to keep websites secure is failing to take care of basic security measures on its own website, it doesn’t bode well for website security improving in the near term.