WordPress presents a conundrum. One reason for its popularity is that the WordPress system makes easy the process of setting up and hosting an interactive website where all kinds of people can post their video, photos, audio, and most cherished thoughts for the world to see. That very trait makes WordPress a favorite target of spammers, site-jackers, porn vendors, and virtual casino moguls.
So how do you invite the world to your party AND keep the undesirables out?
The first thing is to practice safe computing practices whenever you are dealing with your WordPress site. That means, among other things, having strong passwords and never executing any unprotected logins over public WiFi connections (hotels, airports, Starbucks, McDonald’s, etc.).
Accepting comments has risks
A favorite target for those who would use your site to do their mischief is the comments feature so popular in today’s interactive web. What happens is that the “bad guys” comment on a post (if that feature is active) and insert subtle code into the comment or not so subtle links to their sites. Either way, you become a vehicle for advancing their agenda.
What is really scary is how easy it is for you to unwittingly become their servant. Depending on how your site is configured, you might approve a comment they have made. Based on that one approval, the system now recognizes the person writing the comment and gives that person free reign to comment anywhere in your site. MORAL: If you accept comments, be very careful about which ones you approve. The site administrator for your division MUST regularly and carefully review comments and send to spam any comment that is not from known people in your division.
It is possible for one careless comment approval to compromise the entire site for all divisions, so be very circumspect in your approvals.
It also means that if you are responsible for a WordPress site, you keep all your themes and plugins up-to-date. Some themes and plugins are updated frequently, others rarely. For some themes and plugins not updated for a long time (even if there are no known security issues), WordPress managers have removed the older packages from the WordPress download site.
Meanwhile, for those who are interested, the makers of the Wordfence security plugin keep tabs on security issues and report them in their blog.