I got an email the other day from my hosting company, WP Engine, about a potential security issue on my site. This one, unlike so many others that you read about, actually made me feel safer.
It went something like this:
We are contacting you to inform you of a proactive security change we are taking regarding the Jetpack plugin which is used on your site. The Jetpack team has identified that attackers can send spam through the “send to email address” form and they're working on closing this loophole. You can see their findings and recommendations in this forum thread https://wordpress.org/support/topic/jetpack-social-sharing-feature-exploited-to-send-thousands-of-spam-messages
At WP Engine, it is our responsibility to provide our customers with a secure hosting environment. As such, we have temporarily disabled the email sharing feature in Jetpack for our customers. No other sharing endpoints (see: Twitter, Facebook, etc.), sharing plugins or Jetpack functionality has been disabled.
Once the Jetpack team has released a fix, we will re-enable email sharing and notify you that an upgrade is available. Should you have any questions in the interim, please feel free to contact our Support team.
WP Engine Security Team
No More Security Headaches
Wow. I mean wow.
Not only did WP Engine pick up on a potential security issue, they applied a temporary mitigation across all of their sites (switching off the affected feature) that prevents the problem entirely while the real fix is still being written. You don't have to log in anywhere, you don't have to install anything, and you don't have to research anything. Their email was concise: it told me about the potential problem, the steps they were taking to deal with it, and gave me a link for more information if I wanted all of the details. They also promised to send out more information when a permanent fix becomes available.
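If your host doesn't do this for you, you can apply the same kind of mitigation yourself. The snippet below is an added example, not code from the post, from WP Engine or from Jetpack. It assumes that the Jetpack version you are running exposes a `sharing_services_email` filter in its sharing service code (grep your installed copy of `sharing-service.php` for that name before relying on it; older releases, including the one current when this issue was reported, may not have it):

```php
<?php
/**
 * Plugin Name: Temporarily disable Jetpack email sharing
 * Description: Mitigation while the "send to email address" sharing form
 *              is being abused to relay spam. Remove once a fixed Jetpack
 *              release is installed.
 *
 * Install as a must-use plugin (wp-content/mu-plugins/) so it loads on
 * every request and cannot be deactivated from the dashboard.
 *
 * ASSUMPTION: Jetpack consults the 'sharing_services_email' filter when it
 * builds its list of sharing services, and a false result leaves the Email
 * service out of that list. Verify against your installed Jetpack version.
 */

// Returning false tells Jetpack not to register the Email sharing service,
// so the send-to-email form is neither rendered nor processed.
add_filter( 'sharing_services_email', '__return_false' );
```

After dropping the file in place, load a post that had the sharing buttons enabled and confirm the "Email" button is gone while the other services (Twitter, Facebook, and so on) are still there. Delete the file once you have upgraded to a Jetpack release that contains the fix, otherwise the feature stays off indefinitely.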
Here's the thing too many store owners deny: bugs happen. When you write code you introduce bugs. I create bugs, Automattic creates bugs, Facebook creates bugs, even Google creates bugs.
You are ultimately responsible for the code running on your server: not the plugin developer, not the WordPress Foundation, you. If your host or Google determines that you're sending out spam and ruining the internet for everyone else, they're going to shut you down, with or without notice. Either one could stop traffic going to your site for several days or even weeks.
If you run an online store, or even if you just have a brochure website, how much money are you going to lose if your site is down? What are new prospects going to think if you can't even keep your website online? When you have potential security risks, are you actually saving any money using a cheap $10/mo host? It takes just one security issue where your site is hacked or down for a couple of days and then managed WordPress hosting starts to look pretty darn good.
If you run a website you've gotta ask yourself a couple questions: “Am I going to catch every bug?” “Am I going to stop every single hacker?” “Do I feel lucky?” Well, do ya, punk?