What we see over and over when it comes to web security is that security providers don’t take basic security measures with their own websites, which doesn’t give much confidence that they will make sure their customer’s security is handled properly and goes a long way to showing why web security is so bad. We can now add AT&T’s Enterprise division to that group. They provide a variety of security services including security consulting, which they could probably use for their own website as their Security Blog is running an outdated version of WordPress:
Keeping software running a website is a basic security measures as it insures that a known vulnerability in the software can be exploited. In AT&T’s case they have failed to update the software in nearly six months and more importantly they failed to update after WordPress 3.6.1 was released in September. WordPress 3.6.1 fixed three security issues including one that could “lead to remote code execution” and users were strongly encouraged to “update your sites immediately”. Considering how easy it is to update WordPress AT&T doesn’t have an excuse for not doing it.