Today it was reported that website of the JavaScript library jQuery was recently hacked. When a high profile website like this is hacked what is important to find out is how it was hacked, since a high profile websites are sometimes hit with new exploits that will later be exploited more widely and making sure that others are warned early can help to limit further successful exploitation. Unfortunately that has not been determined so far, the article states that “The bad news is that they still don’t know how the compromised happened, so it just might happen again.”.
Right now the jQuery website has a pretty obvious security problem. They are running an outdated version of WordPress:
The next version of WordPress, 3.9.2, which was released on August 6, included a number of security fixes and users were “strongly encourage you to update your sites immediately”. We are not aware of a mass exploitation of those vulnerabilities (or any others in older versions of WordPress in years), but some of the vulnerabilities fixed might be exploitable in a targeted attack. Back in WordPress 3.7, a new feature was introduced that automatically applies maintenance and security updates, like WordPress 3.9.2, so most websites that had been running WordPress 3.9.1 would have been upgraded within a day of the release of 3.9.2. That means that either the jQuery web developers disabled that feature or their server has some issues preventing the automatic updates from occurring. (Those automatic updates can be extended to plugins with our Automatic Plugin Updates plugin.)
Unfortunately the use of outdated software on the jQuery website isn’t an uncommon occurrence, when we looked at data from one of our tools earlier this year we found that 60 percent of WordPress were running a version below the then current version (we also found widespread use of outdated version of Drupal and Joomla.). A good way to keep track of the update status of websites you manage is with our Up to Date? Chrome app.