A survey found that 49 out of 50 WordPress blogs were running old, vulnerable versions of the software.

I asked about WordPress versions this past Saturday night at a blogger meetup I attended, mainly to share my experiences with blogging and to meet other people who blog.
I can unofficially confirm the survey's finding: most of the bloggers I spoke with were running vulnerable versions. When I asked why they had not upgraded, their answers were generally the same:
They had hacked (modified) some of WordPress's core components and feared that upgrading would break their changes. They also could not export their data and re-import it into a new version without significant effort.
So here is a rule I learned while developing business applications, and it applies equally to security:
Don't change the core code of an application, and don't customize it to the point where every new version would need the same customizations re-applied. If you need to extend a COTS (commercial off-the-shelf) application, build a standalone component that talks to the core system through the application's published APIs, so the core can be upgraded as a unit. A modified core is an upgrade you keep postponing, and a postponed upgrade is an unpatched vulnerability.
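As an added illustration of the rule (example code written for this page, not code from the original post or from the WordPress project), here is how three tweaks that bloggers commonly made by editing files under wp-includes/ look when done as a plugin instead. The plugin touches no core file and uses only the stock hook API (`add_filter`, `add_action`), so it survives a core upgrade untouched. The plugin name and the function names are made up for the example; the hook names (`the_generator`, `login_errors`, `send_headers`) are real WordPress hooks.

```php
<?php
/**
 * Plugin Name: Example Core-Untouched Hardening
 * Description: Added example for this page: applies common hardening tweaks
 *              through WordPress hooks instead of editing core files.
 *              Not part of the original post or of WordPress itself.
 */

// Abort if the file is requested directly rather than loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * 1. Hide the WordPress version.
 * The old way was to edit the generator code in wp-includes, which had to be
 * redone on every upgrade. Returning an empty string from the 'the_generator'
 * filter removes the <meta name="generator" ...> tag and the RSS/Atom
 * generator elements, and keeps working after the core is replaced.
 */
add_filter( 'the_generator', '__return_empty_string' );

/**
 * 2. Stop the login form from telling an attacker which half of the
 * credential was wrong. The 'login_errors' filter receives the message
 * WordPress is about to show; we replace it with a generic one.
 */
function example_generic_login_error( $message ) {
    return 'Login failed.';
}
add_filter( 'login_errors', 'example_generic_login_error' );

/**
 * 3. Send a couple of defensive response headers on every front-end request.
 * 'send_headers' fires before any page output, so header() is still allowed;
 * the headers_sent() guard keeps us safe if another plugin has already
 * started output.
 */
function example_send_security_headers() {
    if ( headers_sent() ) {
        return;
    }
    header( 'X-Content-Type-Options: nosniff' );
    header( 'X-Frame-Options: SAMEORIGIN' );
}
add_action( 'send_headers', 'example_send_security_headers' );
```

Drop the file into wp-content/plugins/ and activate it; every change lives in that one file, and a core upgrade replaces wp-includes/ and wp-admin/ without touching it. Before upgrading a site whose history you don't know, it is worth checking whether someone already hacked the core: WP-CLI's `wp core verify-checksums` compares the installed core files against the checksums published for that release and lists any file that differs, which is exactly the customization that should be moved into a plugin before the upgrade.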