Background
Most websites are built from many bits — CMS, plugins, libraries. If anything's out of date, the website inherits the holes. Most hacked WordPress sites are running old plugins, not zero-days.
Questions to ask yourself
- When was our website (or its CMS, plugins, libraries) last updated?
- Who's named as responsible?
- Do we know which third-party libraries the site uses?
- Are old themes or plugins still installed but unused?
For owners — questions to ask your developer
Questions to ask your developer
Outdated components are the most common cause of SME website breaches.
- 01“Can you produce an SBOM — a list of every third-party library we use and its current version?” If they can't produce one, that's a sign nobody's tracking.
- 02“When did we last apply security updates to our CMS, plugins, and libraries? What's our patching cadence?”
- 03Decision: For WordPress sites, move to a managed WP host (WP Engine, Kinsta, SiteGround) that handles patching.