Google Now Warning WordPress Users They Need To Update

If you own a WordPress website and you haven’t updated your WordPress version lately, you might be getting a warning soon. And no, this is not the warning you get when you open the WordPress CMS; it is a warning from Google.

Last week the first people started noticing that Google had sent them a message within Google Webmaster Tools saying they should update their WordPress versions. I myself today got an e-mail from GWT saying one of my sites needs an update.

The e-mail or message in Webmaster Tools tells you that your site appears to be running an older version of WordPress and that you should update, because otherwise your site may be vulnerable to hacking or malware.

When asked through Twitter about the messages, Matt Cutts responded that it was in fact a new policy from Google.

The fact that Google is ‘pushing’ the updates is remarkable but also makes sense. WordPress sites that have not been upgraded are fairly easy to hack and are therefore a possible source of webspam in the SERPs.

If you are thinking: “how does Google know I am not running the latest version?” the answer is simple: it is in your code, which anybody can see by using “view source”.
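An added example (not from the original post): a check you can run over your own site's saved HTML to see what it discloses, looking at the generator meta tag and the `ver=` query strings that the comments below mention. The sample pages, the `audit` helper and the "3.2" stand-in for the current release are assumptions made for illustration.

```python
import re
from collections import Counter
from html.parser import HTMLParser

VER_PARAM = re.compile(r"[?&]ver=(\d+(?:\.\d+)+)")
VERSION = re.compile(r"\d+(?:\.\d+)+")

class VersionLeakParser(HTMLParser):
    """Records where a page's HTML discloses a WordPress version."""
    def __init__(self):
        super().__init__()
        self.generator = None            # version from <meta name="generator">
        self.asset_versions = Counter()  # ver= values on script/link URLs

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            m = VERSION.search(a.get("content", ""))
            if m and "wordpress" in a["content"].lower():
                self.generator = m.group(0)
        elif tag in ("script", "link"):
            m = VER_PARAM.search(a.get("src") or a.get("href") or "")
            if m:
                self.asset_versions[m.group(1)] += 1

def as_tuple(version):
    return tuple(int(part) for part in version.split("."))

def audit(html, latest):
    """Return what the page discloses and whether it is behind `latest`."""
    p = VersionLeakParser()
    p.feed(html)
    # Heuristic (assumption): assets enqueued without their own version get the
    # core version appended, so the most frequent ver= value is likely core.
    inferred = p.asset_versions.most_common(1)[0][0] if p.asset_versions else None
    seen = p.generator or inferred
    outdated = seen is not None and as_tuple(seen) < as_tuple(latest)
    return {"generator": p.generator, "inferred": inferred, "outdated": outdated}

# Constructed sample pages: 3.1.3 is the version quoted in the comments,
# "3.2" stands in for whatever the current release is.
HIDDEN = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/example/style.css?ver=3.1.3">
<script src="/wp-includes/js/jquery/jquery.js?ver=1.4.4"></script>
<script src="/wp-content/plugins/example/a.js?ver=3.1.3"></script>
</head><body></body></html>"""
WITH_TAG = '<meta name="generator" content="WordPress 3.1.3" />\n' + HIDDEN

if __name__ == "__main__":
    print(audit(WITH_TAG, "3.2"))
    print(audit(HIDDEN, "3.2"))
```

The second sample has no generator tag, yet the audit still reports the same version, which is why removing the tag is no substitute for updating.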

WordPress expert Joost de Valk is happy with the new policy:

“I think it’s awesome that Google is sending out these messages and urging people to upgrade. I deal with hacked blogs on a regular basis, often because I’ve been hired in a “hey, we’ve lost all our search traffic!!” panic. Upgrading WordPress and the plugins within is the best way of keeping secure, next to making sure you have decent backups of your database and files.”

It does look like this is part of something which Google decided to do two years ago, but maybe that never really got off the ground. Maybe that is what Matt means by “fresh run”.

Bas van den Beld

About Bas van den Beld

Bas van den Beld is an award winning Digital Marketing consultant, trainer and speaker. He is the founder of State of Digital and helps companies develop solid marketing strategies.

45 thoughts on “Google Now Warning WordPress Users They Need To Update”

    1. I use the plugin WordPress SEO from Yoast where you can hide the WordPress generator by checking the box in the indexation –> clean up section part. This also works great.

    2. All of the WordPress exploit code I’ve seen doesn’t look at your version number. It just tests the exploit. And even if you hide the generator meta tag in your theme, people can still tell which version you’re running. You’re running 3.1.3, for instance.

    3. Mark knows whereof he speaks from here. Hiding your generator tag does nothing. Hackers don’t look for it or care, they probe for vulnerabilities more directly (usually using vulnerable plugins), or they just run a ton of known exploits against your site hoping one of them will work. They don’t care about the version number, at all.

      Also, it’s easy to tell your version even hiding the generator tag. Heck, I wrote a piece of code that does just that. Mark then went and wrote a better one, I believe. 😉

  1. This is why people need to ensure they have a Service Level Agreement (SLA) with their web provider. As a business owner you should not need to worry about the point version of your CMS.

    If you don’t know whether your agency is updating your CMS regularly, then send them an email today and make sure your assets and your customers are protected from malware attacks. Your brand will be irreparably damaged if a customer is infected with malware after a hacker has compromised your site.

  2. A single question lingers on my mind: how do we opt out of this service?

    Last time I checked, I haven’t elected Google the system administrator of the WWW.

  3. @Z – Google Webmaster Tools is a service you need to manually sign up for, your comment doesn’t make sense in this context.

    @Brad – with the vast majority of hosts you are in charge of what you install on their hosting service, which is exactly as it should be.

    @David & @Jacco – the only thing that hiding the WP version number does is make it harder for people who notice to let you know that you need to update. Most hacking is bot driven that simply runs through the exploits to see if you are vulnerable. If you are going to do it though, you might as well actually hide your versions. Neither of you did so:

    @Bas “also makes sence” – should be “sense”

      1. Well, ok, but my point wasn’t that you guys needed to do *more* to hide your version. As I said earlier, it’s rather a pointless thing to do really. It’s a concept called “security through obscurity”, and it is very weak to say the least, especially with WordPress. Besides, you can still see the versions. View the source in your html, and look at the query strings at the end of your calls.

        1. Michael,

          You are, of course, right. As soon as I posted my original reply I realised the error of what I was saying – if you’re going to the job of hiding your version (as I was attempting) you’re probably keeping it up to date anyway. What mad person would keep it out-of-date but go to the effort of improving security by hiding the version number?


  4. Security is an issue that unfortunately most WordPress designers and developers ignore (not intentionally, but because they are more focused on what their clients ‘see’: the design and development rather than the ‘unseen’). This is the reason why we at provide security audits and secure WordPress websites for designers BEFORE they deliver a site to their clients. This is much easier and far less expensive than de-hacking a WordPress site (which we do regularly).
