Updated Abridged Version:
- Keep all of your scripts up-to-date at all times without exception. Examples of scripts: WordPress, Joomla, Magento, Drupal, etc...
- If you are not using a script, uninstall it. A script you are not actively using is likely to become severely outdated and, as such, become a severe security risk to your entire account.
- If you are running any plugins / themes / extensions / hacks / modifications, keep them up to date. It's a common misconception that because a plugin is "inactive" or "disabled" it cannot be used against you; this is incorrect. If you are not going to use it, remove it, or at the very least keep it up to date.
- Services such as Sucuri are a great supplement but are not a replacement for keeping your software updated and secure. Any malware scanning service will only be able to act after the damage has been done.
Here are a few examples of why you should stay up to date whenever possible:
Millions of websites hit by Drupal hack attack (BBC News)
Such exploits/issues can occur with any software platform [not just Drupal] but this one particular incident highlights why it's important to keep things up to date.
Many hosting customers do not realize the issues caused by running outdated scripts and insecure plugins, as most do not deal with compromised accounts on a regular basis. It's a misconception that the server has to be insecure for an account to be compromised. Any account running an outdated script, plugin, or theme can easily be exploited and then used for purposes not intended by the webmaster such as sending SPAM or outbound DoS attacks.
When a script is updated, it is not only done to release new features. Releases often patch SQL injection and other vulnerabilities that give attackers the opportunity to gain access to your script, your account, and your file system. When an attacker uses one of these exploits, more often than not they are not doing it just to destroy your site. An attacker will usually leave your site alone so as not to attract attention, and then upload malicious files such as a spam script or DoS script.
Recently we have had a large number of accounts that have been compromised due to outdated or unused scripts, and the attackers are uploading attack scripts to the servers. As our servers have ultra-high-speed connections (1,000 megabit) this makes them a perfect tool for taking others offline - and means that our entire network and all of our customers suffer when an attacker uses one of our servers to perform outbound attacks.
You may think that it's not going to happen to you or that it's a rare occurrence, and I assure you that it's not. We have suspended no less than 10 accounts over the last 24 hours due to outbound attacks and compromised scripts. We do perform a full server security audit every time we investigate one of these cases to ensure the issue isn't something on our end, and those investigations have all come back clean.
Please check your account(s) and make sure that all of your scripts, plugins, and themes that you are using are UP TO DATE and that you've removed any that you are not actively making use of. Just because a plugin is "disabled" or a theme is not in use does not mean that it cannot be used against you by an attacker. Any accounts found to be sending outbound SPAM or DoS attacks can potentially be permanently suspended. If you've ever installed a script "just to test" or to mess around with it, it is VERY important that you remove that script or make sure that it's fully up to date.
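As an added illustration of the check described above (not part of this notice), the following script inventories a WordPress wp-content/plugins directory by reading each plugin's "Plugin Name:" and "Version:" headers, then flags plugins that are behind a known latest version or that are installed but not in the site's active list. The plugin tree, the latest-version table and the active list are constructed inside the script for demonstration; on a real account you would point it at your plugins directory and feed it the site's active_plugins option.

```python
import re
import tempfile
from pathlib import Path

# WordPress plugin headers live in a comment block at the top of the plugin's
# main PHP file, e.g. "Plugin Name: Foo" and "Version: 1.2.3".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

def parse_version(v):
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def inventory_plugins(plugins_dir):
    """Return {slug: (name, version)} for every plugin directory under plugins_dir."""
    found = {}
    for slug_dir in sorted(Path(plugins_dir).iterdir()):
        if not slug_dir.is_dir():
            continue
        for php in slug_dir.glob("*.php"):
            fields = dict(HEADER_RE.findall(php.read_text(errors="replace")[:8192]))
            if "Plugin Name" in fields:
                found[slug_dir.name] = (fields["Plugin Name"], fields.get("Version", "0"))
                break
    return found

def audit(installed, latest, active):
    """Flag each installed plugin as OUTDATED and/or INACTIVE (disabled is still reachable on disk)."""
    report = {}
    for slug, (_name, ver) in installed.items():
        flags = []
        if slug in latest and parse_version(ver) < parse_version(latest[slug]):
            flags.append("OUTDATED")
        if slug not in active:
            flags.append("INACTIVE")  # remove it, or keep it patched like an active one
        if flags:
            report[slug] = flags
    return report

def build_fixture(root):
    """Write a constructed plugins tree with three sample plugins (hypothetical names)."""
    samples = {"alpha-forms": ("Alpha Forms", "2.0.1"),
               "beta-gallery": ("Beta Gallery", "1.4.0"),
               "old-test-plugin": ("Old Test Plugin", "0.9")}
    for slug, (name, ver) in samples.items():
        d = Path(root) / slug
        d.mkdir(parents=True, exist_ok=True)
        (d / f"{slug}.php").write_text(f"<?php\n/*\nPlugin Name: {name}\nVersion: {ver}\n*/\n")
    return root

def run_demo():
    """Audit the constructed tree against a constructed latest-version table and active list."""
    with tempfile.TemporaryDirectory() as tmp:
        installed = inventory_plugins(build_fixture(tmp))
        latest = {"alpha-forms": "2.0.1", "beta-gallery": "1.5.2", "old-test-plugin": "1.0"}
        active = {"alpha-forms", "beta-gallery"}
        return audit(installed, latest, active)
```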
We are taking this issue very seriously as it's been causing network outages to individual servers periodically as an attack crops up and we have to identify the source and disable the account. This is bad for the customer whose script is exploited, bad for others on the same server as we may have to temporarily disable the network while we find the culprit, and bad for our entire network as the traffic and packet flows can cause slowness and packet loss.
In the event that your account is compromised due to outdated software, you may want to look at the services offered by Sucuri Security to clean up the malware. Once the malware has been cleaned from the account - you will still need to ensure that the account is secure [i.e. software updated, strong passwords, etc].
If you have any questions at all about this, please let us know.