A recent update to the WordPress security plugin confirmed that hosting providers were still running software on Windows and Macs that were not secure enough.
WordPress security plugin updates this week fixed several security issues, including the use of a malicious Java plugin that could remotely execute code.
That included a Java plugin called JShell.
The plugin was first reported last year and was widely used by attackers to access a user’s computer through the web browser.
A version of JShell that was also used to target WordPress blogs was later found in the wild and had been modified to allow remote code execution.
Security experts said the update showed that hosting companies still use a variety of insecure software that is not properly vetted.
“I believe they continue to use a large amount of insecure and unsupported software.
I believe that is the case, but it’s a fact,” said Matt Wood, chief security officer at security firm Avast.
“They still continue to rely on insecure and untested software and I don’t believe that’s going to change anytime soon.”
Wood said there are many ways that attackers could bypass security measures that protect WordPress websites.
Wood said he is confident that many hosting companies are now using some of the secure software that was previously tested and validated by antivirus vendors.
“If you’re a hosting company and you have a large amount of malware that is just getting into the systems and being used to infect people, then you need to be vigilant and aware of the way you’re operating,” he said.