Recent cases of hacking all used the same exploit...

[TopSage]

both done through SQL Injection which is quite simple.

These web masters of the hacked site fail to upgrade their software to
close a long standing bug.

The hacks are done via a 2 step process:

1. SQL Injection Scanners such as SQLIer – SQLIer takes a vulnerable URL and attempts to determine all the necessary information to exploit the SQL Injection vulnerability by itself, requiring no user interaction at all.

2. Once the SQL vulnerability is found it is a matter of injecting malicious code into the system.

 

[Leongsam]

That's what happens when sites are built using open source software. If you don't stay on top of the revision upgrades and patches, the site becomes vulnerable very quickly as information regarding the security hole spreads like wildfire.

I made the same mistake at the beginning and started a couple of forums using SMF in order to save money. They were hacked within months and it taught me a valuable lesson.

Even vbulletin add ons and plug ins can contain vulnerable code.