If you are concerned about WordPress security, the second most important thing you can do to keep your WordPress site secure is to keep the software up-to-date. This includes the WordPress core software along with plugins and themes. Having a solid, recent backup of the site is the first step in protecting your site, because a backup protects against more than just hackers: it is also how you recover the site if a server crashes. Aside from having a valid backup, keeping the site up-to-date is the next most important step for keeping the site secure.
In July of 2014, I wrote a post on WordPress security and the importance of keeping software up-to-date, and provided some checklists for website maintenance – Checklists for Daily and Monthly WordPress Website Maintenance. Based on a series of recent updates triggered by security vulnerabilities, along with a few sites I love having been hacked when those vulnerabilities were exploited, it’s time to revisit this topic.
One of the major reasons software updates are released is to fix security vulnerabilities. When a vulnerability is discovered, the developers work quickly to update the software and remove that vulnerability. This is particularly true when you see an incremental update rather than a major release.
Incremental Updates are Often Security Releases
WordPress 4.2 was released in April 2015. The next major release, 4.3, is due in August of 2015. Incremental releases like 4.2.2, 4.2.3, and 4.2.4 are updates to the major release. These updates provide bug fixes and security fixes. They are not feature releases. Major releases may also include security fixes and bug fixes, and they usually add new features. For example, the ability to add a favicon from the WordPress dashboard instead of needing a plugin will be part of the upcoming 4.3 release.
The latest WordPress update, 4.2.4, released on August 4, 2015, was issued specifically to fix a security vulnerability. The WordPress website describes the release as, “On August 4, 2015, WordPress 4.2.4 was released to the public. This is a security update for all previous WordPress versions.”
This is the WordPress team telling you, “Hey. Update your site. It’s important.”
Check for Plugin and Theme Updates
It is also important to check for available theme and plugin updates. From the Dashboard, when you hover over the Dashboard menu item, you will see an option titled Updates. A red circle next to it displays the number of updates available for your site.
Click on Updates to visit the Update screen where you can update your core software, plugins, and themes. You will also see the circle with numbers next to Plugins and Themes on the Dashboard menu, if updates are available for those items.
Note that some premium themes and plugins may not work with the updater.
Research Out of Date Plugins with No Update Available
If major updates are occurring within the WordPress core software, and you have plugins that haven’t been updated recently, it’s time to research them further. Just because an update isn’t available doesn’t mean the plugin doesn’t need to be updated for security purposes. Some plugins may not require updating, but many of them might.
For example, earlier this year as security vulnerabilities were being discovered and fixed within the WordPress development community, we noticed that our cformsII plugin that was controlling the contact forms had not been updated in quite a while. We found that the author was no longer supporting it, and it did have some security vulnerabilities, so we moved to a different contact form plugin.
Note that cformsII has been forked (taken over by other developers into a new version), and an updated, secure version is available in the WordPress.org directory under the name cforms2.
How to Successfully Update WordPress
While it is important to keep your site up-to-date, it is also important to realize that there is risk in updating software. Plugins or themes may not be compatible with the update and this can break your site. The best thing to do is run a backup before updating.
Steps for a Successful Update
- Back up your website. I like to make sure that the content and WordPress core, plugins and themes are included in this backup because it makes restoring the site faster, if necessary. Many backup plugins only back up the site files and content, not WordPress core. While the core software can be installed and then the restore completed, it is an extra step that takes more time. When their sites are down, most people want them restored ASAP.
- Run the updates (WordPress core, plugins and themes).
- Test the site.
- If all works well – great. If something breaks, document the issues and restore the site from the backup you just made (or deactivate the problem plugin or theme, if possible).
Alternatively, if you have a large site with many plugins, you may want to back up the complete site and migrate it to a test installation. Run the updates on the test installation and then test the site. If everything works, you can update the live site. If it doesn’t work, you can troubleshoot on the test installation and never experience downtime on your live site.
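As an added example (not code from the original post), here is the backup, update, test, roll back procedure above as a WP-CLI script. It assumes WP-CLI is installed on the server, and the site path, backup directory and list of pages to check are placeholders you set for your own site.

```shell
#!/bin/bash
# Added example (not from the original post): back up, update and smoke-test a
# WordPress site with WP-CLI, restoring the backup if a page breaks afterwards.
# WP_PATH, BACKUP_DIR and CHECK_URLS are placeholders; set them for your site.
set -eu
WP_PATH="${WP_PATH:-/var/www/example.com}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wp}"
CHECK_URLS="${CHECK_URLS:-https://example.com/ https://example.com/contact/ https://example.com/shop/}"

# Step 1: full backup, site files (core, plugins, themes, uploads) and database.
backup_site() {
  local stamp; stamp="$(date +%Y%m%d-%H%M%S)"
  mkdir -p "$BACKUP_DIR"
  wp --path="$WP_PATH" db export "$BACKUP_DIR/db-$stamp.sql" >&2
  tar -czf "$BACKUP_DIR/files-$stamp.tar.gz" -C "$WP_PATH" .
  echo "$stamp"
}
# Step 2: apply core, plugin and theme updates.
run_updates() {
  wp --path="$WP_PATH" core update
  wp --path="$WP_PATH" core update-db
  wp --path="$WP_PATH" plugin update --all
  wp --path="$WP_PATH" theme update --all
}
# Check one page body: fail on an empty response or on the error screens
# WordPress and PHP show when an update has broken something.
check_page_body() {
  case "$1" in
    ""|*"There has been a critical error"*|*"Fatal error"*|*"Error establishing a database connection"*) return 1 ;;
    *) return 0 ;;
  esac
}
# Step 3: test several pages (home, contact form, shop), not just the home page.
smoke_test() {
  local url
  for url in $CHECK_URLS; do
    check_page_body "$(curl -fsS "$url" || true)" || { echo "FAILED: $url" >&2; return 1; }
  done
}
# Step 4: put the backed-up files and database back.
restore_site() {
  tar -xzf "$BACKUP_DIR/files-$1.tar.gz" -C "$WP_PATH"
  wp --path="$WP_PATH" db import "$BACKUP_DIR/db-$1.sql"
}
main() {
  local stamp; stamp="$(backup_site)"
  run_updates
  smoke_test || { echo "Rolling back to backup $stamp" >&2; restore_site "$stamp"; exit 1; }
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `./update-site.sh --run` from a shell with WP-CLI available; the rollback restores files and database exactly as they were before the update.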
Test Multiple Pages and Plugins like Shopping Carts
When checking the site, don’t just look at your homepage. Visit multiple pages. Test your opt-in forms, and if you run a shopping cart, check that it is working.
We had a case where a site with many plugins and WooCommerce extensions broke after updating WordPress and WooCommerce. In testing, we found that the Ship to Multiple Addresses extension was causing the issues. We disabled that extension and kept the site running. Fortunately, an update to that extension was released, and we were able to have a working site without keeping that feature disabled.
WordPress Auto Updates – The Benefits and Challenges
In WordPress 3.7, the ability to automatically update some types of releases, including security releases, was implemented in the software. The major benefit of this functionality is that when a security release is published, your site will be automatically protected because the update will be applied without you having to take action. Of course, the problem is that when a release breaks something, you are stuck having to stop and fix the site.
Automatic updates can be turned off in WordPress by editing the wp-config.php file. Note that some web hosts run their own update process, independent of WordPress’s, so changing this file may not have the effect you expect, depending on your hosting situation.
To turn off automatic updates, you may follow the steps in the WordPress Codex. Please note that this is an intermediate topic. You will need to use an outside program like the File Manager within your web hosting account or an FTP/SFTP program to access and change the file. Make sure that before changing the file, you create a backup of it. A broken wp-config.php file can take down the whole site.
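As an added example (not from the original post or the Codex), this script reads the auto-update policy a wp-config.php currently sets and changes it with WP-CLI after backing the file up. AUTOMATIC_UPDATER_DISABLED and WP_AUTO_UPDATE_CORE are the real constants WordPress reads; WP-CLI on the server is an assumption, paths are placeholders, and the hosting caveat above still applies.

```shell
#!/bin/bash
# Added example (not from the original post): read and change the WordPress
# auto-update policy stored in wp-config.php. AUTOMATIC_UPDATER_DISABLED and
# WP_AUTO_UPDATE_CORE are the constants WordPress itself reads; WP-CLI is
# assumed for writing, and paths are placeholders.
set -eu

# Print the value set by a define('NAME', value); line, or nothing if absent.
config_value() {
  local file="$1" name="$2"
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$name['\"][[:space:]]*,[[:space:]]*\([^)]*\));.*/\1/p" "$file" \
    | head -n 1 | tr -d "'\" "
}

# What the constants mean for core updates:
#   AUTOMATIC_UPDATER_DISABLED true       -> nothing updates automatically
#   WP_AUTO_UPDATE_CORE true              -> all core releases, major and minor
#   WP_AUTO_UPDATE_CORE false             -> no core auto-updates
#   WP_AUTO_UPDATE_CORE 'minor' or unset  -> minor (security) releases only, the default
auto_update_policy() {
  local file="$1" disabled core
  disabled="$(config_value "$file" AUTOMATIC_UPDATER_DISABLED)"
  core="$(config_value "$file" WP_AUTO_UPDATE_CORE)"
  if [ "$disabled" = "true" ]; then echo "all-disabled"; return; fi
  case "$core" in
    true)  echo "all-core" ;;
    false) echo "core-disabled" ;;
    *)     echo "minor-only" ;;
  esac
}

# Change the core policy with WP-CLI after backing up wp-config.php, because a
# broken wp-config.php takes the whole site down. 'minor' keeps the channel that
# security releases such as 4.2.4 arrive on; false turns core auto-updates off.
set_core_auto_update() {
  local wp_path="$1" value="$2"   # value: true | false | minor
  cp "$wp_path/wp-config.php" "$wp_path/wp-config.php.bak-$(date +%Y%m%d-%H%M%S)"
  if [ "$value" = "minor" ]; then
    wp --path="$wp_path" config set WP_AUTO_UPDATE_CORE minor --type=constant
  else
    wp --path="$wp_path" config set WP_AUTO_UPDATE_CORE "$value" --raw --type=constant
  fi
}
```

Check what a site does today with `auto_update_policy /path/to/wp-config.php` before changing anything; leaving minor releases on is the option that keeps security fixes arriving unattended.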
If you are going to use WordPress auto-update, it is very important to make sure you have a site backup so that you can restore the site, if necessary. I recommend a complete backup (software included) for faster restoration.
Consider Outsourcing Your Site Maintenance
If you want to make sure backups are run, keep your site updated, and have help with your Maintenance Checklist tasks, then you may want to consider outsourcing these tasks. wpRadius is dedicated to supporting website owners by handling maintenance tasks like managing backups, running security scans, updating the site and returning it to its previous state, if necessary, and monitoring the uptime of your site.
Join in next week for Part 2 of this series where we’ll cover tools and services that can help keep your site updated, maintained, and secure.