I was asked the following question today:
Would you recommend that whenever a WordPress update is issued its users should upgrade their website immediately?
My answer is a resounding YES.
Why Update WordPress?
WordPress updates are often issued to fix security vulnerabilities. Once an update is out, the hole it patches is public knowledge, and automated scanners start looking for sites that have not applied it yet. My favorite podcast, SEO 101, recently noted that if you do not update your self-hosted WordPress software frequently, you are just about guaranteed to get hacked at some point.
Say “Bye-Bye” to Google!
When your website gets hacked, not only can you lose valuable content and prospects, you can also lose your position in search engine rankings. Google flags sites that serve malicious code and can drop them from its index, so if a hacker places such code on your site, you can say “bye-bye” to your placement in Google until the site is cleaned up.
So, YES, YES, YES! Update your WordPress software AND plugins immediately whenever possible.
Plugins need to be updated, too?
YES. WordPress plugins are also a source of security holes, often more so than the WordPress software itself. Choose plugins carefully: positive reviews help, but the better signals are that the plugin was updated recently and is tested with the current WordPress version (both are shown on its plugin page). Remove any plugin you are not using, since a deactivated plugin’s files are still on the server and may still be reachable, and update the rest as soon as new versions appear.
There is also a WordPress plugin called “WordPress Firewall 2” by Matthew Pavkov that is meant to help thwart attacks on your site. It has a lot of good reviews, so it may be worth adding, but check its last-updated date first: a security plugin that is no longer maintained can stop working with new WordPress releases and becomes one more piece of unpatched code on your site.
“But I’m Afraid I’ll Break It!”
A valid concern many people have is the fear that strikes when they go to click that “update” button. Sometimes updates aren’t compatible with existing themes or plugins on a site, and the update can break things. WordPress does not provide a built-in way to “roll back” an update, so it can be scary to go ahead and press that button.
It doesn’t have to be that scary, though. Back up both your site files and your database immediately before updating, and keep that backup somewhere outside the web root. If the update causes issues, restoring the two puts you back exactly where you were, which is the roll-back WordPress itself doesn’t offer. The database matters as much as the files: an update can change the database schema, so restoring old files on top of a new database does not give you a working site.
There are plugins to assist with backups, or you can enlist a WordPress developer (ahem, me) to back it up for you and be on standby to roll things back “just in case”. Many developers (ahem, me) offer a monthly service to take care of your WordPress updates and backups for you, to ensure that your site (and Google rankings) stay as safe as possible.
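As an added example that is not part of the original post (and not a plugin): a small shell script that takes the backup described above, files and database together, and restores it if the update goes wrong. It assumes shell access to the host, the mysql and mysqldump clients, and a standard wp-config.php with define('DB_NAME', ...) style settings; the script name, the site and backup paths in the usage line, and the sample wp-config.php used by the self-check are made up for illustration.

```shell
#!/bin/sh
# wp-snapshot.sh (illustrative, not from the post): take a files + database
# snapshot of a self-hosted WordPress site before pressing "update", and
# roll back to that snapshot if the update breaks the site.
# Assumes: shell access to the host, the mysql/mysqldump clients, and a
# standard wp-config.php with define('DB_NAME', ...) style settings.
set -eu
umask 077   # dumps contain the DB password and all content: owner-only files

# Extract one define('KEY', 'value') setting from wp-config.php.
# Handles single or double quotes but not values with escaped quotes,
# which the file WordPress generates does not contain.
wp_db_setting() {
    sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Write a MySQL option file so the password is never passed on the
# command line (where `ps` would show it to every user on the host).
wp_mysql_defaults() {
    local config="$1" out="$2" host port=""
    host=$(wp_db_setting "$config" DB_HOST)
    case "$host" in *:*) port="${host##*:}"; host="${host%%:*}" ;; esac
    {
        printf '[client]\n'
        printf 'user=%s\n' "$(wp_db_setting "$config" DB_USER)"
        printf 'password=%s\n' "$(wp_db_setting "$config" DB_PASSWORD)"
        printf 'host=%s\n' "$host"
        if [ -n "$port" ]; then printf 'port=%s\n' "$port"; fi
    } > "$out"
}

# wp_backup SITE_DIR BACKUP_DIR -> prints the snapshot stamp
wp_backup() {
    local site="$1" dest="$2" stamp cnf
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"
    cnf=$(mktemp)
    wp_mysql_defaults "$site/wp-config.php" "$cnf"
    # --defaults-extra-file must be the first option. Dump to a plain file
    # first so a failed dump aborts the script (set -e) instead of leaving a
    # half-written archive behind a pipe whose failure would go unnoticed.
    mysqldump --defaults-extra-file="$cnf" --single-transaction --routines --triggers \
        "$(wp_db_setting "$site/wp-config.php" DB_NAME)" > "$dest/db-$stamp.sql"
    rm -f "$cnf"
    gzip -f "$dest/db-$stamp.sql"
    tar -C "$(dirname "$site")" -czf "$dest/files-$stamp.tar.gz" "$(basename "$site")"
    echo "$stamp"
}

# wp_restore SITE_DIR BACKUP_DIR STAMP: move the broken tree aside (never
# delete it), unpack the snapshot, then reload the database from the dump.
wp_restore() {
    local site="$1" dest="$2" stamp="$3" cnf
    mv "$site" "$site.failed-$(date +%Y%m%d-%H%M%S)"
    tar -C "$(dirname "$site")" -xzf "$dest/files-$stamp.tar.gz"
    cnf=$(mktemp)
    wp_mysql_defaults "$site/wp-config.php" "$cnf"
    # The dump carries DROP TABLE statements, so every dumped table is replaced
    # wholesale; tables the failed update created and the dump never saw remain.
    gzip -dc "$dest/db-$stamp.sql.gz" | mysql --defaults-extra-file="$cnf" \
        "$(wp_db_setting "$site/wp-config.php" DB_NAME)"
    rm -f "$cnf"
}

# Self-check on a constructed wp-config.php (not a real site's file): prints
# the option file the parser produces from it.
wp_selfcheck() {
    local dir
    dir=$(mktemp -d)
    cat > "$dir/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wp_site' );
define('DB_USER', "wp_user");
define( 'DB_PASSWORD', 'correct horse battery staple' );
define( 'DB_HOST', 'db.internal:3307' );
$table_prefix = 'wp_';
EOF
    wp_mysql_defaults "$dir/wp-config.php" "$dir/client.cnf"
    cat "$dir/client.cnf"
    rm -rf "$dir"
}

case "${1:-}" in
    backup)  wp_backup "$2" "$3" ;;
    restore) wp_restore "$2" "$3" "$4" ;;
    check)   wp_selfcheck ;;
    *)       echo "usage: $0 backup SITE_DIR BACKUP_DIR | restore SITE_DIR BACKUP_DIR STAMP | check" >&2 ;;
esac
```

Run `./wp-snapshot.sh backup /var/www/example /var/backups/example` right before clicking “update”; the stamp it prints names the snapshot, and `restore` with that stamp puts files and database back. Two details matter for security: the database password goes through a 0600 option file rather than the command line, and the backup directory should sit outside the web root, because anything under the site folder is downloadable by anyone who guesses the file name. Do one trial restore on a test copy so that the first real rollback is not also the first time the restore has ever been run.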
Thank you!
A big thank you to Ruby from Hill PCI Group and Chris from Acme Control Service for the great discussion that spawned this post. Follow them on Twitter for more great conversation: @HillPCIGroup and @AcmeControls
Your Experience? More Questions?
Please share your experience with WordPress updates, plugins, or website security breaches in the comments below. Have more questions about this? Put them in the comments below, too.
Wow what a quick and detailed response this is! I will update ours today right away, and will check the plug-in that you mentioned as well. Oh, and thanks for the mention!
Always appreciate your support and all the valuable marketing tips you give us.
Likewise, Ruby! Thanks for all the kind words you share with people about me. I appreciate it so much!
I can honestly say I’ve experienced 2 of the above consequences of not updating my WordPress site right away.
1) I ignored a wp update, got hacked, and had a site removed from the Google index for about 3 business days. It was terrifying and impossible to explain to the site owner. Even my clients who don’t pay me for maintenance get wp updates now.
2) The most recent wp update didn’t play friendly with Genesis Simple Hooks plugin and caused some major issues in the admin panel. Simple to fix but made my heart stop for just a moment nonetheless.
Thanks for sharing, Pam!
Thanks for sharing your experience, Heather! Unfortunately, what happened to you is a real world example of the risks involved in ignoring updates and neglecting to back up the site. I’m glad you got it all straightened out.
Thank you so much for answering this question that I didn’t even know I had! I always stare at those update notifications for a long time before taking the plunge. Now I’m going to do it immediately.
I’m so glad you found this useful. Thanks for the feedback.
Risk reduction is the name of the game. Follow these steps and you lower your risk floor significantly:
1. Keep software updated – There is a reason patches are released. Not only for awesome new features, but to fix bugs and security vulnerabilities.
2. Remove it if you’re not using it – Ever install a dummy WordPress instance for testing? Then you leave it there? It sits there for a couple of years? Ya, don’t do that. You end up putting everything at risk. Remove it, or at minimum go back and read step 1 🙂
3. Reduce access – Don’t give everyone admin access, and remove the ability for people to access your logins when not needed. This means WordPress, FTP, even your databases. Give folks enough to do their job, nothing more, and remove it when they are done!
Above and beyond that, you can add the ability to stop more than 3-4 failed login attempts on your wp-admin by using something like Limit Login Attempts. This will reduce the risk of someone trying to brute force your login.
4. Passwords – Be unique!!! Use long pass-phrases like the lyrics to your favorite Notorious BIG song. Use different pass-phrases across your different logins. Another great approach is to not know your passwords at all and let a password management tool like LastPass do the heavy lifting. It stores them securely, and even helps make them for you without you even knowing them.
Beyond that, most of the practices you hear about like removing admin or changing your database prefix are not extremely helpful. They are definitely obscure practices that may thwart a script kiddie from doing damage, just don’t fool yourself into thinking it’s an extreme help against modern automated attacks which scan for specific vulnerabilities and weak passwords. It is indeed about reducing risk so we don’t discount these practices altogether.
Most of the security plugins that do, or say they do, anything above and beyond but don’t hit these areas, I’d really weigh their value. In a lot of cases they give a false sense of security with buzz words and OMG tactics. Others are more for auditing and tracking down issues that may have occurred, which do bring value, but won’t be very helpful in reducing risk.
Sorry for the rant, good post!
Just a quick point – that WordPress Firewall 2 plugin doesn’t seem to have been updated for 2 years, so may not play nicely with the latest WordPress? Does anyone know of a good firewall that’s being updated? I tried Wordfence, but it slows my server when doing scans!
Check out Sucuri’s Web Application Firewall (WAF)
Hey Pam, thanks for the post… I’ve got a cool tip for your readers too!
When you’re updating your plugins and WordPress core, the site displays a boring white screen saying ‘Under Maintenance’. Now this can display for seconds or a number of minutes depending on how your server is set. This doesn’t look great to any site visitors.
All you need to do is to create a maintenance.php file and add this into your /wp-content/ folder. You can simply add whatever PHP and HTML you like in here 🙂
Just remember that WordPress isn’t loaded at this time so don’t add any WordPress PHP… and hey presto… a cool little fix for all your Pam Ann Marketing readers!