There has been a lot of news about WordPress security breaches lately, so we want to take a moment to look at why keeping your plugins, themes, and WordPress core up to date is one of the basic steps toward securing your website. This is not an exhaustive list that will make your WordPress site hacker-proof, but a few easy wins that help keep you safe.
Why Is WordPress Security Important?
In general, website security should concern you whether you are on WordPress or not. A site that gets hacked leads to a loss of trust from your users, which in turn leads to a loss of revenue. If you store any kind of information about your users and are not serious about your WordPress security, you are effectively saying that you are fine with an attacker coming in and taking all of your users' private information.
We doubt that you really feel that way, so let's look at some small, easy ways to reduce the chance of a successful attack.
Keep WordPress Core Updated
WordPress releases small patches (minor and security releases) fairly often, and these can be installed automatically. Since WordPress 3.7 the update model has been structured so that only major releases, which can contain breaking changes, are left for you to install manually. Newer versions of WordPress also let you opt into automatic major updates from the Dashboard > Updates screen, so check what that setting says for your site.
Even though automatic updates are available, we think they are not always the best choice. This is mainly a control issue: you want to know exactly what is changing on your website. Doing it manually means reading the changelog before each update, but updates usually go smoothly, so the extra effort is well worth it. What matters most is that you keep WordPress as close to the current version as possible, and that you apply security releases promptly.
Keep Your Plugins Updated
Plugins are a great way to extend the functionality of your website, but they can also be doors for attackers into your site. Review any plugin before installing it to make sure it meets a minimum standard: it is actively maintained, it has been tested with a recent WordPress release, and it has a reasonable number of users and reviews. Install from a trusted repository such as the official WordPress.org plugin directory, so that if a vulnerability is found it will likely become public, and be fixed, quickly.
After you have installed plugins, they will need updates from time to time. An update usually comes with a changelog that you can read before applying it, and you should: it tells you what to expect, and it is where plugin authors announce breaking changes or security patches.
If the changelog mentions a security patch, update immediately. Once a fix is released the vulnerability is usually public, so every day the plugin sits unpatched is more time for an attacker to find the hole in your site and cost you money, time, and a lot of stress.
Keep Your Themes Updated
Just like plugins, the theme installed on your site provides the look and often extra functionality, and it can carry the same kinds of vulnerabilities. Keep an eye on the changelog for theme updates just as you do for plugins, or use a site scanner that checks installed themes and plugins against known security issues.
A less common and somewhat trickier issue arises with child themes. A child theme is your own code, so it does not receive updates the way its parent theme does: any template file or function you copied into the child theme overrides the parent's copy, and a fix shipped in a parent theme update does not reach your copy. In this case, to maintain your website security you will need to manually check the child theme for the affected code. This is most often needed when a core WordPress or parent theme function is found to be insecure and any calls to it need to be changed, which happens rarely.
Remove Unused Plugins & Themes
Now that you know why keeping plugins and themes updated matters, the next step is housekeeping: removing any plugins or themes that are installed but not actually in use.
If a plugin or theme is installed but not activated, you are still at risk of an attack through its files. Many people assume an inactive plugin is invisible, but its files remain on the web server under wp-content/plugins or wp-content/themes, and anything in them that can be requested directly (a script that does not check whether it is being loaded by WordPress, or a vulnerable bundled library) is still reachable by anyone who knows or guesses the path. Inactive plugins are also the easiest ones to forget, so they tend to be the ones left unpatched.
The recommendation is simple: if it is not activated, delete it completely, so there are no extra files for an attacker to reach. If you must keep something installed but inactive, at least follow the same update-checking routine that you use for active plugins and themes.
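As an added example (not code from the original post, and not part of WordPress itself), the following Python script performs the housekeeping check described in this section together with the update check from the plugins section, against constructed sample data. It reads the `active_plugins` option that WordPress stores in the wp_options table as a PHP-serialized array of plugin file paths, reads the `Plugin Name:` and `Version:` headers from each plugin's main file following the comment-block convention WordPress uses, compares installed versions with the latest releases, and then flags inactive plugins for deletion and pending security updates for immediate action. The plugin slugs, versions, changelog text and the `SECURITY_WORDS` keyword list are assumptions made up for the example; on a real site you would read the option from the wp_options table and the headers from the files under wp-content/plugins/.

```python
import re
from dataclasses import dataclass

# Constructed sample data, not taken from any real site.
# 1. The `active_plugins` row of wp_options: a PHP-serialized array of the
#    main-file paths of activated plugins. Other installed plugins are simply
#    absent from this list; their files are still on disk.
ACTIVE_PLUGINS_OPTION = (
    'a:2:{i:0;s:31:"example-forms/example-forms.php";'
    'i:1;s:31:"example-cache/example-cache.php";}'
)
# 2. The main file of each plugin found under wp-content/plugins/ (shortened
#    to the header comment block that WordPress reads).
INSTALLED_PLUGIN_FILES = {
    "example-forms/example-forms.php":
        "<?php\n/**\n * Plugin Name: Example Forms\n * Version: 2.3.1\n */\n",
    "example-cache/example-cache.php":
        "<?php\n/*\nPlugin Name: Example Cache\nVersion: 1.8.2\n*/\n",
    "example-gallery/example-gallery.php":
        "<?php\n/*\nPlugin Name: Example Gallery\nVersion: 1.0.2\n*/\n",
}
# 3. Newest release and its changelog entry per plugin slug, as you would
#    read them on the plugin's repository page before updating.
LATEST_RELEASES = {
    "example-forms": ("2.4.0", "Security: fixed an unauthenticated file upload."),
    "example-cache": ("1.8.2", "Tested up to the current WordPress release."),
    "example-gallery": ("1.1.0", "Added lightbox captions."),
}
# Assumed keywords that mark a changelog entry as a security fix.
SECURITY_WORDS = re.compile(r"security|vulnerab|xss|csrf|injection|cve-", re.I)


def parse_active_plugins(serialized: str) -> list[str]:
    """Parse the PHP-serialized array of strings in `active_plugins`.
    Only that shape is handled: a:N:{i:K;s:L:"...";...}. PHP string lengths
    are byte counts, so the walk is over bytes and the declared length is
    what is trusted, not the quotes."""
    data = serialized.encode("utf-8")
    head = re.match(rb"a:(\d+):\{", data)
    if not head:
        raise ValueError("not a serialized PHP array")
    pos, items = head.end(), []
    for _ in range(int(head.group(1))):
        key = re.compile(rb"i:\d+;").match(data, pos)
        val = key and re.compile(rb's:(\d+):"').match(data, key.end())
        if not val:
            raise ValueError(f'expected i:K;s:L:"..." at byte {pos}')
        start, length = val.end(), int(val.group(1))
        if data[start + length:start + length + 2] != b'";':
            raise ValueError(f"string length mismatch at byte {start}")
        items.append(data[start:start + length].decode("utf-8"))
        pos = start + length + 2
    if data[pos:pos + 1] != b"}":
        raise ValueError("unterminated array")
    return items


def parse_plugin_header(source: str) -> dict[str, str]:
    """Read `Plugin Name:` and `Version:` from the header comment in the
    first 8 KB of a plugin's main file, as WordPress does."""
    head, fields = source[:8192], {}
    for name in ("Plugin Name", "Version"):
        m = re.search(r"^[ \t/*#@]*" + re.escape(name) + r":(.*)$", head, re.M | re.I)
        value = m.group(1) if m else ""
        fields[name] = re.sub(r"\s*(?:\*/|\?>).*", "", value).strip()
    return fields


def is_outdated(installed: str, latest: str) -> bool:
    """Compare numeric dotted versions ('2.4' equals '2.4.0'). A non-numeric
    component counts as 0 so odd version strings get flagged, not crash."""
    def parts(v):
        return [int(p) if p.isdigit() else 0 for p in v.strip().split(".")]
    a, b = parts(installed), parts(latest)
    n = max(len(a), len(b))
    return a + [0] * (n - len(a)) < b + [0] * (n - len(b))


@dataclass
class Finding:
    plugin_file: str
    name: str
    active: bool
    installed: str
    latest: str
    security_update: bool
    action: str  # "delete" | "update now" | "update at next maintenance" | "ok"


def audit(installed_files, active_option, latest_releases) -> list[Finding]:
    """Classify every installed plugin: inactive ones are delete candidates
    regardless of version; active ones are compared with the latest release
    and escalated when the pending changelog mentions a security fix."""
    active = set(parse_active_plugins(active_option))
    findings = []
    for plugin_file, source in sorted(installed_files.items()):
        slug = plugin_file.split("/")[0].removesuffix(".php")  # hello.php style
        header = parse_plugin_header(source)
        latest, changelog = latest_releases.get(slug, (header["Version"], ""))
        outdated = is_outdated(header["Version"], latest)
        security = outdated and bool(SECURITY_WORDS.search(changelog))
        if plugin_file not in active:
            action = "delete"
        elif security:
            action = "update now"
        elif outdated:
            action = "update at next maintenance"
        else:
            action = "ok"
        findings.append(Finding(plugin_file, header["Plugin Name"],
                                plugin_file in active, header["Version"],
                                latest, security, action))
    return findings


if __name__ == "__main__":
    for f in audit(INSTALLED_PLUGIN_FILES, ACTIVE_PLUGINS_OPTION, LATEST_RELEASES):
        print(f"{f.action:27} {f.name}: {f.installed} -> {f.latest} (active={f.active})")
```

Two design points are worth noting. The serialized-option parser walks by the declared byte lengths rather than by quote characters, because that is how PHP reads the value, so a plugin path containing a quote does not throw the parse off. And an inactive plugin is reported as a delete candidate even when it is fully up to date: the point of the section above is that its files are reachable either way, so the version only decides how urgent the update of an active plugin is.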
One exception: if you use a non-default theme (the default themes are the ones like Twenty Nineteen and Twenty Twenty), it is a good idea to keep one default WordPress theme installed as a precaution. If your main theme ever fails for some reason, WordPress can fall back to the default theme. Just make sure you keep that fallback theme updated too.
Test Before You Upgrade
As with any major change to your website, always take a backup of both the files and the database before running updates. If your host lets you set up a staging site, test the updates there first; that is the best way to do it. The important thing is to make sure you are not going to break the site for your users by updating it.
Plugins, themes, and WordPress core are all updated on their own schedules, which can make it overwhelming to stay on top of every update immediately. So what should you do?
If there is a big security update, you will most likely hear about it. If the affected software is installed on your site, update immediately to reduce your exposure. Otherwise, running through general maintenance updates about once a month is usually fine.
Need help with updates? We offer a website maintenance package where we go in and do the updates and checking for you each and every month. We take care of checking the changelogs, testing the updates, and staying on top of all things related to WordPress security. If you would like to sign up for our package just head over to our contact form and shoot us a message!