WordPress Security Basics Series Pt.2 – WordPress Updates

By Shield Security, 31st March 2015 (updated April 21st, 2020)

Applying WordPress updates is one of the easiest ways to keep your site protected from hacking.

You may or may not have heard this before, but updates for your WordPress site are very important. In this article I’m going to:

  • outline some important points about WordPress updates
  • outline what you can do to ensure you are protected
  • outline what you stand to lose if you ignore WordPress updates

Why is updating (or rather not updating) WordPress a security issue?

Code is rarely perfect – it’s built by humans. So this is to be expected.

Often when we code we don’t realise we’ve made mistakes and we create bugs and errors. We may also create scope for a security vulnerability.

When these are discovered, we patch them and the problem is apparently solved – but that’s only half the battle.

For this security patch to be effective the update must be applied to the existing installations of the code.

So as a WordPress site administrator you have the responsibility to ensure that you keep your WordPress installation as fully up-to-date as possible, ensuring you have all the latest security vulnerabilities patched.

Some questions and concerns about WordPress updates

If there’s one thing that you can say about WordPress, it’s that updates are fast and furious. There are usually at least 1 or 2 updates released for any given site in a week and you need to know how to best handle them.

Don’t updates normally break your stuff?

This is a common fear because we’ve been taught for years (back when Microsoft Windows was the standard) that upgrades normally break things.

And honestly, this fear is not altogether misguided. Updates really can break things and when you’re running a critical website, updating a plugin only to have it bring down your entire site is a nightmare we all share (and most of us have lived through).

Incremental updates however don’t typically break your sites and breakage is more likely to occur when you wait too long and a larger update is applied. So…

Smaller updates are just better

Updating plugins regularly, as-and-when they are released, means that the code changes between versions are smaller… this means you’re much less likely to introduce site-breaking changes.

The longer you wait to apply updates to a plugin, the further your installation drifts from the latest available version… the longer you wait, the greater the chance that finally upgrading the plugin/theme will cause serious breakage.

Applying smaller, incremental updates is just better for your stability in the long run.

What if an update does break a site?

Performing any sort of major change to a site demands that you have a path of recourse if it goes wrong.

The only sure-fire way is to have a recent, valid backup of your WordPress site. This backup should contain a copy of all the files from the site, as well as a corresponding database export.  A WordPress backup isn’t actually a proper backup unless it has both of these components.

If an update breaks your site, then you need to revert your site to the backup by restoring these files and database data.

What’s the best way to ensure I’m protected?

As a website administrator you have by-definition accepted the responsibility of ensuring a website stays up and running, and functioning as intended by the owner (you or your client).

This means there is a bit of work involved – when there is an update available you need to be pro-active in applying it.

Apply updates within a grace period

You can choose to apply updates as soon as they’re released, but I prefer to give plugins a grace period.

I will normally not apply a WordPress plugin update within the first 24hrs of it being released to the WordPress.org repository. I will instead wait until the update has been available for around 48hrs and if the support forum remains quiet and no further releases have been made, I’ll update the plugin.

This gives updates time to be applied and issues reported to the author, and any fixes to be released. If a fix has been released, I typically reset the grace period.
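The grace-period rule above, written out as a small decision routine. This is an added example, not code from the original post or from iControlWP; the plugin data is constructed, and in practice the installed/available versions would come from `wp plugin list` and the release date from the WordPress.org plugin information API's `last_updated` field. The "support forum is quiet" check remains a manual flag because it cannot be automated reliably.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GRACE_PERIOD = timedelta(hours=48)  # the article's 48-hour wait after a release


@dataclass
class PluginStatus:
    slug: str
    installed: str         # version on the site (e.g. from `wp plugin list`)
    latest: str            # version currently in the WordPress.org repository
    released_at: datetime  # when `latest` was published (API `last_updated`)
    forum_quiet: bool      # manual check: no fresh breakage reports on the support forum


def update_decision(p: PluginStatus, now: datetime) -> str:
    """Return 'current', 'wait', 'review' or 'update' for one plugin."""
    if p.installed == p.latest:
        return "current"
    # Age is always measured from the *latest* release, so a follow-up fix
    # automatically resets the grace period, as the article recommends.
    age = now - p.released_at
    if age < GRACE_PERIOD:
        return "wait"
    if not p.forum_quiet:
        return "review"   # old enough, but someone has reported trouble
    return "update"


def plan_updates(plugins, now):
    """Map every plugin slug to the action the grace-period policy allows today."""
    return {p.slug: update_decision(p, now) for p in plugins}


# Constructed sample data (hypothetical plugin slugs, not real release dates).
NOW = datetime(2020, 4, 21, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    PluginStatus("alpha-forms", "1.4.0", "1.4.0", NOW - timedelta(days=10), True),
    PluginStatus("beta-seo", "2.0.1", "2.0.2", NOW - timedelta(hours=6), True),
    PluginStatus("gamma-cache", "3.1.0", "3.1.2", NOW - timedelta(hours=72), True),
    PluginStatus("delta-gallery", "0.9.0", "1.0.0", NOW - timedelta(days=3), False),
]

if __name__ == "__main__":
    for slug, action in plan_updates(SAMPLE, NOW).items():
        print(f"{slug:15} {action}")
```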

Only ever update with a reliable site backup/restore procedure in-place.

WordPress backups are easy to do, but restoring a site can be torturous.

To be absolutely safe you should have a fresh backup no more than 24hrs old, and you should also of course test the validity of your backups to ensure you can in fact restore that data.

If you haven’t yet, check out our WorpDrive automated backup service – this is an add-on integrated into our iControlWP service.

Test the upgrades on non-critical sites first

Some websites are more critical than others, so try to only update plugins and verify them on the less critical sites before applying them to your more sensitive WordPress sites.

The best approach here is to have test copies of the websites you’re going to upgrade, and test the application of the updates there first. This is most important when applying major WordPress upgrade releases.

Create and Follow Update Procedures

Sure, you can go to each site every morning and check for updates, and then just click the update button when you see them. But eventually this will burn you.

It usually takes a major incident for people to realise that WordPress site security and maintenance are not exercises in trivial pointing-and-clicking.  You need to get professional about it.

Create a workflow for your WordPress updates management, and process it in a manner that reduces risk of catastrophe, but gives you the flexibility to handle security-based upgrades when they’re released.

Always read the change logs

Most developers will include a change log with their plugin updates and you should really read these each time you come to upgrade to ensure you are aware of issues that might affect your sites.

What do I risk if I don’t maintain WordPress updates?

Your website, or your clients’ websites are the gateways to business services.

They are considered critical to businesses by most people and if your website is offline, so is your capacity to do business.

The simple act of creating a process to manage updates can protect you against security vulnerabilities because you’re on top of your upgrades and can apply security-related updates almost as soon as they’re released.

Without putting a workflow in place, you run the risk of being offline until you can recover your sites from a successful hacking on your web hosting. We see sites hacked all the time and quickly recovered with our WorpDrive backup protection system. But we also see many sites offline due to failed upgrades on sites that aren’t protected, and they spend days and weeks offline because the manpower isn’t there to get them up and running again.

You risk your business, and the businesses of your clients, by not having a WordPress updates workflow.

This is lost money, which is, after all, what most businesses are in the business of making more of.

What tools are available to help with WordPress updates?

How you create your workflow and what process you follow is down to your personal preference, and your professional obligations to your clients.  There are tools to assist with this, such as Trello to help with managing these tasks.

We recommend a WordPress management service such as iControlWP to handle your upgrades and quickly apply them across groups of sites when you’re ready to do so.

In this way you can organize your sites into meaningful groups and manage updates in a bulk, staged fashion.

How do you manage your WordPress updates?

If you have suggestions on how you manage your WordPress updates and would like to share it, please leave a comment with us below.  Perhaps we can incorporate it into our iControlWP WordPress management services and help you get even more done in less time.

We all have different processes… please feel free to share your ideas!
