Security is a big and complex area. Everything from the quality of your encryption algorithms to the privileges in your file access policy to the nature of your cryptographic signatures is part of security. But even without understanding what I meant by any of those things, you can still have a big impact on your own security.
General Principles of Security
There’s the obvious user-level advice I shouldn’t even need to tell you about:
- Don’t write down your password (and especially not in public)
- Use unique and complex passwords
- Don’t share your password (especially not with people you don’t trust)
- Don’t leave yourself logged into private things on public computers
There’s another policy though, that should be almost as basic but people regularly fail to implement: keep your software up to date. Not every update to every piece of software is about security — some are about adding features, some are about fixing bugs — but it’s frequent enough that something security related is included, especially with large and popular software like WordPress, that it makes for a sound security policy.
The Importance of Updates for WordPress Security
I’ll not give you a full catalog of the number of WordPress version updates that were specifically targeted at a security problem, but this list gives you a pretty clear sense. Almost every WordPress “point release” — 3.5.0 to 3.5.x — includes a note like the following, emphasis theirs: “This is a security release for all previous versions and we strongly encourage you to update your sites immediately.”
It’s not the case that every WordPress update carrying a note like that means your un-updated site will immediately be hacked — the internet is a big place, these vulnerabilities can be hard to exploit, and there are a lot of WordPress installs that are probably more interesting targets than yours — but it’s hard to hear a thing like that from someone releasing software and not take it seriously.
Especially with open source software, like WordPress, there’s a curious fact that immediately following a release to patch a security vulnerability, a motivated malicious hacker gets easy access to direct knowledge of that vulnerability. There’s nothing wrong with that, it’s the nature of open source, and the other benefits of this kind of software far outweigh that cost. But it does make it even more important that you update promptly if you want to keep your site safe.
The Future of WordPress Updates and Security
The WordPress team is well aware of the importance of security through being up-to-date, and has made it as simple as possible to update the core, as well as plugins and themes from the WordPress.org repository. You can do it yourself, and while there are always stern warnings about backups — and I strongly encourage you to always have at least two somewhere in the world at all times, regardless of updates — I have personally NEVER, in more than seven years as a WordPress user, seen an update to either the core, a theme, or a plugin cause a show-stopping problem. I’ve seen minor issues crop up, but never lost a site to one.
Because of this stability they’re planning a cool new feature in the next version of WordPress — 3.7 — automatic point release updates for the WordPress core. What that means is that after you install 3.7.0, WordPress will be able to just keep you up-to-date automatically and in the background for 3.7.1, 3.7.2, etc. Because disruptions or minor issues are most likely to occur at a major release like 3.8.0, you’ll have to do that update manually. And how or if themes and plugins will ever get automatic updates like this is still up in the air. But I strongly encourage you to jump on the auto-update train that arrives with 3.7.0 and rest a little easier.
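As an added example (not WordPress core code and not from the original post), here is a small must-use plugin that pins the 3.7 background updater to exactly the policy described above: point releases apply on their own, major releases stay manual, and only an explicit allow-list of plugins and themes is opted in. The filter names are WordPress’s own; the plugin and theme slugs are hypothetical placeholders.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example, not WordPress core code)
 * Description: Pins the WordPress 3.7+ background updater so that x.y.z point
 *              releases (the security releases) apply automatically, major
 *              releases stay manual, and only allow-listed plugins and themes
 *              update on their own.
 * Install: save as wp-content/mu-plugins/auto-update-policy.php. Must-use
 *          plugins load before regular plugins and cannot be switched off
 *          from the dashboard, so the policy cannot be disabled by accident.
 * The equivalent wp-config.php switch is define( 'WP_AUTO_UPDATE_CORE', 'minor' );
 * the filters below take precedence over that constant.
 */

// 3.7.0 -> 3.7.1 style point releases: keep them automatic (the 3.7 default).
add_filter( 'allow_minor_auto_core_updates', '__return_true' );

// Never jump a major version (3.7 -> 3.8) or onto a development build unattended;
// those are the updates most likely to disrupt a site, so do them by hand.
add_filter( 'allow_major_auto_core_updates', '__return_false' );
add_filter( 'allow_dev_auto_core_updates',   '__return_false' );

/**
 * WordPress leaves plugins and themes manual by default. Opt in only the ones you
 * trust to update cleanly. Slugs here are hypothetical placeholders.
 *
 * @param bool   $update Whether the updater already intends to update this item.
 * @param object $item   Update offer: plugins expose ->slug, themes expose ->theme.
 * @return bool
 */
function example_auto_update_allowlist( $update, $item ) {
    $allowed_plugins = array( 'example-security-plugin' ); // placeholder plugin slugs
    $allowed_themes  = array( 'example-theme' );           // placeholder theme slugs

    if ( isset( $item->slug ) && in_array( $item->slug, $allowed_plugins, true ) ) {
        return true;
    }
    if ( isset( $item->theme ) && in_array( $item->theme, $allowed_themes, true ) ) {
        return true;
    }
    return $update; // everything else stays as WordPress decided (manual)
}
add_filter( 'auto_update_plugin', 'example_auto_update_allowlist', 10, 2 );
add_filter( 'auto_update_theme',  'example_auto_update_allowlist', 10, 2 );

// Always receive the result e-mail, so a failed background update is noticed
// and the backup you keep can be restored promptly.
add_filter( 'auto_core_update_send_email', '__return_true' );
```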
So in summary, update. Do it regularly. Every time you see updates available in your WordPress dashboard, make sure your backup is intact and run them. They matter: they’ll keep you secure, and they’ll keep your site up on the internet and under your control.
Image Credits: mthierry