Simplest WordPress Security Win: Always Be Updating


Security is a big and complex area. Everything from the quality of your encryption algorithms, to the privileges in your file access policy, to the nature of your cryptographic signatures is part of it. But even if you didn't understand a word of that, you can still have a big impact on your site's security.

General Principles of Security

There’s the obvious user-level advice I shouldn’t even need to tell you about:

  • Don’t write down your password (and especially not anywhere public)
  • Use unique and complex passwords
  • Don’t share your password (especially not with people you don’t trust)
  • Don’t leave yourself logged into private things on public computers

There’s another policy, though, that should be almost as basic but that people regularly fail to follow: keep your software up to date. Not every update to every piece of software is about security (some add features, some fix ordinary bugs), but something security-related is included often enough, especially with large and popular software like WordPress, that updating promptly makes for a sound security policy.

The Importance of Updates for WordPress Security

I’ll not give you a full catalog of the WordPress releases that were specifically targeted at a security problem, but the list of past releases gives you a pretty clear sense. Almost every WordPress “point release” (3.5.0 to 3.5.x, for example) includes a note like the following, emphasis theirs: “This is a security release for all previous versions and we strongly encourage you to update your sites immediately.”

It’s not the case that every WordPress update which says something like that means your un-updated site will immediately be hacked. The internet is a big place, these vulnerabilities can be hard to exploit, and there are a lot of WordPress installs that are probably more interesting targets than yours. But it’s hard to hear a thing like that from the people releasing the software and not take it seriously.

Especially with open source software like WordPress, there’s a curious fact: immediately after a release that patches a security vulnerability, a motivated attacker gets easy access to direct knowledge of that vulnerability, because the fix itself is public and comparing the patched code with the previous release shows exactly where the hole was. There’s nothing wrong with that; it’s the nature of open source, and the other benefits of this kind of software far outweigh that cost. But it does make it even more important that you update promptly if you want to keep your site safe.

The Future of WordPress Updates and Security

The WordPress project is well aware of the importance of security through being up to date, and has made it as simple as possible to update the core, as well as plugins and themes from the WordPress.org repository. You can do it yourself, and while there are always stern warnings about backups (and I strongly encourage you to always have at least two somewhere in the world at all times, regardless of updates), I have personally NEVER, in more than seven years as a WordPress user, seen an update to either the core, a theme, or a plugin cause a show-stopping problem. I’ve seen minor issues crop up, but never lost a site to one.

Because of this stability they’re planning a cool new feature in the next version of WordPress, 3.7: automatic background updates for WordPress core point releases. What that means is that after you install 3.7.0, WordPress will be able to keep you up to date automatically and in the background for 3.7.1, 3.7.2, etc. Because a major release like 3.8.0 is where disruptions or minor issues are most likely, that update stays manual by default. And how or if themes and plugins will ever get automatic updates like this is still up in the air. But I strongly encourage you to jump on the auto-update train that arrives with 3.7.0 and rest a little easier.
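To make that policy concrete, here is an added example (not code from this post or from WordPress itself) of a must-use plugin that opts a site into the background updater using the filters WordPress 3.7 introduced. The file name, the function name and the plugin slugs in the list are assumptions for illustration; the filters and the mu-plugins directory are the real WordPress mechanism.

```php
<?php
/**
 * Plugin Name: Background update policy (added example)
 * Description: Opts a site into the automatic background updates introduced in WordPress 3.7.
 *
 * Save as wp-content/mu-plugins/auto-update-policy.php (assumed file name; create the
 * directory if it doesn't exist). Must-use plugins load on every request and cannot be
 * deactivated from the dashboard, so the policy survives a careless click.
 */

// Core: keep minor/security releases (3.7.x) automatic and leave major releases (3.8.0)
// manual. Both are the 3.7 defaults; stating them explicitly documents the policy and
// stops a host or another plugin from quietly flipping them.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Themes: update everything installed from the WordPress.org repository in the background.
add_filter( 'auto_update_theme', '__return_true' );

// Plugins: a selective policy. Plugins whose slug is on the trusted list update in the
// background; anything else keeps WordPress's default (no background update), so a
// plugin you have customised or that has bitten you before still waits for a human.
function example_auto_update_trusted_plugins( $update, $item ) {
    // Assumed slugs; substitute the plugins you actually run.
    $trusted = array( 'akismet', 'wordpress-seo' );
    if ( isset( $item->slug ) && in_array( $item->slug, $trusted, true ) ) {
        return true;
    }
    return $update; // fall through to whatever WordPress decided
}
add_filter( 'auto_update_plugin', 'example_auto_update_trusted_plugins', 10, 2 );

// Always be told what happened: WordPress emails the site admin after a background core
// update, whether it succeeded or failed. Keep that on so a failed update is not silent.
add_filter( 'auto_core_update_send_email', '__return_true' );
```

The same core policy can be set without a plugin by adding `define( 'WP_AUTO_UPDATE_CORE', 'minor' );` to wp-config.php (`true` also allows major releases, `false` turns core updates off). Two caveats a practitioner should check: the background updater needs to be able to write WordPress's own files directly (if the dashboard asks you for FTP credentials when you update by hand, background updates will not run either), and it deliberately refuses to run when it finds a .git or .svn checkout at or above the install, or when `AUTOMATIC_UPDATER_DISABLED` or `DISALLOW_FILE_MODS` is defined in wp-config.php. A site in any of those states still needs the manual routine the post describes, so confirm on the Updates screen that the version actually moved after the first security release ships.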

So in summary: update. Do it regularly. Every time you see updates available in your WordPress dashboard, make sure your backup is intact and run them. They matter; they’ll keep your site secure, up on the internet, and under your control.

Image Credits: mthierry

About David Hayes

David likes learning, solving hard problems, and teaching. He bikes a lot, and lives in (and loves) Colorado. You can find him on Twitter as @davidbhayes and check out his latest hobby-project, Quodid, a monument to his love for pithy bits of wisdom.

10 thoughts on “Simplest WordPress Security Win: Always Be Updating”


  7. Dmitri Larionov

    I am regularly surprised when site owners don’t become concerned during my WP security explanation. When I attempt to explain to someone the necessity for a child theme and regular software updates, oftentimes a site owner will be carefree and really won’t understand the potential danger of the situation. I tell them this is especially dangerous if you have credit card numbers on your server stored in an unencrypted manner. Although the internet is a big place and the likelihood of a hacker knowing about sensitive data on a server and the fact that the site is outdated is not that high, it still should be a concern.

