When to update WordPress, plugins, and themes

Is updating the WordPress core, plugins, and themes important? Here is what I think about it.

As you know, the web is a very dynamic place, full of new things, new users, fashions, new practices … and hackers.

Every day on the web is different from the day before. Every day someone has a new idea.
With an up-to-date installation you can enjoy the latest features, which may include better ways to do something on your website or better website performance ….
Should we update everything only for that?

There are also other reasons. The system practically forces you to update the software, and it’s also true that old software is more vulnerable.

Many people want you to update your theme and plugins.
Theme and plugin authors want to sell you licenses for their product updates.
Freelancers and web agencies want to sell you their maintenance services.
Web hosting providers want to sell you their backup plans.
Updates are the soul of the software business. This doesn’t mean that updates exist only to keep the software business alive, but of course without them this business would die. Sooner or later you will be in a situation where you must update your software, because the whole system behind the software pushes for updates.

Apart from all this, the WordPress core team always tries to include the important new features a website needs and to improve the software.
Moreover, when WordPress sites are attacked through a certain vulnerability, the WordPress team works on a fix that prevents further attacks exploiting that vulnerability and then releases a new WordPress version.

As you probably know, WordPress is written in the programming language PHP.
From time to time PHP is updated too, and hosting providers sometimes remove old PHP versions from their control panels. When this happens, if one of your plugins doesn’t work with the new PHP version, you will probably need to update that plugin. So there is no escape: sooner or later you will have to update your plugins, even if you don’t care about vulnerabilities. It is better to keep your plugins updated than to update them only when you have no other choice.
Keeping old versions of your plugins and then updating them only when you can’t wait any longer may cause problems.

As mentioned, many people want you to update the software because of their own interests; however, it should also be in your interest (what an intriguing system!), because hackers exist, and they like old software.
WordPress is a very popular CMS full of very nice features; however, precisely because it’s so popular, websites powered by WordPress are also a good target for hackers, who invest a lot of time studying the WordPress code because doing so gives them more options for their activities.
I don’t want to spend too many words explaining why these hackers do that, also because it’s just my personal opinion. I will only say that, in my view, they do it because they also sell services to protect websites against attacks. Let’s say they feed their business by generating potential customers in a not-so-nice way. The point is that hackers exist and could attack your website too, even if you would never imagine anyone doing that.

Now don’t be afraid. With some care it’s relatively easy to protect your website. If you always update the WordPress core, plugins, and themes, the probability of having problems with hackers becomes lower.

You can also find plugins that help you protect your website (e.g. Wordfence).
Don’t think your site is safe just because you have installed one of those security plugins. They help a little, nothing more.

Regarding the safety of your website, I suggest you:

  • Periodically make an entire backup.
  • Avoid weak user passwords.
  • Don’t give your password to people you are not sure about.
  • Avoid premium plugins and themes that you get for free from some marketplaces.
  • Always update the WordPress core, plugins, and themes.
  • Avoid badly coded plugins and themes.

The first item on the list is the most important. If you have a backup of your website, whatever happens (hackers could destroy your website and your entire hosting account), you will be able to restore everything easily in a few minutes. I suggest you store the backups somewhere other than where your website is hosted; otherwise, if hackers gain access to your server, they get access to your backups too.

To back up your website easily I suggest one of these two plugins:

With a few clicks you can export and import backups. They don’t consume resources on the front end, so you can keep them installed and save a backup from time to time.
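For those who prefer the command line to a plugin, the following is an added example (not from the original post, and not the code of any of the plugins mentioned) of the two points made above: make a dated, verifiable backup of the whole installation, and copy it off the web server. It assumes WP-CLI (https://wp-cli.org/) is installed as `wp` for the database dump, that the site lives in SITE_DIR, and that OFFSITE_DEST is a placeholder you replace with your own remote location on a different machine.

```shell
#!/bin/sh
# Added example (not from the original post): timestamped, verified backup of
# a WordPress installation, copied away from the server that hosts the site.
# Assumptions: WP-CLI (`wp`) is available for the database dump; SITE_DIR,
# BACKUP_DIR and OFFSITE_DEST are placeholders for your own paths/host.
set -eu

# make_backup <site_dir> <dest_dir> <label> [<db_dump_file>]
# Creates <dest_dir>/<label>-<UTC timestamp>.tar.gz from <site_dir>, leaving
# out the page cache, and adds the database dump (if given) at the top level.
# Prints the archive path.
make_backup() {
    site_dir=$1; dest_dir=$2; label=$3; dump_file=${4:-}
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest_dir/$label-$stamp.tar.gz"
    mkdir -p "$dest_dir"
    if [ -n "$dump_file" ]; then
        tar -czf "$archive" --exclude='./wp-content/cache' -C "$site_dir" . \
            -C "$(dirname "$dump_file")" "$(basename "$dump_file")"
    else
        tar -czf "$archive" --exclude='./wp-content/cache' -C "$site_dir" .
    fi
    printf '%s\n' "$archive"
}

# verify_backup <archive> <path inside the site>
# Returns 0 only if the archive is readable and really contains the file;
# a backup you have never listed is not a backup you can rely on.
verify_backup() {
    archive=$1; expected_path=$2
    tar -tzf "$archive" | grep -qxF "./$expected_path"
}

# Real run only when RUN_BACKUP=1, so the script is harmless to source.
if [ "${RUN_BACKUP:-0}" = "1" ]; then
    SITE_DIR=${SITE_DIR:-/var/www/html}                      # placeholder
    BACKUP_DIR=${BACKUP_DIR:-/var/backups/wordpress}         # placeholder
    OFFSITE_DEST=${OFFSITE_DEST:-"user@backup-host.example:/backups/wordpress/"}  # placeholder

    # Dump the database outside the web root so it is never served by the web server.
    dump="$BACKUP_DIR/db-dump.sql"
    mkdir -p "$BACKUP_DIR"
    wp db export "$dump" --path="$SITE_DIR"

    archive=$(make_backup "$SITE_DIR" "$BACKUP_DIR" "site" "$dump")
    rm -f "$dump"
    verify_backup "$archive" "wp-config.php"

    # Copy the archive to another machine: a backup that only lives next to
    # the site is lost together with it when the server is compromised.
    rsync -a "$archive" "$OFFSITE_DEST"
fi
```

Run it as `RUN_BACKUP=1 SITE_DIR=/path/to/site OFFSITE_DEST=... sh backup.sh` from cron; the `verify_backup` step fails the job (and so the off-site copy) if the archive is unreadable, which is the cheapest way to notice a broken backup before you need it.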

Regarding user passwords: of course, the easier your password, the higher the risk that someone gets access to your administrator panel.

I think the third point doesn’t need further comment either.

About premium plugins and themes given away for free, the so-called nulled plugins: I would say this is the most frequent cause of attacks.
Some marketplaces offer premium plugins and themes for free: they buy the originals and then redistribute them for free, but they add malicious code to the files to open the door to malware and attacks.
I strongly suggest you avoid this kind of plugin and theme.
The free plugins in the official WordPress repository (https://wordpress.org/plugins/) are relatively safe: a dedicated WordPress team rejects plugins with suspicious code.

About the last point: as mentioned, the older the software, the easier it is for hackers to exploit its vulnerabilities.

You should always update WordPress, themes, and plugins, including the plugins and themes that are not active. A plugin or theme being inactive doesn’t mean its code cannot be used to compromise your website.

Because the WordPress team frequently updates the core, all plugin and theme authors have to update their products, even if they wouldn’t do it on their own initiative, because many WordPress updates include function name changes and so on. Plugin and theme code calls core WordPress functions many times, so if the core has different function names and the plugins and themes are not updated, they trigger fatal errors that break the entire website.
If this happens, it means the plugins or themes are very old, because before removing or changing core functions WordPress declares them deprecated, and plugin and theme authors have enough time to adapt their products.
Moreover, plugin and theme authors are also interested in always improving their products, for both the positive and negative reasons explained for the WordPress core.
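The WordPress dashboard only shows update notices for what you look at, and it is easy to overlook inactive plugins and themes. As an added example (not from the original post), the following script uses WP-CLI to list every plugin and theme with an update available, whether active or not, and counts how many of them are inactive, i.e. the ones a “just update what I use” habit would miss. It assumes WP-CLI (https://wp-cli.org/) is installed as `wp` and that the script is run from the WordPress root; the CSV column names are WP-CLI’s own fields for `wp plugin list` and `wp theme list`.

```shell
#!/bin/sh
# Added example (not from the original post): find plugins and themes with an
# update available, including inactive ones. Assumes WP-CLI (`wp`) is on PATH
# and the script runs in the WordPress root.
set -eu

# list_updatable: reads WP-CLI CSV (name,status,update,version,update_version)
# on stdin and prints "name<TAB>status<TAB>installed -> available" for every
# row whose "update" column is "available". Status is not filtered, so
# inactive items show up too: their code is still on disk and reachable.
list_updatable() {
    awk -F',' 'NR > 1 && $3 == "available" {
        printf "%s\t%s\t%s -> %s\n", $1, $2, $4, $5
    }'
}

# count_inactive_updatable: same input; prints how many updatable rows are
# inactive, the ones you would miss by updating only what is in use.
count_inactive_updatable() {
    list_updatable | awk -F'\t' '$2 == "inactive" { n++ } END { print n + 0 }'
}

if command -v wp >/dev/null 2>&1; then
    fields=name,status,update,version,update_version
    echo "Plugins with updates available (active and inactive):"
    wp plugin list --fields="$fields" --format=csv | list_updatable
    echo "Themes with updates available (active and inactive):"
    wp theme list --fields="$fields" --format=csv | list_updatable
    echo "Inactive plugins still waiting for an update:"
    wp plugin list --fields="$fields" --format=csv | count_inactive_updatable
fi
```

Anything the script lists under “inactive” should either be updated with the rest or removed altogether: a plugin you are not using is only attack surface. Running the check on a staging copy before updating production also catches the fatal-error case described above before visitors see it.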

If you have well-coded themes and plugins, you can update the WordPress core without being afraid of breaking anything. Well-coded plugins and themes are also less vulnerable to potential attacks.

I will not describe here all the actions that improve your website security further: this post is categorized as basic, and no advanced knowledge is required to follow the tips described above. In the future I will write something more advanced for those who like to get their hands dirty with code. Just by doing the very simple things described above you’ll sleep more peacefully; it’s enough to back up your entire website and store the backups in a safe place.