When to update WordPress, plugins, and themes

Is it really important to update the WordPress core, the plugins, and the theme? I will tell you what I think about it.

As you know, the web is a very dynamic place, full of new things, users, new fashions, new practices …, and hackers.

Every day on the web is different from the day before. Every day someone has a new idea about how to do business on the web, but unfortunately every day many websites are also attacked by hackers.
So, for both positive and negative reasons, it pays to always keep the software that supports your website up to date.

Positive reasons: with an updated installation you can enjoy the latest features, which could include better ways to do something on your website, or better website performance.
Negative reasons: software that is not updated is easier for hackers to exploit.

The WordPress core team always tries to include the important new features a website needs and to improve the software.
Moreover, every time a WordPress site is attacked because of a certain vulnerability, the WordPress team works to find a solution to prevent further attacks that exploit that vulnerability and then releases a new WordPress version.

WordPress is a very popular CMS full of very nice features, but precisely because it’s so popular, the websites powered by WordPress are also a good target for hackers, who invest a lot of time studying the WordPress code because that gives them more choice for their activities.

I don’t want to spend too many words explaining why these hackers do that, also because it’s just my personal opinion. I will just say that for me they do that because they also sell their services to protect a website against attacks. Let’s say that they nourish their business by generating potential customers in a not so nice way. This is just to say that hackers exist and could also attack your website, although you would never imagine someone could do that.

Now don’t be afraid. If you are careful, it’s relatively easy to protect your own website. The WordPress core code is written with the possible vulnerabilities in mind, and if you always update the WordPress core, the probability that you will have problems with hackers becomes lower.

Moreover, you will find some nice plugins that can help you protect your website (e.g. Wordfence).

Regarding the safety of your website, I suggest that you:

  • Periodically make a complete back-up.
  • Avoid user passwords that are too easy.
  • Don’t give your password to people you are not sure about.
  • Avoid premium plugins and themes that you get for free from some marketplaces.
  • Always update the WordPress core, plugins and themes.
  • Avoid badly coded plugins and themes.

The first item on the list is the most important. If you have a back-up of your website, anything can happen: hackers can destroy your website and your entire hosting, but with a back-up you will be able to easily restore everything in a few minutes. I suggest you store the back-ups in a place that is different from the place where your website is hosted; otherwise, if hackers gain access to your server, they would get access to your back-ups too.

To easily back up your website I suggest one of these two plugins:

With them you can export and import back-ups in a few clicks. They don’t consume resources on the front-end, so you can keep them on your installation and save a back-up from time to time.

Regarding the user password, of course, the easier your password is, the higher the risk that someone gets access to your administrator panel.

I think also the third point doesn’t need more comments.

About premium plugins and themes obtained for free, the so-called nulled plugins, I would say that this is the most frequent cause of attacks.
Some marketplaces offer premium plugins and themes for free: they buy the original ones and then distribute them for free, but they add malicious code to the files to open the door to malware and attacks.
I strongly suggest you avoid this kind of plugins and themes.
The free plugins you find on the official WordPress repository (https://wordpress.org/plugins/) are relatively safe. They are checked by a WordPress team that specializes in rejecting plugins with suspicious code.

About the last point, as mentioned, the older the code of the software that supports your website, the easier it will be for hackers to exploit some vulnerabilities.

You should always update WordPress, themes, and plugins, including the plugins and themes that are not active. If a plugin or a theme is not active, it doesn’t mean that its code cannot be used to compromise your website.
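One way to check this in practice, as an added example that is not part of the original post: it assumes WP-CLI is installed and reads the CSV that `wp plugin list` prints, listing every plugin with a pending update and counting the inactive ones. The sample input is constructed and the plugin names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: find plugins with pending updates, inactive ones included.
# Expects CSV on stdin in the shape produced by WP-CLI:
#   wp plugin list --fields=name,status,update,version --format=csv
# (wp theme list accepts the same fields). Plugin slugs contain no commas,
# so a plain comma split is enough for these four columns.

# Print "name status version" for each row whose update column is "available".
pending_updates() {
  awk -F, 'NR > 1 && $3 == "available" { print $1, $2, $4 }'
}

# Count pending updates that belong to inactive plugins: their files are
# still on the server, so they need the update as much as active ones.
inactive_pending() {
  pending_updates | awk '$2 == "inactive"' | wc -l | tr -d ' '
}

# Constructed sample input; the plugin names are hypothetical.
sample_csv() {
  cat <<'EOF'
name,status,update,version
contact-form-example,active,available,5.1
old-slider-example,inactive,available,2.3
seo-example,active,none,9.0
gallery-example,inactive,none,1.4
EOF
}

# Demo on the sample. On a real site, pipe the wp command above instead.
sample_csv | pending_updates
echo "inactive plugins still needing an update: $(sample_csv | inactive_pending)"
```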

Because the WordPress team frequently updates the core, all plugin and theme authors have to update their products, even if they would not have done so on their own initiative, because many WordPress updates include function name changes and so on. Plugin and theme code calls core WordPress functions in many places, so if the core has different function names and the plugins and themes are not updated, they trigger fatal errors that break the entire website.
If this happens, it means that the plugins or themes are really very old, because before removing or changing core functions, WordPress declares them deprecated, and plugin and theme authors have enough time to adapt their products.
Moreover, plugin and theme authors are also interested in always improving their products, for both positive and negative reasons, as explained for the WordPress core.

If you have a good-quality theme and plugins, you can update the WordPress core without being afraid of breaking anything. Plugins and themes that are well coded will also be less vulnerable to possible attacks.

I haven’t suggested the use of firewalls or malware scanners because it’s not always the best way to protect your website. Of course, by having a firewall or periodically scanning your website you will improve the safety of your installation, but you will also lose performance.

In some cases it will be better to add security at the expense of the best performance; in other cases, it will be better to reach security in another way and give more importance to performance.

On this topic, many people will have their own thinking, and probably what I think about it is different from what most people believe. I prefer to increase the frequency of back-ups and have themes and plugins that are very well coded rather than slow down the website with too many malware scanners and firewalls. If someone destroys one of my websites, after I notice it, I need a couple of minutes to restore it.

I will not describe here all the actions you could take to further improve your website security. This is a post categorized as basic, and no advanced knowledge is required to follow the tips described above. In the future, I will write something more advanced for those who like to get their hands dirty with the code. Just by doing the very simple things described above, you’ll sleep more peacefully; it’s really enough to back up your entire website and store the back-ups in a safe place.