“If it’s not broke, don’t fix it…” is an attitude I have heard towards performing updates to a WordPress website. If the site is working properly, why should changes be made to it? Is performing WordPress updates really necessary?
The answer is YES, updates are essential! Maybe you are not experiencing any problems with your website, but by not performing regular updates, you are asking for problems. If your website gets hacked or otherwise compromised, not only can you lose valuable data, you can also lose your position in the search engine rankings… your site will be de-indexed by Google if malicious code is found. I would like to share a few tips on how to prevent something like this from happening to you.
What should I do to keep my website secure?
The number one thing you should do is keep up with housekeeping. This includes:
- Keep the WordPress core updated
The WordPress core team does a great job of cleaning up and optimizing WordPress on an ongoing basis. They are committed to finding and fixing any potential security issues. Any time you see a minor release (4.1.x), it is for bug fixes and security patches. It takes a mere matter of minutes to update the WordPress core, and it should become part of your regular routine.
- Update themes and plugins
Plugins and themes can be an even greater cause of vulnerability, since they do not all go through the same extreme testing as the WordPress core. Be careful about what plugins and themes you install, making sure they have a lot of positive reviews and are maintained frequently or come from a reputable source like StudioPress. Then check regularly for available updates!
- Remove disabled plugins and inactive themes
When a plugin or theme is inactive, WordPress does not load it. However, it is still accessible and executable on the web server. This is a commonly overlooked vulnerability on a WordPress site. If you aren’t using a plugin or theme, remove it from your site! You will reduce your risk of future vulnerabilities and it is less you have to maintain.
But I’m Afraid I’ll Break It!
That “update” button can seem pretty scary, and this is a valid concern. Some updates aren’t compatible with existing themes or plugins on a site, and the updates can cause issues. All you need to do to have complete peace of mind is have a backup of your site files and database prior to updating. Before updating, view the release details to know what changes are being made. After the update, check your site over for any new problems. If something happens to go wrong, you can roll back to the previous state thanks to the backup you made.
There are plugins to assist with backups, or you can enlist a developer like myself to back it up for you and be on standby to roll things back, “just in case.”
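The backup-then-update routine described above, as an added example that is not part of the original post: a shell script that assumes WP-CLI (`wp`) is installed on the server. `WP_PATH` and `BACKUP_DIR` are placeholder locations and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: never update without a verified backup to roll back to.
# Assumptions: WP-CLI ("wp") is on PATH; both paths below are placeholders.
WP_PATH="${WP_PATH:-/var/www/html}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wordpress}"

# backup_site: dump the database and archive the site files into a fresh,
# timestamped directory. Prints that directory; fails if either file is empty.
backup_site() {
    dest="$BACKUP_DIR/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$BACKUP_DIR" && mkdir "$dest" || return 1
    wp --path="$WP_PATH" db export "$dest/db.sql" >/dev/null || return 1
    tar -czf "$dest/files.tar.gz" -C "$WP_PATH" . || return 1
    [ -s "$dest/db.sql" ] && [ -s "$dest/files.tar.gz" ] || return 1
    printf '%s\n' "$dest"
}

# list_unused: inactive plugins and themes, which stay on disk (and reachable
# on the web server) until they are deleted.
list_unused() {
    wp --path="$WP_PATH" plugin list --status=inactive --field=name | sed 's/^/plugin:/'
    wp --path="$WP_PATH" theme list --status=inactive --field=name | sed 's/^/theme:/'
}

# update_site: refuse to touch anything unless the backup succeeded first.
# --minor limits the core update to maintenance and security releases.
update_site() {
    dest=$(backup_site) || { echo "backup failed, not updating" >&2; return 1; }
    echo "rollback point: $dest" >&2
    wp --path="$WP_PATH" core update --minor &&
    wp --path="$WP_PATH" plugin update --all &&
    wp --path="$WP_PATH" theme update --all
}

# Run only when called with an action, e.g.:  sh wp-update.sh update
# Roll back with: wp db import <dir>/db.sql, then unpack files.tar.gz over WP_PATH.
case "${1:-}" in
    update) update_site ;;
    unused) list_unused ;;
esac
```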
What else can I do?
Here are a few other tips on how to keep your site safe and secure.
- Choose a secure hosting platform
Most hosting platforms are designed to be everything to everyone. If you select a hosting provider that specializes in WordPress and is proactive in its approaches to security, your chances of having performance and security issues will lessen. We recommend SiteGround web hosting for most basic needs, and WP Engine for managed WordPress hosting.
- Be responsible about your passwords.
Don’t write your passwords down: You may as well leave the keys in the ignition of your car. Anyone can take it and drive off. Alternatively, look at using a password management tool like LastPass.
Use Passphrases: Passphrases are basically long passwords, a phrase with a meaning to you. To make it even stronger, you can mix in a variety of character types in place of letters.
LastPass explains this technique in a little more detail in this post.
- Prevent brute force attacks.
A Brute Force Attack is when someone tries to gain access to a site by trying usernames and passwords over and over again. This can be surprisingly successful when people use passwords like ‘123456’ and usernames like ‘admin’. Even when they fail, brute force attacks can cause performance issues with your website. Installing Jetpack and activating Protect will secure your WordPress sites from malicious and unwanted login attempts.
- Use additional security tools such as…
Cloudflare: It is very easy to set up and connect to your WordPress site with this plugin.
Wordfence Security: A free plugin that is full of useful features and is updated regularly.
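To see what the brute force attempts described above look like on your own server, here is an added example (not part of the original post) that counts failed-looking login attempts per client IP in a web server access log. It assumes the common/combined log format and treats a POST to `wp-login.php` answered with status 200 as a failed login (a successful login normally redirects with 302); the threshold, function names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: spot repeated failed logins in an access log.
# Assumptions: combined/common log format; THRESHOLD is an arbitrary example value.
THRESHOLD="${THRESHOLD:-5}"

# login_offenders: read log lines on stdin and print "count ip" for every client
# with at least THRESHOLD POSTs to wp-login.php that returned 200 (heuristic for
# a failed login), highest count first.
login_offenders() {
    awk -v min="$THRESHOLD" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -rn
}

# sample_log: constructed log lines using documentation-only IP ranges.
# One client fails six times in a row; another fails once, then logs in.
sample_log() {
    i=0
    while [ "$i" -lt 6 ]; do
        echo "203.0.113.7 - - [01/Jan/2024:10:00:0$i +0000] \"POST /wp-login.php HTTP/1.1\" 200 4521"
        i=$((i + 1))
    done
    cat <<'EOF'
198.51.100.20 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4410
198.51.100.20 - - [01/Jan/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.20 - - [01/Jan/2024:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
EOF
}

# With a file argument, scan that log; otherwise run on the constructed sample.
if [ -n "${1:-}" ]; then
    login_offenders < "$1"
else
    sample_log | login_offenders
fi
```

A user who mistypes a password once stays under the threshold, while the client that fails six times in a row is reported.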
We are here for you
We understand that not everyone has the time that regular updates entail. If you prefer, Designtek offers a monthly service to take care of your WordPress updates and backups for you so you don’t ever need to worry about it. If you would like our help, don’t hesitate to contact us!
Great advice! You’re right that people often overlook removing disabled plugins and inactive themes, but those are important for security. I agree with your recommendations of SiteGround, LastPass, Limit Login Attempts, Cloudflare, and Wordfence. I’ve found them worthwhile too.
One note: Wordfence can limit login attempts, so if you install it, you don’t also need Limit Login Attempts.
Thanks for noting that, Chad! Wordfence really is quite a feature-rich tool.