After 15 years as a WordPress professional, I‘ve seen firsthand the damage that outdated WordPress installs can inflict. Hackers aggressively target sites running outdated WordPress, plugin, and theme versions filled with known security holes.
According to Sucuri‘s latest report, a shocking 83% of hacked sites were running outdated software. And Symantec found that over 1 million WordPress sites were hacked in 2018 alone due to an old plugin vulnerability.
Don‘t let your site be next. Keeping your WordPress site updated is absolutely critical for security.
In this comprehensive guide, I‘ll show you how I keep client sites safe using:
- Automatic background updates
- Alternative update methods
- WordPress security plugins
- Staging and testing before updates
- Other WordPress hardening techniques
Let‘s dig in…
Contents
Why You Should Always Update WordPress Sites
Before showing you how to update WordPress, it‘s important to understand why keeping your site updated is so crucial for security.
Outdated Software is Hacker Magnet
Cybercriminals have an arsenal of automated tools that continuously scan for outdated WordPress sites to break into.
Once they detect a vulnerable target, they‘ll quickly move to exploit known security flaws that have long been patched in newer software versions.
I‘ve seen many clients hacked simply because their WordPress version was over a year old. Or worse, they were still running an end-of-life version that hasn‘t received updates in years.
WordPress is a Big Target
With over 40% market share, WordPress is the world‘s most popular CMS. And its popularity also makes it a juicy target for hackers motivated by money and notoriety.
Major vulnerabilities like the Duplicator hack I mentioned earlier affects hundreds of thousands of sites all at once. So keeping up with the latest updates is critical.
New Security Issues Constantly Being Discovered
Security researchers and the WordPress security team work tirelessly to identify vulnerabilities before hackers do.
Whenever new threats are uncovered, WordPress quickly rolls out security patches. Having automatic background updates enabled ensures you receive these fixes promptly.
Responsible disclosure of vulnerabilities by white hat hackers helps improve overall WordPress security. The faster issues can be reported and addressed the better.
Back Up Your Site Before Making Updates
Based on my experience managing client sites over the years, I strongly recommend backing up your site before running any major updates.
While rare, I have seen instances where a flawed update caused compatibility issues or broke site functionality. It‘s better to be safe than sorry!
Here are a few options I rely on for comprehensive WordPress backups:
Managed WordPress Hosting
Hosting services like WP Engine and Kinsta include integrated site backups with one-click restore built-in. This covers you if any updates go bad.
| Host | Backups Included |
|---|---|
| WP Engine | Evercache Infrastructure, Clone Staging Sites |
| Kinsta | Snapshots, Staging Sites, Clone |
Premium Backup Plugins
Plugins like UpdraftPlus, BackWPup, and VaultPress give you granular control over WordPress backups.
I recommend configuring them to do automated daily or weekly backups to cloud storage. Some even have free options.
WP-CLI
You can use WP-CLI commands like wp db export to manually export the database before running updates.
I utilize WP-CLI often for updates and WordPress management. It‘s a powerful tool for WordPress pros.
How to Check for and Install WordPress Security Updates
Now let‘s dive into how to actually check for and install available security updates for WordPress core, plugins, and themes.
There are a few different ways to approach this:
1. WordPress Dashboard Updates Page
The built-in updates page provides an easy way to view and install available updates:
- Log into your WP dashboard and go to Updates > Overview
- Review updates for WP core, plugins, and themes
- Select updates to install and click Update Now
Let‘s look at best practices for approaching each update type:
WordPress Core Updates
These contain security fixes, new features, and improvements. Major versions (e.g 5.0, 5.2) often take longer to install and should be tested first.
Minor versions (e.g. 5.0.1) usually just contain bug and security patches. These are safe to enable for automatic background updating.
WordPress Plugin Updates
I recommend testing plugin updates on a staging site first before updating on production. Incompatible updates can sometimes break functionality.
You can also use auto-updater plugins to automate the process safely in the background.
WordPress Theme Updates
Themes frequently need security updates too. However, updating them can overwrite customizations.
To avoid losing theme settings, I have tips on updating WordPress themes the right way. Using child themes is ideal.
2. Alternative Update Methods
Beyond the dashboard, some other ways to update WordPress include:
- WP-CLI – Powerful command line tool for WordPress management like running updates.
- Auto-updater plugins – Enable automatic background updates for core, plugins, and themes.
- Managed WP hosts – Some hosts offer auto-update options in cPanel to maintain security.
- WordPress mobile apps – Receive notifications about pending updates.
I utilize a combination of these methods to keep my sites updated. WP-CLI and auto-updaters are great for automating updates across multiple sites.
3. WordPress Hardening After Updates
After updating, it‘s also important to harden your site against attacks. Here are a few quick tips:
- Install a security plugin like Wordfence or iThemes Security.
- Limit login attempts to prevent brute force attacks.
- Disable file editing and use SFTP for uploads.
- Modify user permissions to enhance security.
- Use 25 character randomized passwords for all accounts.
Weighing Risks and Benefits of Auto-Updates
Due to the vital importance of promptly installing security updates, I generally recommend enabling automatic background updates where possible.
However, there are also some caveats to keep in mind:
Benefits
- Critical security fixes applied immediately
- Ensure sites don‘t fall severely out of date
- Convenience of not manually updating everything
- Some hosts carefully test updates before applying them
Potential Risks
- Small chance of compatibility issues or site problems
- Loss of control over change management process
- Can‘t test updates on a staging site first
- Major updates may cause temporary downtime
So there are pros and cons to weigh. I suggest managed WordPress hosts that thoroughly vet automatic updates if going that route.
Conclusion
I hope this guide gave you a comprehensive overview of best practices I‘ve learned for handling WordPress security updates over the years.
Please feel free to reach out if you have any other questions! I‘m always happy to help site owners secure their WordPress sites.
