Updates are a hassle.
They interrupt our workflows. They pop up in our notifications over and over. Sometimes they change your system settings or even cause compatibility problems with other tools and applications. And, worst of all, they automatically restart your computer while you’re streaming the series finale of Breaking Bad. At least, for me they did.
Despite these annoyances, deep down I know that updates are important. And if your website is built with WordPress, updates are a part of life — it updates a lot.
Among the most important of these updates are those which tackle their security problems: WordPress is by far the most hacked CMS, and 44% of successful attacks on WordPress websites were because of an outdated WordPress core.
Ensuring WordPress security updates are installed as soon as possible is a cornerstone of keeping WordPress safe. Every WordPress site administrator needs to understand and apply them. In this article, I’ll discuss what makes up a security update in WordPress, how to prepare for these updates, and how to install them.
WordPress Security Updates
WordPress security updates fix bugs that can be exploited to gain unauthorized access to a website’s backend or user information. WordPress releases multiple security-related updates every year. In 2019, there were four. Let’s review a few recent fixes to understand what’s in a WordPress security update.
WordPress 5.4.1 (April 2020)
The latest security update contains fixes to seven security issues. Most of these repairs address cross-site scripting (XSS) opportunities. XSS occurs when hackers place harmful code into a website’s files, which run within those files to cause damage.
Specifically, 5.4.1 fixes XSS vulnerabilities with the WordPress Customizer, file uploading, information fetched from website databases, and blocks (specifically the search block). This update also patches vulnerabilities that potentially allowed password reset links and private posts to be seen by attackers.
See Wordfence’s report for a more technical review of these problems.
WordPress 5.3.1 (December 2019)
This update contained many general improvements to WordPress core, including security fixes that solved issues with creating unauthorized sticky posts through WordPress’ REST API, and two potential XSS opportunities in the WordPress block editor and through “well-crafted links.”
WordPress 5.2.4 (October 2019)
WordPress 5.2.4 featured patches for 2 XSS opportunities in the WordPress Customizer and HTML styling tags, as well as issues involving administrator authentication and private posts being viewable.
You can view the full history of WordPress security updates in their security category archive.
As far as we know, most of these vulnerabilities can only be exploited in very specific scenarios. Even so, attackers are constantly hunting for these opportunities, and it’s always possible they’ll find simpler methods of exploiting these bugs in the future.
How to Prepare for WordPress Security Updates
Before installing a WordPress security update (or any WordPress update), here are some other actions you can take to keep your website in good shape.
Check for Security Updates Regularly
It’s a good idea to routinely ensure that your WordPress core, plugins, and theme are all updated to their latest versions. To verify this, log into your account, then select Dashboard > Updates in the left panel. If there are updates available, you’ll see a round notification icon on the Updates button.
The updates page tells you which updates, if any, are ready to be installed, and the last time WordPress automatically checked for an update. To manually check, click Check Again.
Keep Your Plugins and Themes Updated
Chances are you’ve augmented your WordPress setup with multiple plugins and a tasteful theme. Perhaps you’ve even installed one or more WordPress security plugins to harden your site.
When updating WordPress core, it’s very important to make sure your theme and all plugins are compatible with the latest version of WordPress. If not, this could disrupt your site’s functionality and expose you to potential attacks: According to WPScan, 52% of successful WordPress hacks are from plugins, and 11% are from themes.
If you’ve chosen high-quality plugins with maintenance and customer support, updating them shouldn’t be a problem. Simply install plugin updates when they become available. If a plugin hasn’t been updated by its developers for a while, consider alternative options that are kept up to date. This will keep you safe now and down the line.
Similarly, keep your theme updated to prevent vulnerabilities. You can check this on the updates page under Dashboard > Updates. Again, if your theme hasn’t been updated in a long time, consider changing it for another.
Strengthen Your Security In Other Ways
Between updates, you can secure your site in other ways. These include:
- Securing your login: Your login page is the front door to your CMS, so keep it locked with strong passwords. It doesn’t matter what version of WordPress you have if an attacker can guess your login credentials in 0.005 seconds.
- Conducting regular security scans: Using a reputable plugin to scan your website for malware and other attacks is crucial to keeping you and your visitors safe.
- Backing up your site: Keeping a backup will limit data loss if an attack occurs or if an update goes wrong. Many security plugins offer file backup.
- Use secure WordPress hosting: Choose a reputable hosting service that prioritizes storing your information safely.
How to Install a WordPress Security Update
There are two ways to install a security update in WordPress: automatically or manually.
The easiest way to install security updates is having WordPress do them for you. The majority of security updates are considered minor releases by WordPress, meaning your site will update automatically if enabled.
Most of the time, automatic updates to WordPress core are a safe option and won’t cause functionality problems on your website, as long as you also have the latest versions of your plugins and theme installed.
To configure automatic updates yourself, follow WordPress’ instructions on their website.
Automatic updates are helpful, but more major updates do need to be installed since they are more likely to cause compatibility issues with plugins and themes. You might also prefer to install all updates yourself.
Installing security updates yourself is quick and easy from the dashboard. Log into your account and choose Dashboard > Updates. If an update is ready, click Update Now. Wait a few seconds, and you’ll be set with the latest version.
Nine times out of 10, this one-click option works. If your WordPress setup is very customized, a manual installation might be necessary to avoid compatibility problems. To manually install a new update, follow the instructions on WordPress’ website.
After updating WordPress core yourself, check that all your plugins and your theme still work as they should. If you use well-maintained plugins and themes and update them routinely, this will most likely not be an issue.
Beyond Security Updates
There’s really no excuse for an outdated WordPress site. The inconvenience of updating your systems is a small price for protection and peace-of-mind.
However, updating your WordPress core, themes, and plugins are only one piece of the security puzzle. An important piece for sure, but there’s certainly more to be done. For a comprehensive list of steps to protect your WordPress site by minimizing security risks and vulnerabilities, see our Ultimate WordPress Security Checklist.