
7th May 2016

As of version 3.7, WordPress ships with automatic maintenance and security updates. That means if you have a live WordPress site on the web and a new maintenance and security update comes out, let’s say 3.9.2, then your WordPress site should automatically update to this new version. This is part of the process of making WordPress more secure, and it also reduces the amount of time you need to spend maintaining your WordPress site. This automatic update only applies to maintenance and security releases, meaning the releases that have numbers like 3.9.1 or 3.9.2.

For full version releases like 3.8, or 3.9, you still have to do a manual update, simply because the new full releases have large scale changes to functionality or to the core code, and you need to know what’s going on before you make these updates. That said, any time a new version of WordPress comes out, it is always a good idea to update right away. That goes both for WordPress core, and also for all plugins and all themes you have installed. So let me show you how all this fits together.

Like I said, most of the time these updates should happen automatically on your site. But in some cases, for many different reasons, they might not. So a good rule of thumb when you run a WordPress site is to always make sure you’re up to date, and it’s really easy to do so. If you’re logged into your WordPress site, the first thing you’ll notice is that at the top, in the WordPress toolbar, there’s a recycle-like icon with a number next to it. That tells me there’s currently something on my site that’s not up to date; in this case some plugins and themes need to be updated.

Anytime you see this icon you should always go and update whatever needs to be updated. You’ll also notice that in addition to this warning up here, I’m also being told that WordPress 4.5.1 is available, and I should update right now. That’s because I disabled automatic version updates on my installation, just to show you how this works. So, if for some reason the automatic updates don’t work, you’re still going to be notified that something is off and that you need to update. And just looking at the screen, you can see there are several different indicators.

Up at the top here, the recycle icon says 5, because we have WordPress itself, 2 plugin updates and 2 theme updates. So if I click on the recycle-like icon, it will take us to the WordPress Updates screen, where it breaks it down for us. In my case, I first need to update WordPress itself, so I’m simply going to click on Update Now.

WordPress will be quickly downloaded and installed, and I immediately get information about what this release is, in this case it’s a maintenance release, and I can go look at the release notes. And now that I’ve updated WordPress, I can go back to updates again, and just check all the plugins that need to be updated, and click on update to get the new versions of the plugins as well. Updating WordPress, and updating plugins and themes is really simple, and can be done from inside the WordPress admin panel.
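The same check can be run unattended, so a site whose background updater has stopped working is noticed without anyone logging in. This is an added example, not part of the original post; it assumes WP-CLI (`wp`) is installed, and `branch` and `update_report` are names made up for the example.

```bash
#!/usr/bin/env bash
# Added example. Assumes WP-CLI ("wp") is installed and this runs from the
# WordPress root. branch() and update_report() are names made up here.

# "Branch" of a version = its first two components: 4.5.1 -> 4.5
branch() { echo "$1" | cut -d. -f1,2; }

# Prints one summary line and returns 1 if anything is pending, so a cron
# job can alert on a non-zero exit status.
update_report() {
    local installed avail v minor=0 major=0 plugins themes total
    installed="$(wp core version)"
    # Keep only lines that look like versions; drops any status message.
    avail="$(wp core check-update --field=version | grep -E '^[0-9]+\.[0-9]+' || true)"
    for v in $avail; do
        if [ "$(branch "$v")" = "$(branch "$installed")" ]; then
            minor=1   # maintenance release the background updater missed
        else
            major=1   # full release: a manual update is expected
        fi
    done
    plugins="$(wp plugin list --update=available --field=name | grep -c . || true)"
    themes="$(wp theme list --update=available --field=name | grep -c . || true)"
    # Core counts once, like the toolbar number described above.
    total=$(( (minor | major) + plugins + themes ))
    echo "core_minor=$minor core_major=$major plugins=$plugins themes=$themes total=$total"
    [ "$total" -eq 0 ]
}
```

A `core_minor=1` result is the one to investigate first: it means a maintenance or security release is available on the installed branch and was not applied automatically.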

That said, some people have an aversion to updating because they’ve had the experience of updating maybe a version number, or updating a plugin and theme, and then discover that the site goes down in the process. Something goes horribly wrong. If you’re one of those people, here’s a hard truth. If you’re updating your site and it crashes, it is almost a guarantee that this is because you have a theme that has some broken code in it, or more likely that you have a plugin with some broken code in it. WordPress itself is almost impossible to crash.

So if you’re not updating your WordPress site because you experience a lot of crashes, you need to reconsider either the theme you’re using or the plugins you’re using. And it’s really easy to figure out exactly what’s going wrong. If you have that experience, anytime you update WordPress itself and something goes wrong with the site, here’s what you do. First, go to Appearance and Themes. And activate one of the default themes, be that 2014, or 2015, or 2016. Any of the default themes should work just fine.

Next, go to Plugins, and deactivate all of your plugins. Simply check the box above all the plugins, go to bulk edit and just deactivate everything. Now update WordPress and see that everything works fine. If that’s the case, then go back and reactivate one plugin at a time to see if something goes wrong. If there’s a conflict in a plugin after you’ve updated WordPress, WordPress will tell you that; it won’t crash. Then, if all your plugins work fine, go back to your themes, and try to activate the theme that you were using.

If that takes your site down, you now know the culprit is the theme, not WordPress itself. I cannot stress this enough: keeping WordPress, your plugins and your themes up to date is what’s going to make your site secure. It’s the same with all your other applications; it’s just that those applications update automatically, so you don’t see it happen. In the case of WordPress, you still have to do some manual updates, although I can see a time in the future where that’s no longer the case. But until then, keep an eye on the Dashboard Updates tab, and make sure you never see a number there, and when you do, update everything immediately.
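The isolation procedure described above (default theme, all plugins off, update, then re-enable one item at a time) can be scripted. This is an added example, not part of the original post; it assumes WP-CLI (`wp`) and `curl` are installed, and `SITE_URL`, `site_ok` and `find_culprit` are names made up for the example.

```bash
#!/usr/bin/env bash
# Added example. Assumes WP-CLI ("wp") and curl are installed and this runs
# from the WordPress root. SITE_URL is a placeholder, not a real site.
SITE_URL="${SITE_URL:-https://example.test/}"

# Healthy = the front page answers HTTP 200 (a fatal PHP error gives 500).
site_ok() {
    [ "$(curl -s -o /dev/null -w '%{http_code}' "$SITE_URL")" = "200" ]
}

# Prints the first item whose activation breaks the site.
# Returns 0 if a culprit was found, 1 if everything came back clean,
# 2 if the site is broken even with a default theme and no plugins.
find_culprit() {
    local default_theme="${1:-twentysixteen}" old_theme plugins p
    old_theme="$(wp theme list --status=active --field=name)"
    plugins="$(wp plugin list --status=active --field=name)"

    wp theme activate "$default_theme" >/dev/null
    wp plugin deactivate --all >/dev/null
    wp core update >/dev/null
    if ! site_ok; then echo "core"; return 2; fi

    # Reactivate the previously active plugins one at a time.
    for p in $plugins; do
        wp plugin activate "$p" >/dev/null
        if ! site_ok; then
            wp plugin deactivate "$p" >/dev/null   # leave the site working
            echo "plugin:$p"; return 0
        fi
    done

    # Plugins are clean, so try the original theme last.
    wp theme activate "$old_theme" >/dev/null
    if ! site_ok; then
        wp theme activate "$default_theme" >/dev/null
        echo "theme:$old_theme"; return 0
    fi
    return 1
}
```

Run it on a staging copy with a current backup, since it changes the active theme and plugin state while it works.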

Part 2 of the WordPress Security Best Practices series:
Part 1 : Is WordPress Secure?
Part 2 : Keeping WordPress up to date
Part 3 : WordPress Backups and Logins
Part 4 : Limit WordPress admin access
