Keep WordPress, Plugins and Themes Up To Date. Period.
[This post is part of WordPress Security series.]
WordPress ships major and minor updates all the time. Typically a major update increments the version number by 0.1 and a minor update increments it by 0.001. Not updating WordPress is perhaps the most common mistake victims make! It is extremely important that you keep up with new versions; otherwise you are more than susceptible to hacking attacks. Here is the current version breakdown of all sites running WordPress:
According to this chart, 70.0% of WordPress-hosted sites are running version 4, which is the latest. 29.2% of websites are still stuck on version 3, which is sadly good news for hackers and script kiddies. To emphasize how big that opportunity is for hackers: that 29.2% must amount to over a couple of million sites!
All these sites are at stake. Why? Because they did not bother to keep their site updated.
Hackers Hack Older Versions Easily? How?
You see, WordPress is fortunately software that is run by its community of users. Sure, WordPress employs 229 people, but thousands of people work to improve the software willingly and voluntarily. This is the kind of power that commercial software lacks. There are always occasions when a user of the software discovers a bug, security flaw or vulnerability and reports it to the core developers.
Security is a never-ending battle between hackers and security specialists. There’s always one more bug or vulnerability that’s yet to be discovered and fixed. And since WordPress has millions of users, it has the benefit of being notified of vulnerabilities.
So when a security bug is discovered, it is reported to WordPress. They try to respond by closing that hole as soon as possible. Once it is resolved, they release a security update. Typically minor updates include bug and security fixes. Recently they released a fix for a critical cross-site scripting (XSS) vulnerability, which would have allowed commenters to compromise a site.
Jouko Pynnönen discovered this vulnerability and reported it to WordPress. Within a few hours of the report, a new update was on its way.
How to Update?
There are two ways to update your WordPress version.
Automatic Background Updates
In WordPress version 3.7, a new feature was introduced that updates the software automatically. By default, this functionality only automates minor updates; major updates must be handled manually. Major updates must be done by hand because they typically include big changes in the software's functionality, so the chances of incompatibility with plugins and themes are high. Such updates do break the site if a plugin or theme is incompatible.
This is why automating major updates is not a desirable option: if the site breaks, no one will be present to deactivate the offending plugins and get the site fixed. To promote better security and streamline maintenance, on the other hand, minor core updates were set to happen by default. That means that, by default, the CMS updates WordPress whenever a minor update is available.
Disable Automatic Updates
Since the idea of updating a site without the site owner's consent is controversial and morally questionable, WordPress also gives you a way to opt out of this default and disable auto-updates. To disable auto-updates, add the following line of code to your wp-config.php before X. But considering the number of security updates and the motive behind this default configuration, WordPress highly discourages you from disabling this feature.
define( 'WP_AUTO_UPDATE_CORE', false ); // disables all automatic core updates (minor as well as major)
Enable Major Updates (with great care!)
There is also a way to enable major core updates. You can do so by adding the following line of code to your wp-config.php file. But first a word of warning: major updates can be very annoying if the site breaks. Here is the line of code:
define( 'WP_AUTO_UPDATE_CORE', true ); // enables major as well as minor automatic core updates
Manual update
This is the normal way. You update WordPress by going to Dashboard > Updates and updating from there. If you have disabled automatic minor updates, then you should be checking frequently whether there is an update. And if you are fine with automatic minor updates (the default!), then you should still check the Updates section frequently for major updates.
What About Themes and Plugins?
Plugins and themes can be vulnerable too, as in the recent cases of vulnerabilities found in WordPress SEO and WordPress Analytics by Yoast: vulnerabilities were discovered in both plugins.
In early March of this year, WordPress rolled out a new feature called Active Installs. This feature gives insight into how popular a plugin is, and therefore how much potential risk it holds if it turns out to be vulnerable. Beyond this, you can also see which versions users are running. The WordPress SEO plugin's stats are as follows:
As per this chart, only 26% of websites are using the latest version of the plugin, whereas 74% are using older versions. Such insight is very helpful; it gives us a rough idea of how many sites will be at stake if this plugin turns out to be vulnerable (which it did, a while back).
In another case, only 34% of sites are using the latest version, whereas a total of 66% are using older versions. The plugin in question has 1+ million Active Installs. It's Akismet.
So it is clear from the above insights that a vast majority of WordPress plugins and themes (supposedly) are not updated. These plugins and themes can be highly destructive if they somehow become vulnerable; millions of websites are using outdated code. That is why WordPress gives us the ability to configure auto-updates for plugins and themes, although it is entirely up to users to enable, disable or configure them. But there is an exception: not all auto-updates are under the user's control. To patch certain vulnerabilities, WordPress auto-updates plugins in special cases, and these cases are determined by the WordPress.org API response.
I agree that not all outdated plugins are vulnerable to hacking attacks, but that does not necessarily make that argument strong. There is no immediate need to update such plugins, and WordPress does not interfere with them through auto-updates; it auto-updates only in certain security cases.
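The core settings from the Automatic Background Updates section and the per-plugin/per-theme control just described can be combined in one must-use plugin. The following is an added example written for this post, not code from the original article or from WordPress itself; the plugin and theme slugs in it are assumptions, and the sec_example_* function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Selective Auto-Updates (added example, not part of the original post)
 *
 * Save as wp-content/mu-plugins/selective-auto-updates.php. Must-use plugins load
 * on every request and cannot be deactivated from the dashboard, so this policy
 * survives even if a regular plugin is disabled while a broken site is repaired.
 */

// Core: keep minor/security releases automatic and leave major releases to a
// manual Dashboard > Updates pass. These filters cover the same decision as
// WP_AUTO_UPDATE_CORE but let each release type be chosen separately.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );
add_filter( 'allow_dev_auto_core_updates',   '__return_false' );

// Plugins and themes that should update themselves as soon as a release appears.
// The slugs below are assumptions for this example; replace them with the ones you run.
function sec_example_auto_update_plugins() {
    return array( 'akismet', 'wordpress-seo' );
}
function sec_example_auto_update_themes() {
    return array( 'twentyfifteen' );
}

// $item is the update object from the WordPress.org API: plugin items carry ->slug,
// theme items carry ->theme. Returning $update unchanged keeps WordPress.org's own
// forced security updates working for everything that is not on the list.
function sec_example_auto_update_plugin( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, sec_example_auto_update_plugins(), true ) ) {
        return true;
    }
    return $update;
}
add_filter( 'auto_update_plugin', 'sec_example_auto_update_plugin', 10, 2 );

function sec_example_auto_update_theme( $update, $item ) {
    if ( isset( $item->theme ) && in_array( $item->theme, sec_example_auto_update_themes(), true ) ) {
        return true;
    }
    return $update;
}
add_filter( 'auto_update_theme', 'sec_example_auto_update_theme', 10, 2 );
```

WordPress checks for updates through WP-Cron, so the policy takes effect on the next scheduled check rather than immediately; anything not on the lists still shows up under Dashboard > Updates for the manual pass.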
Conclusion
That's all! I like to think of keeping WordPress, plugins and themes up to date as one key step in avoiding hacking attacks, by a large margin!
To conclude, let’s reiterate: To