Why Keeping Your Themes & Plugins Up To Date Is Vital To Your WordPress Blog’s Success

Hackers: training starts early in the modern age.

We all recognize WordPress as a wonderful blogging platform that enables anyone, almost completely regardless of technical ability, to publish their words to the Internet. And I’m sure we can all agree that we do not want our blogs to be compromised by an unscrupulous hacker.

Or to put it more plainly, you don’t want to type in one of your blog’s URLs tomorrow and be presented with a spammy “You Are A Winner!” message, or a redirect to a completely unknown website. If you want your blogs to be successful, such an outcome can be potentially disastrous.

If you don’t keep all of your themes and plugins up to date, you are drastically increasing the chances of someone using your blog for their own devious purposes. I don’t have to rely upon anecdotal evidence to back up this assertion, because there are two recent stories that prove my point effectively.

TimThumb

Although TimThumb sounds delightfully innocent, the script was at the center of a huge security breach that exposed over a million WordPress sites to the risk of compromise.

TimThumb is a simple photo-resizing utility that is used by a huge number of plugin developers. I will skim over the technical details, but in layman’s terms, the script’s vulnerability allowed any resourceful hacker to insert code into, and therefore wrest control of, any WordPress site that utilized the script, which in practice meant any site that included the TimThumb script in any active or inactive theme or plugin.

WordPress.org Hack

In June of this year three popular WordPress plugins (AddThis, W3 Total Cache, and WPtouch) were edited in the official WordPress plugin repository. Edited by an unauthorized party, I should add.

The code added to the plugins acted as a backdoor to any blog that they were installed on. In much the same way as the TimThumb incident, a hacker could potentially use the backdoor to wreak havoc on your blog.

Updates Are The Solution

It is clear that we cannot prevent plugins from being hacked, and we may well inadvertently install “vulnerable” code on our sites in the future. Those are unfortunate facts. However, all we need to do to limit our exposure to risk is rely upon the extremely quick actions of the WordPress community and ensure that we subsequently do our bit.

In both incidents reported above, the response from the WordPress community was quick and efficient, and the threats were eliminated within a very short time. The real problem was that many people simply did not update their themes and plugins, so their sites remained vulnerable long after a fix was available.

Because many people have multiple WordPress blogs, it takes them an age to manually log in to each dashboard and run through the updates. The chore can be discouraging enough that it simply never gets done.

Fortunately, that is where ManageWP comes in. Because you can handle all of your themes and plugins from one central dashboard, all of those updates can be managed with literally the click of a button. As such, you can keep your blog portfolio far more secure, and greatly reduce the risk of a compromise that could severely affect the popularity or trustworthiness of your blogs.
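For anyone who prefers to do their bit from the command line, here is an added example script (not code from the original post or from ManageWP) that uses WP-CLI, the command-line tool for WordPress, to report pending plugin and theme updates and any inactive plugins for each of several sites, and optionally applies the updates. It assumes WP-CLI is installed as `wp`, that the site paths listed (constructed placeholders) are WordPress roots readable by the user running the script, and that `wp plugin list` / `wp theme list` emit CSV with the columns name,status,update,version. The two helper functions read that CSV from standard input so they can be checked without a live WordPress install.

```shell
#!/bin/sh
# Added example (not from the original post or ManageWP): audit several
# WordPress installs for pending theme/plugin updates and for inactive
# plugins using WP-CLI, then optionally apply the updates.
# Assumptions: WP-CLI is installed as `wp`; every path in SITES is a
# WordPress root readable by the current user (paths are constructed
# placeholders); `wp ... list --format=csv` columns are
# name,status,update,version.

# Constructed list of site document roots, one per line.
SITES="/var/www/blog-one
/var/www/blog-two"

# Reduce `wp plugin list --format=csv` / `wp theme list --format=csv`
# output to the names of items that have an update available.
# Reads stdin so it can be tested without a live site.
names_with_update() {
    awk -F, 'NR > 1 && $3 == "available" { print $1 }'
}

# Same CSV shape: names of plugins that are installed but inactive.
# Inactive code still carries its vulnerabilities (TimThumb in an inactive
# theme was still exploitable), so it should be removed, not kept around.
inactive_names() {
    awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Print a report for one site; return 1 if anything needs attention.
audit_site() {
    site="$1"
    needs=0
    for kind in plugin theme; do
        pending=$(wp "$kind" list --format=csv --path="$site" | names_with_update)
        if [ -n "$pending" ]; then
            printf '%s: %s updates pending:\n%s\n' "$site" "$kind" "$pending"
            needs=1
        fi
    done
    unused=$(wp plugin list --format=csv --path="$site" | inactive_names)
    if [ -n "$unused" ]; then
        printf '%s: inactive plugins (consider removing):\n%s\n' "$site" "$unused"
        needs=1
    fi
    return $needs
}

# Apply every pending plugin and theme update for one site.
update_site() {
    site="$1"
    wp plugin update --all --path="$site"
    wp theme update --all --path="$site"
}

# Walk every site; pass "--apply" as the first argument to update as well.
audit_all() {
    apply="$1"
    echo "$SITES" | while IFS= read -r site; do
        [ -n "$site" ] || continue
        if ! audit_site "$site" && [ "$apply" = "--apply" ]; then
            update_site "$site"
        fi
    done
}

# Only touch real sites when WP-CLI is actually present on this machine.
if command -v wp >/dev/null 2>&1; then
    audit_all "$1"
fi
```

Run it as `sh audit-wp.sh` for a report only, or `sh audit-wp.sh --apply` to update everything that is behind; the inactive-plugin list is reported but never deleted automatically, since that is a decision the site owner should make deliberately.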

Creative commons image courtesy of Zakwitnij!pl Ejdzej & Iric

Tom Ewer

Tom Ewer is the founder of WordCandy.co. He has been a huge fan of WordPress since he first laid eyes on it, and has been writing educational and informative content for WordPress users since 2011. When he's not working, you're likely to find him outdoors somewhere – as far away from a screen as possible!

5 Comments

  1. ProSpirity

    LOL- Love the picture and scary how he looks like he already knows what he is doing!

    Your ManageWP app is just amazing, efficiency raised to the 10th power!

    1. ManageWP

      Thanks, great to hear that!

  2. Olaf Lederer

    People should remove unused plugins and themes as well. I test a lot of plugins and I never add “new” plugins where the last version is older than a year.

    1. tomewer

      Absolutely Olaf – great advice. The fewer opportunities there are for your site to be compromised, the better.

    2. miguel

      This is exactly what the “minimal disclosure” security policy entails in just about every web application. The less you disclose (i.e. plugins, themes, extras), the fewer potential security holes you leave behind. That’s also why I configure my server not to show the version of Apache it’s running; not even the fact it runs Apache appears at all.


Over 65,000 WordPress professionals are already using ManageWP

Add as many websites as you want for free, no credit card required. Sign up and start saving time!

Have questions? Get in touch!
