Welcome to the second installment of our series all about WordPress security for developers.
Last time, we talked about everything related to installation – how to do it, how to make sure it’s secure and how to avoid some common pitfalls.
This week, we’re going to discuss the importance of updates and why keeping everything related to your WordPress installation up to date might just be the single most important thing you do to protect your site.
In case you want to jump around to read a different part of this series, here’s a handy link list to point you in the right direction:
- Part 1: Installation
Part 2: Updates
- Part 3: Management & Logins
- Part 4: Security & Backup Plugins
- Part 5: Roundup
The question should really be, “Why not?” After all, WordPress rolls out updates for a reason. These updates include vital fixes, patches and security repairs. If there’s a leak in the plumbing, patches make sure everything is shipshape.
Ken Westin, a security analyst with Tripwire, Inc. explains. “WordPress Core and patch updates are important for the very same reasons OS and other software patches are important,” he says, “New vulnerabilities are always discovered either by the development team, users or third parties who actively look for bugs in the application.” When issues are found, patches are created to fix those problems and, “make the application more secure,” Westin says.
Types of Updates
Before I continue, I think it’s important to spend a moment on defining the different types of updates WordPress offers and what each of them means.
In a recent blog post, Tony Perez, founder of Sucuri, notes that there are three distinct types of updates: security, patch and major releases.
Security updates are exactly what they sound like. They roll out quickly and offer just a few fixes to repair vulnerabilities that have been recently discovered. These updates are usually of the Version 3.1.2 variety and pose little risk to breaking your site. I mean, it could happen but it’s highly unlikely, especially since no new features are included here.
Patch updates are a bit bigger. They don’t include new features either, but they do update the system and usually include some security updates, too. These tend to be more predictable, according to Perez and are often released on a set schedule. We’re talking Version 3.2.
Last but not least are the major releases. This is the transition from Version 3.9 to 4.0. It’s major in every way and many of the features being discussed over at the Make WordPress Core blog wind up rolled into these updates. They get the most press because they change the WordPress game and introduce new features we all can get excited about. However, major releases are also the kinds of updates that make site owners trepidatious, notes Perez in a blog post. These are the site-breaking kind of updates, so many site owners are wary about updating as soon as they are released.
Of course, this shouldn’t be a problem if you have appropriate backups in place, but I digress.
A Failure to Update Means Greater Vulnerability
As I’ve already mentioned, failing to update your WordPress installation and any plugins or themes you have installed puts you at a greater security risk. What you may not understand is why.
“Once a patch is made available, the risk to users that don’t patch actually increases because attackers with malicious intent review the patched code and identify the vulnerabilities and find ways to exploit those weaknesses,” says Westin. “They specifically use this information to target installations that have not been patched.”
He also notes that there is only a “small window of time” between the moment the patch and its notes are released and the moment hackers start making use of these newly discovered vulnerabilities. “This is the time frame users need to take advantage of the patch,” he says. Waiting just leaves you open to the very real risk of being hacked.
The same can be said of plugins and themes. Though not a part of Core, these add-ons can create additional vulnerabilities. Poorly coded plugins pose a risk in general, but even high-quality ones can leave you open to hackers if not updated. “Plugins and themes increase the attack surface of a WordPress installation, even if the plugin is not being used,” says Westin. “If the code exists, these can be used as a ‘backdoor’ into the system,” he says.
That’s why it’s so important to only install plugins and themes you actually intend on using. Delete everything else. Then install updates for plugins and themes as soon as they become available. “WordPress has been doing a better job of reducing the risks that third party themes and plugins pose, but the danger still exists,” Westin warns.
WordPress Update Management
One of the best ways to make sure you always keep your WordPress site up to date is to make it just another part of your routine. “If you aren’t technical you should choose to host your instance with a provider that will automatically update WordPress when patches are available,” Westin says, adding, “You should also regularly check for updates for plugins and themes and add this to your publication calendar.” You can even add reminders to your calendar to check for updates on a regular basis.
Beyond creating a schedule, keeping tabs on what to update when can feel like a constant scramble. Tony Perez offers several solutions for keeping track of all of these updates that don’t require your daily input. That’s got to be a relief to developers; anything that can be removed from your daily task list is a must-know!
Ever since WordPress 3.7, the platform has offered automatic updates. When enabled, this means your Core installation will update on its own after a set period of time with no input from you. Of course, the same can’t be said for plugins and themes. You still have to tackle those yourself, dammit.
A maintenance service is actually one of the best ways to stay on top of every single security update. Our own ManageWP is a great choice, of course. With it, you can automatically schedule backups, updates and enable site monitoring that will allow you to check for malware, restrict access by IP address and even setup two-factor authentication (which we’ll talk about more in-depth in a later installment).
Basically, you might find it to be a worthwhile investment to use a utility like this since it automates much of the process. And if you’re making a living as a developer, that means you’re building and managing several sites. Automation is your friend, here.
WordPress updates are important. Like, really important. And it’s in your best interest to do everything in your power to keep your site current. If not, you expose the sites you’re managing to hackers and you run the risk of gaining a reputation as a careless coder. Diligence is key here. Without it, you’re up a creek.
Well, that about covers it for the second installment of our series all about WordPress security. I hope you’ve found it helpful. And be sure to check back next week for the third post, which covers site management and logins.
In the meantime, as always, I’d love to hear your thoughts. How do you manage updates? Did I miss a tool or technique you can’t live without? Feel free to share that info with our community in the comments!