Do you need to take WordPress and Plugin updates?
Do you need to take WordPress and Plugin updates? YES. Now, many updates are just recommended and if you don’t take them, your site isn’t going to crash or get hacked, but a lot of the updates are for the purpose of patching security vulnerabilities. For example, the FBI just announced that ISIS has been hijacking WordPress sites and using them to spread their message: https://nakedsecurity.sophos.com/2015/04/08/fbi-warns-wordpress-users-of-isis-threat-patch-and-update-now/
Also, Sucuri, a company that specializes in website security, just announced yesterday that cross-site scripting vulnerabilities have been found in several major WordPress plugins: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
And WordPress itself announced that they have released a new version to fix any cross-site scripting issues that they may have had: https://wordpress.org/news/2015/04/wordpress-4-1-2/ In fact, here is a quote directly from their site, “This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.”
So, what should you do if you are concerned about this? Well, if you are one of my clients, nothing, because I have your back. I subscribe to these sites and get the alerts as soon as they come out. I then check my sites and make sure that they are up to date and have all the required security patches…
If you are hosting your own site (outside of managed hosting; most, if not all, managed hosting companies take care of all this as well), you should do the following things:
- Make sure that your site(s) are up to date with the latest WordPress framework and that all plugins are updated as well.
- If you are not using a plugin, then you should delete it. Don’t just deactivate it, go ahead and delete it.
- Make sure that all of your themes are up to date, even themes that are not active. I would even recommend that you delete any themes that you don’t need or have no reason to keep.
- Back up your site regularly. I use UpdraftPlus and I have backups made regularly that get uploaded to dropbox.com.
- Harden your site. Create strong passwords, use plugins like ‘Limit Login Attempts’ and ‘Two Step Authentication’… Never use ‘Admin’ for your username…
- And if you are really concerned, you can implement iThemes Security, which will do things like hide your login page and much, much more.
- Also, hosting is important: the cheaper the hosting, the more concerned I would be. Make sure you host with a trustworthy hosting company, and if you are willing to pay the price, Managed Hosting such as WPEngine will do all the things needed for you, i.e., they will take backups, make sure all plugins, themes, and WordPress are up to date, and enforce security measures like strong passwords…
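One way to check the update, delete and username items of this list on a self-hosted site is to export the inventory with WP-CLI (`wp plugin list --format=json`, `wp theme list --format=json`) and audit it. The script below is an added example, not something from the original post; the `audit` function name is hypothetical and all sample plugin names, theme names, versions and usernames are constructed.

```python
import json

# Constructed sample inventories, shaped like `wp plugin list --format=json`
# and `wp theme list --format=json` output. Names and versions are made up.
SAMPLE_PLUGINS = json.dumps([
    {"name": "example-backup", "status": "active", "update": "none", "version": "1.4.0"},
    {"name": "example-slider", "status": "active", "update": "available", "version": "2.1.3"},
    {"name": "example-forms", "status": "inactive", "update": "available", "version": "0.9.1"},
    {"name": "example-cache", "status": "must-use", "update": "none", "version": "3.0.0"},
])
SAMPLE_THEMES = json.dumps([
    {"name": "example-child", "status": "active", "update": "none", "version": "1.0"},
    {"name": "example-parent", "status": "parent", "update": "available", "version": "2.2"},
    {"name": "example-old", "status": "inactive", "update": "none", "version": "1.1"},
])
SAMPLE_LOGINS = ["Admin", "jane.editor"]  # constructed usernames


def audit(plugins_json, themes_json, logins):
    """Return checklist findings: what to update, delete, or rename."""
    findings = {"update": [], "delete": [], "rename": []}
    for kind, raw in (("plugin", plugins_json), ("theme", themes_json)):
        for item in json.loads(raw):
            label = f"{kind}:{item['name']}"
            # Pending updates matter even for inactive items: their files
            # remain on the server until they are deleted.
            if item.get("update") == "available":
                findings["update"].append(label)
            # Only plain "inactive" is a delete candidate. A theme with status
            # "parent" is required by the active child theme; must-use and
            # drop-in plugins are loaded without being activated.
            if item.get("status") == "inactive":
                findings["delete"].append(label)
    # The checklist says never to use 'Admin' as a username.
    findings["rename"] = [u for u in logins if u.lower() == "admin"]
    return findings


if __name__ == "__main__":
    for action, items in audit(SAMPLE_PLUGINS, SAMPLE_THEMES, SAMPLE_LOGINS).items():
        print(f"{action}: {', '.join(items) or 'nothing'}")
```

Note that the inactive parent theme is reported for updating but not for deletion, since removing it would break the active child theme.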
So, make sure your website is safe and if you have any questions, feel free to drop me an email…