WordPress is massive. As of November 1, 2017, WordPress can be found on over 59% of websites running a Content Management System (CMS). It is no surprise then that the open-source platform is often one of the first targets when websites come under attack. Vulnerabilities in a platform like WordPress would present attackers with a smorgasbord of potential targets. The best way to deal with this risk is to ensure that you apply available WordPress updates.
What does this mean?
When it comes to updates, WordPress has 3 main areas to consider: themes, plugins, and the Core.
Your themes are the visual aspects and styles of your site. Usually, themes coming from the WordPress repository – or themes that you buy from sites like Envato – will have periodic WordPress updates to fix bugs, patch vulnerabilities, and include new features. One thing to be wary of when updating themes is whether you have made any customisations. If you modify a downloaded theme to suit your needs and then download an update, you will lose your changes. Because of this, you should make a child theme if you are planning on making any changes. More details on that in another article.
Plugin updates are important too. Plugins add functionality to your site, and as such they often integrate pretty tightly with the WordPress Core. Because of this, a compromised plugin can be very dangerous; a recent example is Fireclick, a plugin which redirected visitors of Equifax’s website to malware. Sadly, it isn’t as simple as just applying updates as they come. Recently, a popular plugin called Display Widgets was compromised and shipped malicious code that published spam on affected sites. This happened as the result of the plugin’s ownership being sold to a new entity. The new owner used the update feature to deploy the malicious code. Basically, updates are important for the protection of your site, but you must be aware of the potential risk as well.
Core updates are probably the most important of the bunch. The WordPress development team releases these updates to address security issues and bugs in the platform itself. It is advisable to apply these updates when they are available, since they usually fix a problem which you are better off not having.
Whenever you are applying updates, it is a good idea to take a backup of your site and database beforehand. Unfortunately, updates can occasionally break things if they change code which something else relied on to function correctly. This can also be the case if you modify a theme directly instead of using a child theme as mentioned above.
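The backup-then-update order described above can be scripted. The following is an added example, not part of the original article; it assumes WP-CLI is installed as `wp`, and the site and backup paths passed to it are placeholders for your own.

```sh
#!/bin/sh
# Back up a WordPress site and its database, then apply Core, plugin and
# theme updates with WP-CLI. Assumptions (not from the article): WP-CLI is
# on PATH as `wp`; both paths are supplied by the operator.
# Keep the backup directory OUTSIDE the web root so the database dump is
# never downloadable from the site itself.
set -eu

backup_site() {
    # $1 = WordPress root, $2 = backup directory. Prints the backup stamp.
    bs_stamp="$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$2"
    # Database first, then files (themes, plugins, uploads, wp-config.php).
    wp --path="$1" db export "$2/db-$bs_stamp.sql" >&2 || return 1
    tar -czf "$2/files-$bs_stamp.tar.gz" -C "$1" . || return 1
    # Refuse to continue if either artefact is missing or empty.
    [ -s "$2/db-$bs_stamp.sql" ] && [ -s "$2/files-$bs_stamp.tar.gz" ] || return 1
    echo "$bs_stamp"
}

update_site() {
    # $1 = WordPress root, $2 = backup directory.
    us_stamp="$(backup_site "$1" "$2")" || {
        echo "backup failed; no updates applied" >&2
        return 1
    }
    echo "backup $us_stamp written to $2" >&2
    # Stop at the first failing step so a broken update is noticed
    # while the fresh backup is still the latest one.
    wp --path="$1" core update &&
    wp --path="$1" core update-db &&
    wp --path="$1" plugin update --all &&
    wp --path="$1" theme update --all
}

# Usage: ./wp-update.sh /path/to/wordpress /path/to/backups
if [ "$#" -eq 2 ]; then
    update_site "$1" "$2"
fi
```

Because the script stops when the backup step fails, a site is never updated without a restorable copy of both files and database from just before the change.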