It seems that every day there’s a new story about someone’s site getting hacked. Typically, these stories are light on details about how exactly the site was compromised. What was the attack vector? Did it involve a rogue editor or author, or was it a brute force attack? Is there anything we as users could have done to stop it? Crucially, what do we do now that can prevent it from happening to us?
A study in 2016 by WordFence shows that the overwhelming number of attacks were through plugins. Specifically, outdated plugins were the biggest vector. Clearly there’s more to the story – did the attackers have access to the backend? How much of a risk is there if you’re a single-owner business?
Updating WordPress Conundrums
Over the years, WordPress has made it a lot easier for users to automatically update everything. There was a time when I had to manually click the “update” button for each WordPress plugin. If I had 10 plugins to update, it was painfully slow! Then there are themes that require updates, and of course, the WordPress core itself. Keeping up with all this was a pain and I came to dread even opening my admin section.
But then WordPress pushed out a new version that allowed us to update everything all at once – and it all happened without blocking the editor! So easy. WordPress 3.7 even let us download security and maintenance releases automatically.
In addition, most web hosting providers now
So What’s the Problem?
All this sounds great. However, the only updates I automatically install are those belonging to the WordPress core. On my hosting provider, I turn off automatic updates for themes and plugins. The reason? I don’t want my site to break.
Like it or not, most developers don’t spend enough time testing their code. WordPress, in general, does a fine job with its core updates thanks to its nightly builds and the huge base of developers willing to iron out kinks. Even then large updates like Gutenberg come with some bugs. Here’s one example of a very frustrating bug with Gutenberg with prevented the preview of a post from showing the updates in the presence of metaboxes.
Sites Value Continuity More than Anything
My site makes money. I want that money to keep flowing. As a result, I’m paranoid about anything that can break it. Updates to plugins developed by 3rd parties frequently have bugs that get ironed out over the next few days. The more popular plugins are of course fixed even faster.
My Golden Rule
I have a standardized rule – “Do NOT update a plugin unless the latest version has been out for at least 4 days.” This grace time period is personal preference. I feel it’s long enough for any page breaking bugs to be isolated and fixed.
What About Security?
Unfortunately, this does expose my site to some risk. I already follow whatever security best practices I can like renaming my login page, maintaining blacklists etc. But there’s no doubt that not updating plugins immediately carries a risk.
Which is why NameHero’s Patchman is so useful. It’s a server-side script that scans your WordPress websites for vulnerabilities and fixes them without necessarily updating your version number! It’s a great “in-between” solution for those who want to find a balance between reliability and security. In addition, Imunify360 on NameHero scans your sites and fixes them if they’re compromised.
These two free cPanel plugins from NameHero working together can keep your site safe while you take the time to ensure that your updated plugins won’t break your site. If you’re not on NameHero, then I suggest you find another tool that can warn you if something gets hacked and allows you to rollback your changes!
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!