Website security: What updates should you be making to your WordPress site — and how often?

Melissa Smith

Sr. Front-end Developer, 8+ Years of Web Development Expertise, 2x Recipient of IMPACT's Helpfulness Core Value Award

June 12th, 2020

A website isn’t something that you can just set and forget. Just like a house, it needs to be updated regularly in order to keep from falling apart. WordPress is the world’s leading content management system (CMS).

Indeed, 35% of the internet is powered by it.

WordPress is open-source and built by a community of developers. Because it is an open-source platform, however, anyone can study the code and look for holes to figure out how to hack into a website, which also makes it more susceptible to attack.

That means if you don’t update your site regularly, you are likely missing out on new features and improvements, risking your site not working properly, and compromising your website security.

That’s why hackers love websites that aren’t up-to-date.

So, what steps should you be taking to make sure your website is safe? And how often do you need to be checking to make sure your site is up to date?

Here’s what you need to know to keep your WordPress site in great shape.

Now, before we get started:

It is important to note that you don’t want to do any updates on your live website. Make the updates in a staging area and fully test your website there to make sure that everything is working fine. Then, once it is bug free, take your changes live.

Without further ado, here are four updates to do to make sure your WordPress website stays secure.

1. Update PHP version on your website’s server

PHP (an abbreviation for Hypertext Preprocessor) is one of the most common server-side coding languages that is used by many platforms, including WordPress.

PHP is not updated frequently, but when it is, it is important to update it on your site. Each PHP version is fully supported for two years, during which any bugs and security issues are fixed and patched. After three years, though, it is no longer supported.

Updating the PHP version for your website is all dependent on where your site is hosted.

If you are not sure how to update your PHP, reach out to your hosting company. They should be able to check that your site is on the most recent version, and help you update if it’s not.

If you host your website with WP Engine, a WordPress hosting company, their engineers thoroughly test the updates before they become available to customers. Once updates become available, you can change the PHP version in your WP Engine user portal by following these directions.

WP Engine provides three different environments (production, staging, development) so that you can work on your website behind the scenes and not touch your live website until you are ready to take your changes live. You can update the PHP version in all of them.

2. Update WordPress core installation

Just like any other software, whether on your computer or your phone, WordPress has upgrades (major releases) and updates (minor releases). These can be anything from small bug fixes to major new features or improvements.

Major upgrades usually happen two or three times a year and minor releases happen as needed. Depending on where your site is hosted, some hosting companies will automatically update your WordPress core.

WP Engine states,

“Our top priority is the stability, security, and functionality of your sites, and we want to give you time to test the new version against your current configuration. WP Engine does not update during the beta or immediately after the new update is released and all releases undergo some form of testing by our Security team. Once we have analyzed the update and made the needed adjustments to our platform, we will begin updating your sites automatically.”

If your hosting company doesn’t automatically update for you, you will see the notification in the backend of your site that there is an update available.

When updating your site you should proceed with caution. While minor updates shouldn’t cause issues, major updates could mean something bigger like new features added or old ones removed. WordPress development teams work hard to make sure that updates are backwards-compatible, but it is important that you test everything before taking it live.

You might have certain features on your site that are no longer supported. A plugin that you are using may no longer be compatible with the new version of WordPress.

You don’t want to risk your website being broken.

Here at IMPACT, before we start updating a site, we use the staging environment provided by WP Engine (our host and recommended host for clients) to update everything and fully test the site to ensure that it’s fully functioning and that the update didn’t cause any issues — and then we make a backup of the site before taking the updated site live.

If you aren’t on WP Engine and you have an IT team or a development team, work with them on getting an environment set up outside of your live site, if you don’t have one already.

3. Update themes

When the WordPress core gets updated, themes may need to be updated as well. A WordPress theme provides the front-end styling of your website. From time to time, the creators of the theme may release enhancements to make their product better. 

This is why it is extremely important that, when you are first building out your website, you set up what’s called a child theme, which inherits the functionality and styling of another theme, called the parent theme. Having this setup allows you to easily update your theme.

If you don’t have a child theme it becomes very difficult to update your site — and by not updating your theme you run the risk of making your site more vulnerable to attack.

4. Update plugins

Just like themes and WordPress core, you will want to update your plugins. Plugins can become outdated and have security issues, which would necessitate an update. Thus, it is important to make sure that your plugins are updated regularly.

[Screenshot: Your WordPress Backend > Plugins > Add New]

[Screenshot: WordPress Plugin Directory]

When choosing a plugin for your site, check how many installations it has and when the last update occurred. You don’t want a plugin that hasn’t been updated in a while.

We like to see a lot of installs and a frequent update history. You can see this information when installing the plugin from the backend of WordPress or from the plugins directory.
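The vetting criteria above (install count, last update, and compatibility with your WordPress version) can be checked in bulk. The following is an added example, not code from the article or from WordPress: the field names are modelled on the WordPress.org plugin directory's plugin information records, the sample records are constructed, and the thresholds and the core version `5.4.2` are assumptions, since the article gives no numbers.

```python
import json
from datetime import date, datetime

# Assumed thresholds: the article only says "a lot of installs" and
# "hasn't been updated in a while".
MIN_INSTALLS = 10_000
MAX_AGE_DAYS = 365

# Constructed sample records (slugs and values are invented).
SAMPLE_JSON = """
[
 {"slug": "example-forms", "active_installs": 500000,
  "last_updated": "2020-06-02 9:03am GMT", "tested": "5.4.1"},
 {"slug": "example-slider", "active_installs": 800,
  "last_updated": "2017-03-15 4:41pm GMT", "tested": "4.7.3"},
 {"slug": "example-seo", "active_installs": 60000,
  "last_updated": "2019-01-20 11:12am GMT", "tested": "5.0.3"}
]
"""

def major_minor(version):
    """'5.4.2' -> (5, 4). Minor releases are ignored for compatibility."""
    parts = [int(p) for p in version.split(".")[:2]]
    return tuple(parts + [0] * (2 - len(parts)))

def vet_plugin(info, today, core_version):
    """Return reasons to be wary of a plugin; an empty list means it looks healthy."""
    findings = []
    if info["active_installs"] < MIN_INSTALLS:
        findings.append(f"only {info['active_installs']} active installs")
    # Only the date matters for staleness, so drop the time-of-day suffix.
    updated = datetime.strptime(info["last_updated"].split()[0], "%Y-%m-%d").date()
    age = (today - updated).days
    if age > MAX_AGE_DAYS:
        findings.append(f"last updated {age} days ago")
    if major_minor(info["tested"]) < major_minor(core_version):
        findings.append(f"tested only up to WordPress {info['tested']}")
    return findings

def vet_all(records, today, core_version):
    """Map each plugin slug to its list of findings."""
    return {r["slug"]: vet_plugin(r, today, core_version) for r in records}

if __name__ == "__main__":
    report = vet_all(json.loads(SAMPLE_JSON), date(2020, 6, 12), "5.4.2")
    for slug, findings in report.items():
        print(slug, "OK" if not findings else "; ".join(findings))
```

A plugin with findings is not necessarily unsafe, but it deserves a closer look in staging before you install or keep it.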

Making site health a priority

Now you are asking yourself, how often should I be making these updates? Is this something I can do myself? If so, how?

If you feel comfortable with your site and know how everything works, then yes, you can make these updates yourself. These updates should be really quick if you stay on top of them. Obviously, the more features you have on your site the longer it may take.

If you wish to take this on yourself, you’ll need to work with your hosting company to get the PHP version updated if there is a new release. As far as updating the WordPress core, theme, and plugins, this is all handled through the backend of your website.

Keep in mind what I mentioned before: You should be doing this in a staging environment so that you don’t risk affecting your live site. 

There are two ways to get you where you need to go to make these updates. When you are logged in to the backend of your site, under “Dashboard” you can see “Updates”, with an alert to let you know that you do have updates (and how many). 

Or, next to the name of your site (in this instance “IMPACT Elementor Site”), you can see the circular arrow symbol with the same alert next to it. You can click on either of these and it will bring you to the page with the list of everything that needs to be updated.

[Screenshot: WordPress dashboard update alert]

Once you are on the page, you will see any core WordPress updates you need to make, followed by a list of plugins that need to be updated, followed by the themes that need to be updated.

You should be checking for updates as often as you can. While a weekly basis would be ideal, bi-weekly is okay. Longer than that means you are putting yourself at risk. To make sure it gets done, put a recurring event on your calendar to remind you to check for updates. That way, you’ll never miss one. 

If you don’t feel comfortable doing these updates yourself, I strongly recommend that you work with a company or an individual that can help you with this, preferably the company that built your website, especially if it is heavily customized. 

You could also find an agency or even a freelance developer who will be willing to help you out.

I know this can seem like a lot, especially with everything else you already have on your plate, but if you set time aside each week or even bi-weekly, you will avoid having to deal with a disaster down the road.

In the end, if you are spending this time taking care of your website, you won't be missing out on new features and improvements, risking your site not working properly, and compromising your website security.
