Everybody wants to have a website that’s fast, functional, and secure, but too often website owners neglect updates that are critical for exactly that purpose. If you can’t remember the last time you updated your WordPress website, plugins, or themes, you’re not alone — some research estimates that up to 30 percent of the top 1 million websites are currently running an outdated version of WordPress.
Obsolete WordPress core files, plugins, and themes are a huge security risk. So why do website owners so frequently neglect these updates?
There are plenty of reasons why a website and its components might become outdated. Whether it's a lack of knowledge or a lack of comprehensive website monitoring, the cause doesn't really matter. If your website, plugins, or themes become outdated, your website may be not only less secure but also less useful for your customer base.
There are four key elements to any WordPress website that absolutely must be kept up to date.
WordPress Core Files
Of all the things to keep updated on your WordPress website, your core files are number one. Every WordPress website is built upon three core files. These files contain all the information about the version of WordPress that your site is running, as well as all the plugins, themes, and content that you add to your site. Basically, the core files are the foundation of the building that is your website.
Up to 37 percent of security vulnerabilities come from WordPress core files. While it is possible to make changes to your core files, it’s generally not recommended. For optimal website function and security, your core files should always be consistent with the files supplied by WordPress. WordPress regularly releases updates to its core files, and these updates often include measures taken to repair or eliminate security vulnerabilities in the current release.
The key thing you need to remember is that WordPress is open-source software. Its code base is available to everyone, be they developer or hacker. If you don't update your WordPress core files when a new release comes out, your website will retain the vulnerabilities that the release patched. Plus, when WordPress updates its core files, it usually publishes release notes that explain in detail all of the vulnerabilities that were repaired. This effectively gives hackers a roadmap into your website if you're still running the older release. Keeping your core files up-to-date ensures that the framework of your website is as safe and secure as possible.
Plugins
Plugins serve a wide variety of functions on WordPress websites. When used correctly, they can vastly improve the user experience. But they also vary widely in terms of quality and level of support, and if they’re left out of date they can open up significant security vulnerabilities.
When it comes to plugins, WordPress is a bit like the wild west. WordPress plugins are developed by independent coders and software developers, not all of whom are equally competent. Some plugins are developed by fully-staffed teams and are maintained with frequent patches and updates. Other plugins are developed by private individuals and hobby coders, some of whom might develop a plugin and release it, and then abandon it to move on to other projects. If this happens, then anyone who has that plugin installed on their website is left without any support.
It’s a good idea to be selective when installing plugins for your site. Don’t just install the first plugin that serves the function you’re looking for. Use plugins that have a proven track record. You can check the community boards on WordPress.org and read comments — and complaints — from people who have a particular plugin installed. It’s also worth checking how many times it’s been installed. A plugin that’s quite popular and installed on many websites is more likely to be well-supported. Rather than taking a chance, go with the tried-and-tested.
Themes
WordPress themes control the basic design elements of your website: visual building blocks like the layout, the colour scheme, and the fonts.
Just like plugins, themes vary widely in terms of the level of competency of their developers, and the level of ongoing support that they receive. Many of them are developed by independent designers who may not have much experience.
Before you install a theme, it’s important to check that it’s still supported by its developers. Just like with plugins, you can look up the theme’s changelog on WordPress.org to find out how recently a certain theme was updated, whether it’s still supported, and crucially, whether recent updates are compatible with the current WordPress version and key plugins.
Server-Side Software
Core files, themes, and plugins affect the form and function of your site, but server-side software like PHP ensures that it runs correctly and that your browser can find and display it.
In some cases, you, the website owner, will be responsible for updating the PHP version that your site runs on. This is something that you can do through your hosting provider, but it requires a little bit of know-how and the ability to take a functional backup of your site. Likewise, SSL certificates need to be kept up to date — otherwise browsers might block traffic from your site. A site with an expired SSL certificate will be recognized as a security risk by every browser.
Finally, it’s important to also ensure that your host server’s software stack (consisting of Linux, Apache, MySQL, and PHP) is kept up-to-date. While the actual updates on the server side are out of your control, you can make sure that you sign up your website with a high-quality hosting provider with a proven track record of good web security practices.
Don’t Forget to Back Up Your Site
Finally, before making any kind of update or change to your site, make sure it’s backed up. Sometimes, the minor changes to plugins, themes, and core files that come with updates can clash with other elements of your site and lead to errors and issues. To avoid this, it’s important to back up your site securely, and store the backups offsite for easy access in case something goes wrong.
Do you know if your themes, plugins, core files, and server-side software are up-to-date? Don’t leave your website vulnerable — consult your web security expert or IT team as soon as possible to evaluate the status of all your WordPress assets.