Keeping your website up to date is a challenge, but an important one. I’ve heard some developers say that you shouldn’t update your website out of fear it will break things. Well, I did a little more digging around the internet to find out if there’s any truth to that.
In this quick post, I’ll cover a lot of the common reasons why you should keep your website running the most recent version of WordPress, the most up-to-date version of every plugin, the newest release of your theme, and the highest supported PHP version you have access to on your server.
Because security is important
WordPress is great! With 74,652,825 sites and counting, WordPress has become the largest CMS on the internet. With all that popularity comes the risk of malicious attacks. Like the ever-popular Mac vs PC debate, WordPress has more users than its counterparts, so it becomes a much more appealing target. To combat this, the WordPress project releases core updates very often. Sometimes once a week, in fact. This is really, really good news. It means that the WordPress community is actively working on WordPress to make it even better, more secure, and more powerful every single week.
But here’s the issue. After these updates are released, it is the responsibility of the WordPress site’s admin to apply them. So often I’m tasked with cleaning up a hacked WordPress site, only to log in and find that every plugin, theme, and core file is 12 months out of date. The days of building and forgetting a website are long gone. You need to keep your websites current! Both the content of the pages and the code powering them.
How many WordPress websites get hacked because of outdated plugins, themes, or core?
According to a Sucuri report from 2018, 90% of the compromised CMS sites in 2018 were running WordPress. If you didn’t know, Sucuri is an incredibly popular security plugin and live service for cleaning hacked websites. This report was based on a sample of Sucuri’s data from that year. A total of 25,466 infected websites and 4,426,795 cleaned files were analyzed in that report.
WordPress accounting for 90% of the hacked sites is not super surprising, since WordPress does account for 60% of every CMS-powered website on the planet, with the next closest being Joomla at 5.4% market share. That report also goes on to say that a leading cause of the hacked websites is that they were either misconfigured by the server admin or simply never kept up to date.
So what do I mean by keeping these plugins and themes and everything “Up To Date”? Let’s go over that a bit closer.
What is a “security update” in WordPress
Nearly every WordPress update has “Security” or “Security Release” in the tags. So when I say “Security Update”, I really just mean every update being pumped out by WordPress.
If you dig a little deeper into these updates, they list the things that were changed to improve security. The update from December 13, 2019, says:
Four security issues affect WordPress versions 5.3 and earlier; version 5.3.1 fixes them, so you’ll want to upgrade. If you haven’t yet updated to 5.3, there are also updated versions of 5.2 and earlier that fix the security issues.
Source: https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
You may notice here that they don’t go into super explicit detail on what exactly the security hole was. That’s because if they released that information to the general public, not only would it be of little use to most of us, since we wouldn’t know what any of it means, but the bad guys that do know what it means could use it for bad-guy stuff. ;)
So what happens after I get hacked?
Well, a couple of things, usually. In my experience, I often see a lot of injected encrypted code that causes a chain of redirects which ultimately lead to someone’s referrer link for some popular, uhh, medications. Beyond that, I’ve seen entire web pages taken offline to show not-so-impressive landing pages of “You’ve Been Pwned” by so and so, and things of that nature. Like anything, the ingenuity of what the hacker does with the opportunity they were given really just depends on what the hacker is prepared to do and what they set out to accomplish.
A worst-case scenario could be your entire website, database and all, so infected with malicious code that it is simply unrepairable. And while your site is infected in that manner, you could be dishing out malware to your visitors (and your own computer), which could (and very likely would) result in irreparable damage to your brand’s trust within the community. If that’s not a big oof, I don’t know what is.
I got hacked already, what can I do about it?
The first thing you need to do is take that website offline. If you’re still able to get into your dashboard, install a “Coming Soon” or “Maintenance” plugin to handle that for you quickly. If you’re not able to, you’ll want to rename the index.php file to something else in your File Manager, and add a new index.html file that just says “Down For Maintenance.” If you know a little HTML and CSS, you can make it pretty, but the goal here is to just protect your viewers and your brand from the ramifications of dishing out malware.
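One way to script the rename-and-placeholder step described above, with a matching restore step for after the cleanup (an example added here, not the post’s own; the document root path is whatever your host uses):

```shell
#!/bin/sh
# Added example, not from the original post: take a WordPress site offline by
# renaming index.php and serving a static "Down For Maintenance" page instead.
set -eu

# Rename index.php (keeping a timestamped copy) and drop in index.html.
# Prints the path of the renamed file so it can be restored later.
wp_take_offline() {
  docroot="$1"
  if [ ! -f "$docroot/index.php" ]; then
    echo "no index.php in $docroot (already offline?)" >&2
    return 1
  fi
  stamp=$(date +%Y%m%d%H%M%S)
  mv "$docroot/index.php" "$docroot/index.php.offline-$stamp"
  cat > "$docroot/index.html" <<'EOF'
<!doctype html>
<title>Down For Maintenance</title>
<p>Down For Maintenance.</p>
EOF
  echo "$docroot/index.php.offline-$stamp"
}

# Put the most recent renamed index.php back and remove the placeholder.
wp_bring_online() {
  docroot="$1"
  backup=$(ls -1 "$docroot"/index.php.offline-* 2>/dev/null | tail -n 1)
  if [ -z "$backup" ]; then
    echo "nothing to restore in $docroot" >&2
    return 1
  fi
  mv "$backup" "$docroot/index.php"
  rm -f "$docroot/index.html"
}
```

Renaming index.php only closes the front-page entry point; wp-login.php, wp-admin/ and any other PHP files stay reachable until the host blocks them or the cleanup is done.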
Once your site is sporting that “We’ll BRB” look, you need to contact a professional to get it cleaned up. Zealous Sites offers this service at our normal hourly rate, but there are cases where even I can’t clean a site myself. In those scenarios, I refer my customers to Sucuri. It’s not cheap, but it’s the best solution I know of and it will get you answers.
Another option, and one that 9/10 times is what my customers choose to do, is to just revert to a saved backup. If you don’t have an eCommerce website or a blog that is updated very often, reverting to your most recent backup might be the easiest way to get your site back up and running. Once the revert is complete, you’ll want to run all those updates so it doesn’t happen again.
Because feature updates are cool!
You should keep your website up to date because the new features and updates that come with them are super cool! WordPress itself doesn’t roll out new features very often, but when it does they’re usually pretty great! The Gutenberg editor, for example, is really pretty good! And Divi’s constant stream of Divi Updates are always jaw-droppingly incredible.
If you’re a frequent reader of this blog, you’ll know how much I love Divi by how often I bring them up. And look, the tiny kickback we get if you purchase a subscription to Elegant Themes is nice. But this is a perfect example of why I love Divi and the Elegant Themes team so much. The feature updates they roll out on Divi are incredible. The videos Nick over at ET does to explain those features are super informative! And just the overall value you continue to get from Divi because of these constant streams of updates is…. man… it’s really just too good if I’m being honest. Elegant Themes has released 2 Feature Updates for Divi already this year. And around 12 last year.
I think that’s enough about Divi specifically for now though. Let me explain the difference between the two types of updates you might see in plugins, themes, and even WordPress’s core: Major Releases and Minor Patches.
What’s a major release?
A Major Release is usually indicated by the first number in the version number changing. For example, the current version of WordPress at the time of this writing is WordPress 5.3.2. The major release here was 5.0.0 on December 6th. This is when the Gutenberg editor was released, and it was the biggest WordPress update since WordPress 4.0 in 2014.
Themes and plugins often use the same numbering format, with the first number being the big important version and the following numbers indicating minor updates and patches.
What’s a minor patch?
A minor patch is typically where a theme, plugin, or WordPress itself fixes any security issues that have shown up since the previous release but doesn’t add any major features – or anything that you would notice as a non-developer at all. These are indicated by the second and third numbers. The second number is for a bigger patch and the third is for the smallest of fixes – sometimes just adding or removing comments in the code or something.
Are minor patches important? Yes. Yes, they are. Pushing out a patch isn’t a super easy task for developers, so when they do it, they’re not doing it lightly. If there is an update, major or minor, you want it. That is the version that the developers that wrote the code say is the best version. You always want that best version.
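To make the numbering concrete, here is an added example (not from the original post) that reads the installed version out of wp-includes/version.php and classifies a pending update as major, minor or patch using the first/second/third-number rule described above. The version.php text it reads is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies WordPress/plugin/theme
# updates by which component of the version number changed.
set -eu

# Constructed stand-in for wp-includes/version.php (only the line we need).
sample_version_php() {
  cat <<'EOF'
<?php
/* constructed sample, not a real file */
$wp_version = '5.3.2';
EOF
}

# Read the $wp_version string from version.php text on stdin.
# Real use: wp_installed_version < "$DOCROOT/wp-includes/version.php"
wp_installed_version() {
  awk -F"'" '/^\$wp_version = / { print $2; exit }'
}

# Print major|minor|patch|none for an update from $1 to $2 (e.g. 5.3.2 -> 5.4).
# A missing component is treated as 0, so 5.4 compares as 5.4.0.
wp_update_kind() {
  set -- $(echo "$1" | awk -F. '{ printf "%d %d %d", $1, $2, $3 }') \
         $(echo "$2" | awk -F. '{ printf "%d %d %d", $1, $2, $3 }')
  if   [ "$4" -gt "$1" ]; then echo major   # first number changed
  elif [ "$4" -lt "$1" ]; then echo none    # proposed version is older
  elif [ "$5" -gt "$2" ]; then echo minor   # second number changed
  elif [ "$5" -lt "$2" ]; then echo none
  elif [ "$6" -gt "$3" ]; then echo patch   # third number changed
  else echo none                            # same version
  fi
}

# Example run: installed 5.3.2, candidate 5.3.3 -> patch
installed=$(sample_version_php | wp_installed_version)
echo "installed $installed, 5.3.3 would be a $(wp_update_kind "$installed" 5.3.3) update"
```

Note that WordPress core’s own release announcements call 5.3 to 5.4 a major release and reserve “minor” for 5.3.x point releases; the function follows the post’s numbering rule instead, which is what most themes and plugins use.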
Because You Gotta Go Fast!
Updates often make your website quicker! Not just WordPress core updates, but theme updates, plugin updates, and PHP updates. For example, WordPress version 5.1 included multiple performance improvements to the Gutenberg editor introduced in version 5.0.
But I mentioned PHP updates, and that’s really where things start to get quick. If you’ve ever worked in a WordPress blog as an admin, you might have come across a plugin’s Support Center or something along those lines. Oftentimes that will tell you what version of PHP you’re running as well as the PHP variables on your server. This blog post isn’t a “7 Great Steps To Improve Your Website Speed”; there are tons of those already. So I’ll assume you’ve at least heard of PHP and know that there are some numbers after those 3 letters. You want those numbers to be as high as possible.
There are still WordPress servers being sold by popular vendors that you’ve heard of, and maybe are even still using, that are by default using PHP Version 5.4. That’s really bad. Check out this Supported Versions graph from the PHP.NET website to give you an idea of just HOW bad that is. Notice how 5.4 isn’t even in that graph? That’s because it’s been discontinued since September of 2015!!! These “premier” hosting platforms are selling you hosting servers that are still using a PHP version from over 5 years ago. That’s insane.
But here’s the thing, there’s a good chance you’re not a techy person, right? You don’t know what a cPanel is, let alone how to update the PHP version your website is running. And there’s an even better chance that your server can’t update to the current version of PHP. That’s where we come in. If this sounds like you, and you’re running a really old version of PHP, please talk to me. I can get you moved over to a new, better, faster host in a few days. And if it’s time for that new website design, we can do that for you as well.
But… couldn’t some stuff break? Well…. yes.
Okay, so yes. There is a chance that when you update a theme, plugin, or even your PHP version, stuff will just not work anymore. Compatibility, or lack thereof, is a real issue sometimes. But, in all honesty, if your theme breaks because of an update, then the theme you were using is either so outdated that it no longer works on the current version of WordPress, or you weren’t using a Child Theme. Both of these scenarios are rough ones to be in. But at the end of the day, you’re comparing spending a little money on getting your website re-designed in a new theme against risking losing your entire business to the fallout of malicious attacks. I don’t think that’s a difficult decision to make for anyone.
The same can be said for plugins. WordPress has been out for a long time, so there are some plugins that have come and gone. Some very popular plugins that used to reign supreme in their field are no longer supported. If you have any of those, it’s possible they’ll stop working since they never were updated for the latest versions of WordPress. But again, whatever feature this plugin is giving you is simply not worth the risk of running an out-of-date website.
So what about PHP versions? If I update my PHP to the latest one and it breaks the site, then what? The good news here is that if your theme isn’t compatible with the most recent version of PHP (7.4 at the time of writing), it still likely supports 7.2, which right now is “good enough.” It does mean you’re on a deadline to get that site updated this year, though. 7.2 will only continue to get security updates until December 6th of 2020.
So in conclusion…
Sometimes, keeping your website up to date is arduous and it takes time, but it’s something that needs to be done and needs to be done often. If you’re comfortable with doing it yourself, that’s great! More power to you! I think that the very little development knowledge it takes to keep these things up to date is very accessible to anyone who does a little looking, so anyone can do it.
But not everyone has time to do it.
That’s where Zealous Sites can help. If you’ve got a WordPress website and you just don’t have time to keep it, or the server up to date, we can absolutely help you with that. We offer a few different retainer options for exactly this. And once you’ve got me on retainer, I’m happy to answer any more of your technical questions as they come up.
Let’s make the internet a little safer each day by keeping our sites running the safest code we have at our disposal.