What Are WordPress Security Updates & How To Check

Updated on

Check WordPress Security Updates

Do you know how often you should update WordPress, themes, and plugins? Sometimes you update your WordPress site manually or automatically through a plugin.

Several questions arise:

Why do these updates? Why Are Updates for a WordPress Website So Important? Should we opt for Automatic Update or Do It Manually? How to check for security updates? In this article, you will know all about these and much more.

Just like your computer needs antivirus software, WordPress updates provide fixes for bugs and vulnerabilities to your site. These updates take care of all the detected issues, security fixes as well, and improvements to the program itself.

Such updates are posted regularly by WordPress and sometimes several times a month.Without regular updates, your website is weakened and more easily hackable or may be affected by viruses.

Cleaning up a site that has been hacked or attacked requires many hours and high technical skills to get the site back up and running safely, so as not to risk another attack.


FOR INDEPTH READING

GUIDE WordPress Hacking
GUIDE WordPress security issues / WordPress security guide
LIST WordPress security scanners
TIPS WordPress security tips
Checklists WordPress Malware Removal Checklist \ WordPress Maintainence Checklist
HOW TO WordPress Malware Removal
LIST WordPress Errors
USER MANUAL WordPress Automatic Updates

What Are Security Updates in WordPress?

A wordpress security update is primarily geared toward improving security and fixing bugs in your wordpress installation. Some bugs present security risks, and these can be quickly addressed with an update. Security updates can also fix vulnerabilities to new attacks that have cropped up. WordPress is the core of your website and it is the prime target of hackers. Plugins installed on your website may also contain security vulnerabilities. Even if the updates offered in your wordpress theme are rare, they can bring you new added features to keep your website up to date and safe.

Why Are Security Updates So Important For WordPress ?

WordPress gives you updates regularly and you wonder why there are so many and come back so often? WordPress updates are essential for it to work for three reasons:

Gain speed and performance for your website

An update keeps your website on top of its performance. Thanks to the continuous improvements made by the WordPress community.  With each new updates the performance of this CMS is improved.

WordPress developers are trying to find ways to make it more efficient. Each new version is indeed accompanied by several improvements that speed up the execution of WordPress.

And since speed is a big factor in site SEO, you should definitely keep your WordPress up to date to get the maximum benefit from it.

Benefit from new features for your WordPress site

Major WordPress updates  include new features and changes to the core of the software:

better plugin installation experience,

the introduction of online image editing, speedy installation of updates.

Useful features can be found in the latest versions and it wouldn’t be recommended to miss them.

Also, generally, when seeking help, users on the support forums will assume that you are using the latest version of WordPress.

Finally, the developers of third-party plugins generally rely on the updated versions of WordPress.

Your website could not, therefore, take advantage of these plugins, or sometimes even the available themes, without an update that also fixes the bugs detected by the developers.

Secure your website

Last, but probably the most important, security is certainly the most important reason you should keep your WordPress site up to date.

The flip side of its popularity is that WordPress is an attractive target for hackers , and attackers. Indeed, since WordPress is open-source, anyone can study the source code to learn the foundation and improve it.

However, it means in reverse that hackers can also study it and find ways to break into websites with bad intentions.

Fortunately, in the WordPress community, security experts around the world can study the code and properly report bugs and security vulnerabilities.

Whenever a security vulnerability is reported, WordPress developers work quickly to release an update that will make the necessary fixes, which fixes the issue.

By always installing the latest version of WordPress each time, you can be sure that you are working on a secure platform.

4 Updates Required For A Secure WordPress site

To minimize the risk of downtime during an update, we make a full backup copy of your site and its database. We will be able to restore it instantly in the event of a problem. It is also likely that your web host offers an automatic backup restore system. This system is ideal for updates that are not sensitive.

We can also set up a development environment (a parallel site not accessible by your visitors), on which we will test all the updates before performing them on the original version. This type of environment doubles the update costs. We recommend it only for sensitive, at-risk or high traffic sites.

Update PHP version on your website’s server

PHP is a programming language that runs on a web server. PHP is mainly used to create dynamic web pages or web applications. For example, all WordPress websites work with PHP.

Both WordPress and the PHP language are constantly being improved by developers. New versions of PHP are therefore regularly available. Administrators of a WordPress website may need to change the PHP version in the following cases:

  • Following a WordPress update based on a newer version of PHP.

  • A certain version of PHP is outdated and should no longer be used.

  • A new version of PHP is available and includes performance improvements that you want to take advantage of.

The older your version of WordPress, the more likely it is that the code used in that version is not compatible with a newer version of PHP.

Then check if updates are available for the WordPress version you are using, your plugins, and your theme.

Unless you need to use an older version of WordPress for some reason, you should always keep your WordPress version and all components up to date. These updates also address possible security vulnerabilities.

We recommend regular maintenance updates, for example, every 3 months. They are fast and involve little risk or hassle.

They allow regular monitoring of the site, which makes operations faster and less expensive. WPHackedHelp team of experts can take care of your site and its updates as quickly as possible.

Updating the WordPress version and recent plugins

You can choose more spaced updates, for example, every year. It will then be necessary to take more precautions.

If the installed versions of WordPress, the theme or the plugins are not too old and the fixes are not major, updating the site can be done relatively smoothly and quickly.

Indeed, as the core of the software remains the same, the risks of incompatibility with a new version of WordPress are reduced. This type of update can take between 5 hours and 15 hours.

Update WordPress core installation

You can choose not to update or only when adding new features, or during a hack. But, we must accept the risk: security breach, period of unavailability, incompatibility of plugins, impossible to recover from backup, obsolete PHP version, obligation to go through FTP, etc.

It is complicated to estimate the time of a difficult update because the problems can be numerous and complicated.

In conclusion: Updating WordPress is an operation that goes well in the majority of cases. However, if you encounter any difficulties, please do not hesitate to contact us .

Once the update is complete, you will benefit from the latest WordPress features and a heightened level of security!

That is all for today. If you want to know more, take a look at the WPHackedHelp posts, all of them are guided tutorials step by step in real time.

What types of sites need to be updated regularly?

All types of websites need to be updated on a regular basis. Whether you have a blog , a showcase site or an e-commerce site.

The risk is the same: you lose part or all of your visibility on the internet, whereas what led you to have a website is precisely to access or improve digital visibility.

How to update your WordPress website?

WordPress provides security updates that improve how it works and yours. But WordPress also follows the technical developments of hosts (PHP and MySQL).

Before performing a WordPress update, you may check with your hosting provider that has the same versions that are required for WordPress.

Just, go to the WordPress prerequisites page.

Make backups of your WordPress site

Different backups are possible via a plugin or FTP (Filezilla for example) and for the backup of the database at your host.

These backups are essential before performing an update at the risk of “breaking” your website if the update does not work or if there is a bug in the update of the theme or in a plugin.

They allow you to return to the previous state to then determine what did not work and the solution to implement to carry out the updates.

Temporarily disable plugins

WordPress updates are done automatically since version 2.7 but bugs can appear as with the version before 4.9.4 which had “broken” the automatic update.

If you need to manually update the WordPress version, temporarily disable the plugins to avoid any conflict with those installed on your website by going to the “Plugins” page, then select “Disable” from the drop-down list and click on “To apply”.

Updating plugins or plugins

WordPress displays notifications of updates in the dashboard.

A number next to Plugins tells you how many plugins need to be updated. By clicking on “Ready to update” you will see all affected ones.

The line “A new version for…” is displayed.

With just one click, you can therefore update each plugin. WordPress will then retrieve the latest version in its directory, decompress its content and install the new version.

Then check that all plugins are still working correctly on your website.

Theme update

This update is as important as the others, but from experience, it is the one that can Improve the performance. It might change the design and look of your website.

However, it should not be neglected because the theme may also contain security vulnerabilities or be incompatible with certain plugins or your version of WordPress.

Like all other updates, it is essential to have made a backup before. Another important point to check: any CSS modification of your theme must have been made on a child theme and not on the theme uploaded to WordPress, otherwise when updating the theme, you will lose all your changes.

To learn more about child themes, you can check out the official WordPress site. To perform this update, in your WordPress dashboard or in “Appearance” “Themes”, you are told that you have an update. Just like plugin updates, check that all pages of your website are working properly.

List of Vulnerable Plugins 2021

Plugin

Vulnerability

Severity

Patched version

pwa-for-wp

Authenticated Arbitrary File Upload

High

1.7.33

slider-hero

Cross-Site Request Forgery

Low

8.2.1

amministrazione-trasparente

Cross-Site Request Forgery

Low

7.1.1

free-comments-for-wordpress-vuukle

Cross-Site Request Forgery

Low

4.0.1

wp-easy-pay

Cross-Site Request Forgery

Low

3.2.3

woo-abandoned-cart-recovery

Cross-Site Request Forgery

Low

1.0.4.1

locations

Cross-Site Request Forgery

Low

4

currency-switcher

Cross-Site Request Forgery

Low

1.1.7

wp-html-mail

Cross-Site Request Forgery

Low

3.0.8

wp-meta-data-filter-and-taxonomy-filter

Cross-Site Request Forgery

Low

1.2.8

meta-data-filter

Cross-Site Request Forgery

Low

2.2.8

nmedia-user-file-uploader

Privilege Escalation vulnerability

High

18

woocommerce

Unauthenticated SQL Injection

High

5.5.1

woo-gutenberg-products-block

Unauthenticated SQL Injection

High

5.5.1

nmedia-user-file-uploader

Unauthenticated Content Injection

High

18.3

wpfront-notification-bar

Stored Cross-Site Scripting

Medium

2.0.0

astra-addon

Unauthenticated SQL Injection

High

3.5.2

woocommerce-currency-switcher

Local File Inclusion

Medium

1.3.7

woo-advanced-shipment-tracking

Authenticated Options Change

Medium

3.2.7

paid-member-subscriptions

Reflected Cross-Site Scripting

Low

2.4.2

download-manager

Authenticated File Upload

High

3.1.25

Plugins Removed From WordPress Repository

Name

Vulnerability

wp-upload-restriction

Stored Cross-Site Scripting

current-book

Stored Cross-Site Scripting

mimetic-books

Stored Cross-Site Scripting

kn-fix-your

Stored Cross-Site Scripting

custom-login-redirect

Cross-Site Request Forgery

simple-post

Stored Cross-Site Scripting

How To Check For Security Updates in WordPress?

To find out if there is a WordPress security update, you must first access the CMS Administration panel. Usually the path is http: // MYDOMAIN / wp-admin.

Once you have accessed it, you will be able to check how the manager itself shows an available version notice, located at the top of the screen. It details the existence of a new version of WordPress. In this case, 5.4.2:

 wp updates

When you click on the ” Update to 5.4.2 ” button, a window will be displayed with all pending updates, both for the WordPress version, as well as for installed plugins or themes. We will select the option « Update now ». This process may take several minutes, during which the page will be in maintenance mode.

After this step, the installation process will start.

Once finished, we will visualize a screen like the one shown in the following image, informing that our WordPress is updated to version 5.4.2.

It is important to protect your WordPress site to prevent it from being vulnerable. Follow this WordPress Security Checklist 2021 to avoid possible attacks by cybercriminals, some of them explained in real cases.

Should I Use Automatic Updates?

Updating WordPress allows you to:

  1. Correct the bugs of the previous version.

  2. Take advantage of new features (for example the new Gutenberg plugin for early 2019).

  3. Strengthen the security of your website

These 3 reasons are enough to keep your WordPress up to date by making updates when they arise.

We have already had the opportunity to talk about the last update of WordPress, version 4.6.1 called “Pepper”.

Like many developers, it was a great joy to see that WordPress continued to evolve, but also a small source of apprehension for the update.

Indeed, updating WordPress is highly recommended, so it is impossible to escape it, knowing that many files on your site will be modified.

How to Know If One Should Opt for An Automatic Update or Do It Manually?

To update WordPress, there are 2 different methods:

  • The easiest and fastest: automatic update

  • When the automatic update does not work do the manual update

An automatic WordPress update requires:

  • At least a PHP version 5.2.4 for branch 4 of WordPress.

  • The correct permissions to allow writing files. (see the WordPress Codex

To update WordPress automatically, you just need to:

  • Check the technical prerequisites (PHP version and write rights).

  • Make a backup of your database and your files (to be able to go back).

  • Disable all active plugins.

  • Start the update: Dashboard> Updates> Update automatically.

Before launching the WordPress update, check that you have the correct write rights and back up your database and all your files.

Update WordPress manually

When the automatic update does not work or to revert to an earlier version of WordPress, you will have no other choice but to update manually.

The manual update consists of replacing through an FTP client (FileZilla) or SSH access all the unzipped files of the latest version of WordPress (except the WP-content folder and the WP- file config.php which should not be overwritten).

Also be careful not to overwrite the wp-images, wp-includes / languages / (if you are using a translation file), and the .htaccess file if you have customized it.

As with the automatic update, you will need to:

  • Check that your host has the prerequisites and can accommodate this update  (mainly the PHP & MySQL versions requested)

  • Make a backup of all your files AND don’t forget to back up your database.

  • Disable plugins is recommended because not all plugins are necessarily up to date and can, therefore “crash” the entire update.

  • To quickly deactivate all the plugins you can do it by choosing the option “Deactivate” in the drop-down list “Bulk actions”, then by clicking on “Apply”.

  • You can then via your FTP drag and drop and overwrite the old files (except WP-content and WP-config.php) with the new unzipped files of the brand new version of WordPress that you will have previously downloaded.

  • The ideal is to first delete rather than overwrite the old files that you want to replace.

  • If you have to intervene on your Wp-content folder, you will insert new files there, you will never delete them!

  • Once all the new files are in place, you might need to sign in again. If a database update is needed, WordPress will detect it and offer you to click on the following link: http://example.com/wordpress/wp-admin/upgrade.php.

  • You just have to click and follow the instructions. Your database will be updated to work with the latest version of WordPress. You can then reactivate your plugins and browse your freshly updated WordPress.

 WordPress Automatic Update

Here, we see how to manage enable & disable automatic updates in WordPress, to always have under control what is updated.

It is a novelty introduced in WordPress 3.7 that automatically makes WordPress update itself. That is, without having to press any button. WordPress just decides that it should be updated and it does automatically.

By default, these updates are only executed in the case of minor updates. For example, from WordPress 4.3.0 to 4.3.1. Those kinds of updates include things like small improvements, bug fixes, or bug fixes.

So when WordPress 4.4 arrives this December, let’s not expect it to “just update”, because it won’t. These types of updates are considered “major” and do not run on their own.

It is important to note that if there is a great vulnerability in a popular plugin, such as Jetpack, Yoast SEO, WooCommerce, etc.

Should I disable automatic WordPress updates?

Basically, it is up to you to make this decision.

For most beginners and the vast majority of WordPress websites, automatic updates are harmless, and you shouldn’t disable them.

However, if you have an online store or don’t want to lose business due to a broken site, then you can safely disable automatic updates.

Still, be sure to manually install those updates in a timely manner to ensure the security of your website.

Whether you use automatic or manual updates, it is crucial to ensure that you have regular backups of your site.

Take a look at How to backup WordPress database manually & with plugins and our guide fix your hacked WordPress site.

When should I have them activated?

If you simply have a blog or corporate website, we would recommend that you have them active, since that way you can not worry about the subject.

If, on the contrary, you have a business whose income depends on the web, we would deactivate them. But in return, you should periodically check for updates, run them manually, and check if everything is still working properly.

If the update is simply about modifications and news, we recommend that you wait a few days for others to update, to ensure that there will be no incompatibilities. About a week or 10 days.

If on the contrary, the update is critical of security, as it is evident, update ipso facto, at the speed of light.

You can know what type of update it is by clicking on “See details” in the updates panel:

 Advanced-Automatic-Updates

We always highly recommend this! That way you will know what’s new (which is always good) and what that update fixes.

And if something fails, you can deduce where the conflict has been generated.

Note that the more updates you “let go”, the more chances you will have something to fail, and the more difficult it will be to know why it has failed, since there will be many more modifications.

Activate all updates

On the other hand, if you are braver and want to activate all the updates, whether they are major or minor, you can also do it, with this line in wp-config.php

define (‘WP_AUTO_UPDATE_CORE’, true);

Be careful, because with this WordPress will always be updated! Although it is true that WordPress is “backward compatible”, which means that “it will not break when you update”, not all plugins can be prepared for new versions, so proceed with care.

Plugin For Updating WordPress Automatically

If you don’t dare, don’t know or don’t want to modify the wp-config.php file, there is a plugin to control all this. It couldn’t be otherwise, this is WordPress:)

The plugin itself is called Advanced Automatic Updates. Although it has not been updated for more than two years, it works perfectly.

So do not hesitate to use it. In the directory of recommended plugins on the subscriber’s intranet, you can find more recommended free plugins.

Once activated you will find a new menu in “Settings”, which will allow you several things. First, you can choose what to update:

We can choose between all the following options:

  • Update WordPress

  • Major updates

  • Minor updates (what comes by default)

  • Update plugins

  • Update themes

Thus, only by selecting these boxes we can activate or deactivate the automatic updates as we want.

We also have a couple of more very useful settings related to the notifications we receive to the mail when the automatic updates are executed. By default, we always receive an email to the administrator’s email. Well, we can modify that:

 

The first thing we can choose is which email to receive the notifications. This is very useful if you have many websites in WordPress since when they are all updated, they flood your mail with those notices. So you can receive or filter it to that email.

And on the other hand, we can deactivate these notifications, which we do not recommend since it is convenient to be aware of those details.

And finally, we can activate if we want to receive a “report” of how the updates have gone. If they have been successful, if they have not been, what has happened, etc.

By default, we have the option to receive it only for developer updates, but we could choose to always receive the report, or never.

Advantages and disadvantages of automatic WordPress updates

Now you know how to disable automatic updates, but should you disable them? There is no correct answer and this is up to you and your website.

On our sites, we have disabled automatic plugin and theme updates, keeping minor kernel updates enabled.

Let’s look at the advantages and disadvantages of automatic updates. In this way, you can decide whether to disable automatic updates on your site.

Advantages of WordPress automatic updates

Automatic updates are great for WordPress security. Many users forget to update their plugins or their main WordPress installation.

With automatic WordPress updates enabled, you don’t have to worry about updating your site every time a minor WordPress update is posted. These are removed for maintenance and safety reasons.

In the past, automatic updates were something you could only get by paying for managed WordPress hosting. Now, they are available to everyone (at least for minor releases).

You also know that if there is a crucial security issue with WordPress or a popular plugin, then WordPress will automatically update itself. Even if you are busy or away from home, your site will remain safe.

If you have a lot of sites, automatic updates can save you a lot of time. And even if you only have one site, you might prefer the peace of mind of knowing that WordPress takes care of everything.

Disadvantages of WordPress automatic updates

The WordPress core team responsible for posting updates makes sure you have no problems.

However, there is a slight chance that automatic updates could break your site. In our experience, minor updates haven’t broken any of our sites yet.

That’s because we are following best practices and not modifying any central files. If you modify the core WordPress files, then these automatic updates may override them.

If WordPress ever felt the need to release a security update for a theme that you are using, there is a chance it could break your website. This applies particularly if you have modified your theme files.

Automatic plugin updates can also break your site. There are too many variables, such as different server environments and plugin combinations.

Now it is important to know that these updates will not break the vast majority of websites. Still, you may feel like you don’t want to take the risk.

Another downside is that you won’t always receive an automatic notification when your site is updated.

How do you fix Update Failed Issues?

A new update is available on your Dashboard. You have taken all your precautions upstream and start the process.

It grinds, it grinds, and it still grinds. Suddenly, the following message appears: “update failed” .

When you are confronted with it for the first time, there is something to panic about. But we assure you, this is not the sea to drink.

Most of the time, it is enough to delete a named file .maintenance on your FTP. In principle, it will be at the root of your site.

Also note that it is possible that automatic updates crash and display a beautiful blank page (we also speak of White Screen of Death).

All your CSS changes are gone

Now let’s talk about an annoyance that you may have encountered before.

You’ve spent hours polishing your site design using CSS code.

As a serious professional, you have also just updated your theme, to protect yourself as much as possible. You did well.

Except that now, you no longer recognize your site. All your changes are gone after this damn update!

The reason is simple: you probably aren’t using a child theme, and you’ve made all of your changes right in your parent theme’s code.

Not good. Thanks to a child theme, this problem is over. A child theme is a kind of sub-theme that allows you to customize the look of your site. Like that, no risk of losing all your mods at the next update!

How to safely perform a WordPress security update?

There are two ways to perform WordPress security updates:

  • Update on the staging site (safe)
  • Update directly from the dashboard (unsafe)

Updating directly from the WordPress dashboard may cause websites to crash. Fixing and recovering a faulty site can be difficult and time-consuming.

Create a WordPress Staging Site

Using a development environment provided by your hosting provider is one way to ensure consistency. Also, it’s usually quite easy to create one.

Another benefit of vendor-level readiness sites is that you can usually instantly apply new changes to your live site. It would also contradict one of the points we raised earlier about the waste of time.

But you need to check with your host individually.

Assuming that you have already signed up with BlogVault and added your websites to the dashboard:

→ Go to the Staging section and click on Add Staging.

 

BlogVault will ask you to select the backup and PHP version of your choice.

 blogvault-staging-backup-version

It’ll take a few minutes to create a staging site. Once it’s ready you can start to test updates.

Where would WordPress be without its fantastic plugin library? It seems like there’s a plugin for just about everything these days, and that includes staging sites.

BlogVault

You can get started for free with BlogVault WordPress Staging Plugin and never worry about breaking your site while customizing again. You can also use it when updating your theme, plugin, or other minor changes without any restrictions.

It only takes one click to set it up and create a live replica of your site with all the data. You don’t really need to switch hosts, as it works with all of them. On top of that, if you have multiple sites on different hosts, you can easily interconnect without any issues.

All of your staged copies are password protected, come with HTTP authentication and automatic Google de-indexing to eliminate confusion for search engines.

Finally, it allows you to make changes to the test site and then merge your selection with the live site with just a few clicks. All this without hassle.

WP staging

This duplication-based plugin allows you to copy your production site to a new development site in minutes. The way it works is pretty straightforward. You go to the plugins dashboard, click Copy and whola – your clone is getting ready.

Sure, it looks easy on paper, but there’s a lot going on in the background as well.

The plugin must copy the files and database received by enchanters and also must ensure that all links are working properly. With that in mind, WP Staging is a wonderful plugin to use.

This plugin also has a Pro version, which adds features like Push Changes to your test site. This means that you can apply changes directly to the live site without having to do it twice.

Over 50,000 WordPress users are using WP Staging, so you’re in good hands!

Test Updates on Staging Site

Test updates on the staging site

To test for updates, simply log into the staging site. The URL of the staging site should look like this: https://yoursite.wpstage.net/

You can log in to your staging site using your usual user credentials.

When you open the staging URL, you will notice that it is password protected.

It has a password to ensure that your staging site is private and not accessible to the public or any search engine.

You need to go to the BlogVault dashboard to get your username and password in the Staging section.

Use it to access your Staging site.

blogvault-staging-http-auth

To access your staging site login page, add / wp-admin / at the end of the staging URL like this

https://yoursite.d.wpstage.net/wp-admin

→ Use the usual user credentials to log into the WordPress dashboard.

→ To implement the updates, go to the dashboard> updates.

On the Updates page, looks for outdated software and details of the new version. To implement the updates, select the plugin or theme or the kernel and press the Update button.

After implementing the updates, you need to check if your website is working properly. Now check all the important pages and functions. This will include your homepage, blogs, cart pages, checkout pages, etc.