Out-of-date WordPress sites will get hacked

This page uses annoyingly big text because it’s really important:

If you use WordPress, you MUST update your plugins and themes whenever you see that an update is available. If you don’t, your site will probably be “hacked” eventually because of a security bug in old software. The contents of your site will be replaced with something malicious, and your email will be used to send offensive spam.

We see this happen to people all the time. The rest of this page has more information:

Why would hackers target me?

People are often surprised by this, asking: Why would they target me? Why would my small site be attacked by criminals? That question makes sense in the physical world, but things don’t work that way online. It’s extremely easy for hackers to use Google to get a list of all sites that run certain WordPress plugins and themes. Then they use automated software to attack all of those sites, one by one, in the hope that each site is still using an old, vulnerable version. They don’t care if it takes weeks: they’re running the attack from computers they have already compromised, and no human intervention is required to eventually try every last site. And once they have access to your site, it doesn’t matter how big or small it is: they can still use a small site to send lots of spam, distribute malware, infect your visitors, and worse.

If you think “I don’t trust updates, so I won’t update my site software for a while because I’m concerned about compatibility”, like some people, you’re setting yourself up for trouble unless you have a specific plan to apply the update in the very near future (by which we mean days, not weeks). Otherwise you’ll just get further and further behind, updating will become harder and harder, and every day you wait makes it more likely that your site will be hacked.

If you’re concerned about compatibility, you can make an extra backup right before the update, and we’ll help you undo the update if there’s a problem. The type of problems potentially caused by updating are far less severe (and far more easily fixed) than the security problems potentially caused by not updating.

But aren’t most hacking attacks more complicated than this?

No. A surprising number of our customers read elsewhere about WordPress hacks, then write to us asking if their site is vulnerable... but when we check, we see they haven’t updated old plugins and themes on their site for months or years. We also see people who install complicated security plugins but don’t update WordPress itself.

This suggests that people have little idea how sites actually get hacked, and we want to correct that. So here’s some more annoying text:

99% of the hacked WordPress sites we see are not from complicated attacks that can only be defeated by “security plugins” or complicated defenses. They happen solely because customers didn’t update plugins or themes they installed, or because they chose a weak password.

Not updating a plugin, or theme, or WordPress itself, is the same thing as not applying security updates to your own computer. When your computer tells you there’s an update available, you (hopefully) install it right away to keep “hackers” out. You should do exactly the same thing with WordPress.

So please: whenever you see that an update is available, install it. If you don’t log in to your WordPress site often, start doing so on a regular basis just to check for updates.

What if I don’t have time to constantly update my site?

If you don’t have time, automate it. On our own sites, we use a plugin that automatically updates WordPress plugins and themes, in the same way that WordPress automatically updates its own files (by default WordPress only auto-installs minor and security releases of itself; since WordPress 5.5 the Plugins and Themes screens can also turn on automatic updates per plugin or theme without an extra plugin). We recommend it to all our customers.

How to keep WordPress up to date

As we mentioned above, on our own sites we use a plugin that automatically updates things.

If you prefer to do it manually, here’s the recommended way to update WordPress:

  1. Create an extra backup of your site before making any changes.
  2. Deactivate all plugins that you don’t truly need.
  3. Delete all inactive plugins.
  4. Delete all inactive themes. Be sure not to delete the child or parent theme of the active theme, if any.
  5. Update all remaining plugins and themes.
  6. Update the core WordPress files.
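The same six steps, scripted with WP-CLI (https://wp-cli.org/), as an added example that is not the page’s own code and is not the automatic-update plugin we use. It assumes WP-CLI is installed as `wp`, that the script runs from the WordPress root as the site’s own user, that a `backups/` directory exists (our name), and that you start it with `--run` (our flag). The `themes_to_delete` helper is ours; it filters the inactive-theme list against the `stylesheet` and `template` options so the active theme and its parent are never deleted, even though `wp theme list --status=inactive` already leaves the parent out.

```sh
#!/bin/sh
# Added example: the manual WordPress update procedure above, scripted with WP-CLI.
# Assumptions: "wp" is installed, we run from the WordPress root as the site user,
# and "backups/" (our name) exists. Not the page's own code.
set -eu

# Step 1: extra backup of the database and wp-content before touching anything.
backup_site() {
  stamp=$(date +%Y%m%d-%H%M%S)
  wp db export "backups/db-$stamp.sql"
  tar -czf "backups/wp-content-$stamp.tar.gz" wp-content
}

# Step 2 needs human judgement, so only list what is active for review.
list_active_plugins() {
  wp plugin list --status=active --fields=name,version,update
}

# Step 3: delete inactive plugins (their files are still reachable over the web).
delete_inactive_plugins() {
  inactive=$(wp plugin list --status=inactive --field=name)
  if [ -n "$inactive" ]; then
    # Unquoted on purpose: plugin slugs contain no spaces, one per word.
    wp plugin delete $inactive
  fi
}

# Step 4 helper (ours): read candidate theme names on stdin, print all except the
# two names given as arguments (the active child theme and its parent).
themes_to_delete() {
  keep_child=$1
  keep_parent=$2
  while IFS= read -r name; do
    if [ -n "$name" ] && [ "$name" != "$keep_child" ] && [ "$name" != "$keep_parent" ]; then
      printf '%s\n' "$name"
    fi
  done
}

# Step 4: delete inactive themes, never the active theme or its parent.
delete_inactive_themes() {
  child=$(wp option get stylesheet)   # active theme directory
  parent=$(wp option get template)    # its parent (same value when there is no child theme)
  doomed=$(wp theme list --status=inactive --field=name | themes_to_delete "$child" "$parent")
  if [ -n "$doomed" ]; then
    wp theme delete $doomed
  fi
}

# Steps 5 and 6: update remaining plugins and themes, then core and the database
# schema, and check the core files against WordPress.org's published checksums.
update_everything() {
  wp plugin update --all
  wp theme update --all
  wp core update
  wp core update-db
  wp core verify-checksums
}

run_update() {
  backup_site
  echo "Active plugins (deactivate and delete any you do not truly need, then re-run):"
  list_active_plugins
  delete_inactive_plugins
  delete_inactive_themes
  update_everything
}

# Only touch a real site when asked explicitly; sourcing this file just defines functions.
if [ "${1:-}" = "--run" ]; then
  run_update
fi
```

Run it as `sh update-wordpress.sh --run` from the site root. Keep the backup from step 1 until you have clicked through the site afterwards: if an update broke something, `wp db import backups/db-<stamp>.sql` and unpacking the matching wp-content archive gets you back to where you started.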

Two other thoughts about WordPress security and updates

By the way, if someone tries selling you a “premium” WordPress theme or plugin that doesn’t have automatic update notifications, you should avoid it like the plague. The only way to keep these secure is to return to the original download site from time to time to check for security updates, which nobody ever does. Premium themes without automatic updates are a major security risk.

Finally, you should completely delete any plugins or themes you don’t use. Hackers can take advantage of some security bugs even if the plugin or theme is deactivated, because its files are still on the server and can still be requested directly over the web. If you’re not going to use it in the future, it shouldn’t be there at all.