Out-of-date WordPress sites are much more likely to be hacked

This page uses annoyingly big text because it’s really important:

If you use WordPress, you must update your plugins and themes whenever an update is available. If you don’t, your site might be “hacked” because of a security bug in old software. The “hackers” can then replace the contents of your site with something malicious and use your site to send spam that appears to come from you.

Fortunately, this is easy to avoid by automatically keeping things up to date. The rest of this page has more information about it.

How to keep WordPress up to date

Just make sure you’re using at least WordPress 5.5, and that you’ve clicked “Enable auto-updates” for all your plugins and themes:

WordPress plugin automatic updates
WordPress theme automatic updates

If you have many plugins, you can do this more quickly by selecting all of them and choosing Enable auto-updates from the Bulk actions menu, then clicking Apply:

Bulk Enable Auto-Updates for plugins

That’s all it takes — WordPress will then automatically update everything, and send you a message each time it does so.

If you do this, you can almost certainly ignore the rest of this page — but it has answers to some common questions we’re asked about WordPress updates.

Okay, but why would hackers target me, even if my site does use outdated software?

People are often surprised that their site might be attacked, asking: Why would they target me? Why would my small site be attacked by criminals when it contains nothing worth stealing? That question makes sense in the physical world, but things don’t work that way online. Hackers can use even a small site to send lots of spam, distribute malware, infect site visitors with viruses, and worse. It doesn’t matter how big or small it is.

It’s easy for hackers to use Google to get a list of every site on the internet that runs a WordPress plugin or theme that’s recently been updated to fix a security bug. They use automated software to attack all of those sites, one by one, in the hope that the site is still using an old version. They don’t care if it takes weeks, months or years: they’re using stolen computer time anyway, and no human intervention is required to eventually try every last site, no matter how small it is.

Don’t updates cause problems?

If you think “I don’t trust updates, so I won’t update my site software for a while because I’m concerned about compatibility”, you’re setting yourself up for trouble unless you have a specific plan to apply the update in the very near future (by which we mean days, not weeks). Otherwise you’ll just get further and further behind — updating will become harder and harder with more risk of compatibility problems because you’ll be using outdated versions that software authors don’t test.

If you’re concerned about compatibility, you can make an extra backup right before a major update, and you can easily restore that backup in our control panel if there’s a problem. The type of problems potentially caused by updating are far less severe (and far more easily fixed) than the security problems potentially caused by not updating.

If you’re worried that automatic updates might completely break your site, we try to protect you from that. Every 8 hours, we run an automated process that loads the home page of every single site we host. If the site returns an error, and it didn’t return an error on the previous load, a real human on our staff is notified to review and fix it. This makes sure your site won’t completely stop working after an update.

But aren’t most hacking attacks more complicated than this?

No. A surprising number of our customers read elsewhere about WordPress hacks, then write to us asking if their site is vulnerable... but when we check, we see they haven’t updated old plugins and themes on their site for months or years. We also see people who install complicated security plugins but don’t update outdated software.

This suggests that it’s not obvious how sites usually get hacked, and we want to correct that. So here’s some more annoying text:

99.9% of the hacked WordPress sites we see are not from complicated attacks that can only be defeated by “security plugins” or complicated defenses. They happen solely because:
  1. Customers didn’t update plugins or themes they installed;
  2. A WordPress administrator account used a weak password that was easily guessed (or was the same as a password you use at another service that had a data breach); or
  3. A WordPress administrator installed a “premium” paid plugin or theme from a site that offers “nulled” versions of the software that actually contain malware.

That’s it — we almost never see any other cause.

Not updating a plugin, or theme, or WordPress itself, is the same thing as not applying security updates to your own computer. When your computer tells you there’s an update available, you (hopefully) install it right away to keep “hackers” out. You should do exactly the same thing with WordPress.

So please: Enable automatic updates as the section above describes. If you prefer to do it manually, always install updates every time you see that they’re available (and make sure you log in to the WordPress dashboard often to check). Remember that “security plugins” are not a replacement for keeping your site updated (in fact, at least one of the more popular plugins, Wordfence, intentionally doesn’t block new security hacks for 30 days unless you pay them a monthly fee, making it almost useless).

By the way, if you’d like an independent confirmation of the idea that most WordPress security problems are a result of outdated themes and plugins, and that updating those fixes it, take a look at the blog of the Wordfence plugin we mentioned above. You’ll see that many of the problems they describe have a description that ends like this:

In today’s post, we detailed a flaw in theme or plugin X that granted attackers the ability to upload arbitrary files and modify existing theme files, which could be used to achieve remote code execution. This flaw has been fully patched in version Y. We recommend that users immediately update to the latest version available to make sure their site stays secure.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on <date>. Sites still using the free version of Wordfence will receive the same protection in 30 days.

The thing to notice is that using the free version of the Wordfence plugin doesn’t protect you for the next 30 days, but updating the plugin that has the bug would protect you immediately. A good example of this is their post “PHP Object Injection Vulnerability in Booking Calendar Plugin”, where the developer released a secure update on April 21, but Wordfence didn't start blocking attacks against it until May 18. Simply turning on automatic updates would have protected the site far better than the free version of Wordfence did.

What about people stealing my password?

The section above mentions that the second most common way WordPress sites get hacked is by someone guessing or stealing your password. There’s an easy defense against that, too: you can use a security plugin that provides two factor authentication, which prevents “hackers” from logging in even if they somehow steal or guess a WordPress password.

Two other thoughts about WordPress security and updates

By the way, if someone tries selling you a “premium” WordPress theme or plugin that doesn’t have automatic updates, you should avoid it. The only way to keep these secure is to return to the original download site from time to time to check for security updates, which few people ever do. Premium themes without automatic updates are a major security risk.

Finally, you should completely delete any plugins or themes you don’t use. Hackers can take advantage of some security bugs even if the plugin or theme is deactivated. If you’re not going to use it in the future, it shouldn’t be there at all.
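
If you have shell access and WP-CLI, the three plugin checks this page recommends (nothing outdated, auto-updates enabled, nothing unused left installed) can be run in one pass. This is an added example, not part of the original page or of WordPress itself: it assumes the JSON field names printed by `wp plugin list --format=json`, and the plugin names and versions in the sample are constructed.

```python
import json

# Constructed sample in the shape printed by: wp plugin list --format=json
# (plugin names and versions are invented for this example).
SAMPLE = """[
 {"name": "contact-form-x", "status": "active", "update": "available",
  "version": "2.1.0", "update_version": "2.1.4", "auto_update": "off"},
 {"name": "gallery-y", "status": "inactive", "update": "none",
  "version": "1.0.3", "update_version": "", "auto_update": "on"},
 {"name": "seo-z", "status": "active", "update": "none",
  "version": "5.2.0", "update_version": "", "auto_update": "on"},
 {"name": "host-cache", "status": "must-use", "update": "none",
  "version": "", "update_version": "", "auto_update": "off"}
]"""

# Must-use plugins and drop-ins are not covered by the auto-update toggle,
# so they are skipped rather than reported as misconfigured.
UNMANAGED = {"must-use", "dropin"}


def audit(json_text):
    """Return {plugin name: [findings]} for plugins that need attention."""
    report = {}
    for plugin in json.loads(json_text):
        status = plugin.get("status", "")
        if status in UNMANAGED:
            continue
        findings = []
        if plugin.get("update") == "available":
            findings.append("outdated: {} -> {}".format(
                plugin.get("version"), plugin.get("update_version")))
        if plugin.get("auto_update") != "on":
            findings.append("auto-updates disabled")
        if status == "inactive":
            findings.append("inactive: delete it if unused")
        if findings:
            report[plugin["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name + ": " + "; ".join(findings))
```

To check a real site, pass the output of `wp plugin list --format=json` to `audit()` in place of the sample.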