WordPress runs over 20% of the web which makes it a big target for hackers. Hackers like to target well known vulnerabilities so they get the most bang for their script and it’s easy to tell if a site is running WordPress, what plugins it is using and what version it is on: see BuiltWith. WordPress’ popularity means there are many plugins and tools to integrate with it, but it also means there will be more people trying to take advantage of it. And if you need another reason to update, here is an article from a WordPress security firm stating the importance of updating.
The number one way to keep hackers at bay is to keep your site up to date with the latest security fixes. The WordPress team and many volunteers are awesome at finding and fixing vulnerabilities, but those vulnerabilities are also quickly distributed to the world. Once a vulnerability goes public, everyone has access to the old code so they can exploit the vulnerability on sites still using it. WordPress has instituted automatic updates, however, these updates seem to be a bit random. Some sites configured to update automatically will update quickly, others can take a few days or never update. Plugins can also be configured to update automatically, however, updating plugins can be a tricky business since not all free plugin authors test their plugins very well. Even large free plugin updates, like WooCommerce, can create a bug in specific scenarios. The most common issue after a plugin update is a blank website – meaning nothing shows up on your site, just a blank page. For these reasons, it is a good idea to manage WordPress and plugins updates to limit any unwelcome surprises.
Unbox Interactive’s WordPress and Plugins Update Plan
You could do automatic updates or you could decide to update your site on your own. Either choice is better than not updating at all. However, what happens if an update breaks your site? If you are an Unbox client, we can try to fix it for you, but we can’t guarantee we’ll always be able to jump right in and fix your site since we have deadlines and promises made to other clients.
Instead, you can opt for our wordpress and plugins update plan. The cost depends on the size and complexity of your website but is usually a very minimal fee, especially considering the piece of mind it brings.
What you get
Websites on our plan are updated at minimum every other month. If a WordPress core security update comes out (or WooCommerce for our e-commerce sites) we will update as soon as possible. These updates are performed during a window when we have time to fix any issues that arise. After updates are performed we do a quick check through the site to make sure everything is working as it should be. Currently, we update over 50 websites with similar plugins installed. Chances are by the time we get to the third or fourth site, we know of any issues that might arise and can prepare for and fix the issue right away.
We also maintain two copies, with the same plugins and WordPress version, of all sites on our update plan, called our local and staging websites. These sites are for two purposes – for checking updates before updating the live site and also for any development changes you might require over the life of your website.
We are extremely security conscious at Unbox Interactive and we do all we can to protect our clients’ websites. While we are updating each site, we also do a few security checks. We check to make sure the WordPress users are all real users. If the site was hacked, the attackers usually create their own WordPress administrative user. We also make sure Limit Login Attempts is active and sending reports to us, and any configured backups are still working.
Over the years we’ve picked up new security tips and tricks which we apply to all sites on our update plan for free. For example, we recently figured out the Yoast SEO plugin (which we use on all sites) automatically generates a User sitemap, which can be useful for blogs, but it also, by default, exposes the usernames of all users on the site. Once a hacker has a username, they just need the second piece of the puzzle, the password. Trust us, hackers are constantly hitting WordPress sites with username/password combinations to try to gain access. We install Limit Login Attempts on all our sites, which locks out IPs if more than three logins fail, but if you’ve ever watched a site under attack, you’ll see multiple IPs are used – usually from other compromised sites across the globe. It’s always best if a hacker doesn’t have any pieces of your login – username or password – so we have turned off the User sitemap on all the sites on our update plan.
If you have any questions in regards to our update service please contact us. We’d be glad to answer your questions and help make sure your site is up to date and as secure as possible.