Website security is a constant battle, especially for a popular platform like WordPress. It’s crucial to make sure your website and visitors are safe. One simple way is checking regularly for WordPress security updates.
Fortunately, WordPress recently overhauled its updates procedure. It now offers a clearer picture of what needs updating – whether that’s your themes, plugins or the WordPress core itself. This easy process means you should never worry again about a vulnerable site.
Let’s delve deep into WordPress security updates, first discussing why they’re necessary for a secure website. Then, we’ll talk about the different types of security that exist, before we finally walk through how to check for updates in WordPress.
Why you should get WordPress security updates
WordPress often releases updates to its core files, and they usually include fixes for the latest security issues. Your installed themes and plugins will also need updates, and you’ll be notified of available new versions via your WordPress dashboard.
There are two main reasons for staying on top of WordPress security updates:
- You’ll be protected against any recent threats that present a danger to your site or visitors.
- Any incompatibilities between plugins, themes and the WordPress core are likely fixed, creating a more stable system.
In short, it just makes good sense to keep your WordPress core files, themes and plugins up to date. However, protecting your site involves much more than simply applying updates.
The difference between server-side and backend protection
Getting WordPress security updates is a simple decision. However, carrying it out can be trickier, as there are various points in the WordPress chain that need to be protected. You’ll want to pay attention to two main types of security:
Server-side security protects your site at the server level, and is normally taken care of by your host. It can include SSL certification.
Plus, some hosts (such as GoDaddy) also offer advanced Web Application Firewalls (WAFs) and other features that stop malicious intent before it infiltrates your server.
Backend security is normally implemented by installing plugins. While many tools focus on stopping brute-force attacks at points such as the login page, some plugins (such as Wordfence Security) also offer dedicated WAFs of their own.
Many hosts will handle minor WordPress updates on your behalf, but major core updates — along with those for themes and plugins — are usually up to you. It’s why we recommend manually carrying out update checks, rather than relying on your host.
Checking for WordPress security updates in 2 simple steps
You’re about to learn how to check and update your WordPress website in two steps. Before you begin, you’ll want to back up your website, in case something goes wrong and you need to restore it.
Step 1: Find the WordPress updates page
First, log in to your WordPress backend. Go to the Dashboard section, and then click Updates. This is a recent addition that offers a handy, at-a-glance guide for any themes, plugins or core files that need updating.
Here, you’ll see a reminder of when you last checked for updates, along with a prompt to check again. You can also find your currently installed WordPress version and an overview of any themes or plugins that have available updates.
This is where you can reinstall the latest version of WordPress if you need to, for example, if you’ve had to migrate a site or install a backup. If you use a translated version of WordPress, you’ll also get the option to install either the U.S. version or one in your own language.
Once you’ve become acquainted with this screen, the next step is to actually perform the updates.
Step 2: Update WordPress core, themes and plugins (as necessary)
Before actually updating WordPress, it’s important to mind a few best practices. These make the whole update process run much more smoothly. Here’s what you should remember:
- Create a full backup before updating your site, in case anything goes wrong.
- If you can, update WordPress using a staging or local site first, and then migrate it once you’re happy the change has been successful.
- Update the WordPress core first, then your themes, and finally your plugins. That way, it will be easier to determine the cause of any errors.
To carry out an update, go to Dashboard, and then click Updates. Take a look at what’s displayed there. Depending on what you find as you get through your WordPress security updates, you might need to get the latest version of:
- WordPress — Simply click Update Now. If you don’t see it, you’re likely running the latest version.
- Themes — If updates are available, you’ll see the information displayed under Themes. Check the appropriate boxes, and then click Update Themes. You’ll be notified when it’s done, and then prompted to return to the Themes or Updates pages.
- Plugins — Check the boxes for the plugins you’d like to update, and then click Update Plugins. It should only take a few moments.
That’s all there is to WordPress security updates! Keep in mind, you can either update everything at once, or individual items as required. The former option is more efficient, although the latter will make it easier to figure out the cause of any sudden problems. It’s not a bad idea to perform one update at a time, testing your site in between and looking for errors or compatibility issues.
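The same backup-then-update order can be run from the command line. The script below is an added example, not part of the original article; it assumes WP-CLI is installed as wp, and SITE and BACKUP_DIR are placeholder paths.

```sh
#!/bin/sh
# Added example: back up, then update core -> themes -> plugins with WP-CLI.
# Assumptions: WP-CLI is installed as `wp`; SITE and BACKUP_DIR are
# placeholder paths to adjust for your own install.
SITE="${SITE:-/var/www/html}"
# Keep backups outside the web root so they cannot be downloaded.
BACKUP_DIR="${BACKUP_DIR:-$HOME/wp-backups}"

# Full backup first: a database dump plus an archive of the site files.
backup_site() {
  stamp="$(date +%Y%m%d-%H%M%S)"
  mkdir -p "$BACKUP_DIR" || return 1
  wp --path="$SITE" db export "$BACKUP_DIR/db-$stamp.sql" || return 1
  tar -czf "$BACKUP_DIR/files-$stamp.tar.gz" -C "$SITE" . || return 1
}

# Command-line view of what Dashboard > Updates shows as pending.
pending_updates() {
  echo "core:";    wp --path="$SITE" core check-update
  echo "themes:";  wp --path="$SITE" theme list --update=available --field=name
  echo "plugins:"; wp --path="$SITE" plugin list --update=available --field=name
}

# Core first, then themes, then plugins. Stop at the first failure so the
# return code names the stage that broke: 1 backup, 2 core, 3 themes, 4 plugins.
update_in_order() {
  backup_site || { echo "backup failed, nothing updated" >&2; return 1; }
  wp --path="$SITE" core update         || { echo "core update failed" >&2; return 2; }
  wp --path="$SITE" core update-db      || { echo "database upgrade failed" >&2; return 2; }
  wp --path="$SITE" theme update --all  || { echo "theme update failed" >&2; return 3; }
  wp --path="$SITE" plugin update --all || { echo "plugin update failed" >&2; return 4; }
}

# Only act when called as: sh update-wordpress.sh run
if [ "${1:-}" = "run" ]; then
  pending_updates
  update_in_order
fi
```

Run it against a staging copy first, as recommended above, and check the site between stages if you prefer to update one item at a time.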
When it comes to WordPress security updates, it pays to be on the ball at all times. The simplest way is making sure WordPress core files, themes, and plugins are up to date. That way, you’ll have peace of mind that your website — and its visitors — are safe.