What are all these WordPress updates? Is my site safe? The simple answer is yes, it’s safe, provided the updates are applied. Here are some questions that you might have.

Why are there so many updates right now?

Recently, security researchers found and responsibly disclosed a security vulnerability within the core WordPress software and within many popular plugins and themes.

WordPress and the theme/plugin developer community responded with a coordinated update release to close the vulnerability, but there have been follow-on updates too. The first type of follow-on update is a response to the kind of vulnerability originally found: as researchers continued searching, they found similar, additional vulnerabilities. The second type comes from smaller plugin and theme developers who could not respond as quickly. The final type deals with problems caused by the initial critical security updates, i.e. updates that fixed the vulnerability but caused some kind of knock-on problem for sites running that code.

Do these vulnerabilities and updates only affect WordPress sites?

The particular security vulnerabilities have mainly been cross-site scripting (XSS): a flaw that lets an attacker get their own script into a page so that it runs in another visitor’s browser, because input was written into the page without being escaped. This class of vulnerability isn’t specific to WordPress, but the recent flurry of updates is specific to WordPress, because the vulnerable code was identified within WordPress-specific code.
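
To make that class of bug concrete, here is an added example (not code from the original post, and not the code that WordPress core or any real plugin shipped): a hypothetical plugin function that reflects a query-string parameter back into the page, first unescaped and then escaped with WordPress’s own esc_attr() and esc_html() helpers. The function names, the `s` parameter and the sample input are constructed for illustration; the two fallbacks at the top exist only so the file runs under plain `php` outside WordPress, where those helpers are not loaded.

```php
<?php
// Added example, not from the original post or from WordPress core.
// Shows a reflected XSS in a hypothetical plugin beside the escaped version.

// Fallbacks so this file runs outside WordPress. Inside WordPress these two
// functions already exist (wp-includes/formatting.php) and this block is skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// VULNERABLE (hypothetical): the user-controlled `s` parameter is written
// straight into an attribute and into the page text. A visitor who follows a
// crafted link has the attacker's markup executed in their own browser.
function render_search_banner_vulnerable(array $get) {
    $term = isset($get['s']) ? $get['s'] : '';
    return '<div class="banner" data-term="' . $term . '">Results for: ' . $term . '</div>';
}

// FIXED: escape for the exact context the value lands in. esc_attr() for an
// attribute value, esc_html() for text between tags. Same input, inert output.
function render_search_banner_fixed(array $get) {
    $term = isset($get['s']) ? $get['s'] : '';
    return '<div class="banner" data-term="' . esc_attr($term) . '">Results for: '
         . esc_html($term) . '</div>';
}

// Constructed sample input standing in for $_GET on a crafted URL such as
// /?s=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
$sample_get = ['s' => '"><script>alert(document.cookie)</script>'];

echo "Vulnerable output:\n", render_search_banner_vulnerable($sample_get), "\n\n";
echo "Fixed output:\n", render_search_banner_fixed($sample_get), "\n\n";

// Quick check a reviewer can run: no raw <script> tag and no stray quote that
// could close the attribute survive the escaped version.
$fixed = render_search_banner_fixed($sample_get);
echo (strpos($fixed, '<script') === false && strpos($fixed, 'data-term=""><') === false)
    ? "check passed: escaped output cannot break out of the attribute or inject a tag\n"
    : "check failed\n";
```

Run it with `php` on the command line and compare the two outputs. The point for plugin and theme authors is that escaping is per-context: the same value needs esc_attr() inside an attribute and esc_html() between tags (and esc_url() inside an href), and an update that adds the missing call is exactly the kind of small, targeted change these security releases contain.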

Doesn’t that mean that it’s not really safe to use WordPress?

No, quite the opposite. The short answer is that, because people are actively trying to both find and fix WordPress vulnerabilities 24/7, your website is running some of the most well-tested and security-hardened software in the world. If you want the long story, here’s a great article about why you’re safer using WordPress than almost anything else.

It’s quite possible that similar vulnerabilities exist in other platforms and codebases and simply haven’t been found and fixed.

What are you doing to keep my site safe?

Keeping your website secure is truly important to us.

Generally speaking we:

  • use specialist managed WordPress hosting (affiliate link for WP Engine) where security is part of the hosting service
  • recommend our monthly maintenance service, which is designed to keep your site running either the latest, or very recent, versions of WordPress, plugins and themes in a way that minimises adverse impact on your live site
  • have good internal IT security awareness and policies
  • stay abreast of WordPress security issues

Specifically for this series of updates we’re:

  • contacting our customers to inform them about the updates
  • running managed update cycles where there’s an agreement in place, or a request is made
  • working with our hosting company to roll out critical security updates automatically – more about that here

Might these updates break my site?

It’s unlikely that security updates will break your site, as they’re usually designed to fix very specific vulnerabilities. However, it’s always possible that an update will have an unintended consequence, so please do test your website after updates and on a regular basis – or ask us to do that for you.

If you’ve got any questions about WordPress security, or any concerns, please do contact us or leave a comment below.

Update 5th May

A useful blog post from Envato (who run Themeforest and Codecanyon) about this.

Update 11th May

A nice look at how strong the WordPress security posture actually is, despite constant lambasting: https://ma.ttias.be/in-defence-of-wordpress/