Last Updated on December 22, 2020 by Christopher G Mendla
A key concept in protecting your WordPress site is to make sure the WordPress core and all of your plugins are up to date. Outdated plugins can contain vulnerabilities that allow a hacker to compromise your site.
As always, it is important to have a backup of your WordPress site, especially when updating WordPress or updating, adding, or changing plugins.
Overview of plugins
Plugins are a necessary part of WordPress. They add features that make your site useful. When you want to add a particular capability to your site, you need to determine if there is a plugin that will do that and if so, add the plugin to your site. Make sure that the plugins you choose are being maintained.
Once you install your set of plugins, you need to periodically update the plugins. With WordPress from about version 5.5.3 on, you have an option to allow WordPress to automatically update plugins. I prefer to update plugins manually. For one thing, updating plugins will cause your site to be temporarily unavailable. You don’t want that to happen during a period of peak usage.
If updates are available, you will see an indicator next to ‘plugins’ on your dashboard with the number of plugins that need to be updated.
You can go to your plugin list and click “update” individually for each plugin. Depending on your server resources, you might only want to update 1 or 2 simultaneously.
Check, check and double check
After you update WordPress or your plugins, you should always check the front and back ends to make sure that everything works.
Look for abandoned plugins
Scan the list of your plugins. Basic information about each plugin is available. Look at the date that shows when the plugin was last updated. Plugins that have not been updated for a certain period of time will show up in red, as shown below.
In the example above, the plugin “Add code to head” had not been updated for four years. The info line shows the rating of the plugin as well as whether it was tested with your current version of WordPress. If the last update was more than a couple of months ago, or if the plugin is not tested with your version of WordPress, then you should do at least some investigation.
If, for example, the last update was 2 months ago and the latest version it was tested with was a minor release prior to your current WordPress release, then you probably just need to keep an eye on it.
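The triage rule above, written as a script. This is an added example, not code from the original post: the `last_updated` and `tested` field names follow the WordPress.org plugin information API, while the 60-day threshold, the slugs, the site version, and the sample records are constructed assumptions.

```python
import re
from datetime import date

STALE_DAYS = 60            # assumption: "more than a couple of months"
WP_VERSION = "5.6.1"       # constructed: the site's WordPress version
TODAY = date(2021, 2, 10)  # fixed so the sample result is reproducible

def parse_version(text):
    """'5.6' -> (5, 6, 0); missing or unparsable -> (0, 0, 0)."""
    m = re.match(r"\d+(?:\.\d+){0,2}", text or "")
    parts = [int(p) for p in m.group().split(".")] if m else []
    return tuple(parts + [0] * (3 - len(parts)))

def classify(plugin, wp_version=WP_VERSION, today=TODAY):
    """Return (status, age_in_days) for one plugin record."""
    updated = date.fromisoformat(plugin["last_updated"].split()[0])
    age = (today - updated).days
    tested = parse_version(plugin.get("tested"))
    current = parse_version(wp_version)
    # Old update, or last tested on an earlier X.Y branch: look into it.
    if age > STALE_DAYS or tested[:2] < current[:2]:
        return "investigate", age
    # Recent update, tested on the same branch but an earlier point release.
    if tested < current:
        return "watch", age
    return "ok", age

def audit(plugins, wp_version=WP_VERSION, today=TODAY):
    """Map each plugin slug to its status."""
    return {p["slug"]: classify(p, wp_version, today)[0] for p in plugins}

# Constructed sample records with hypothetical slugs.
SAMPLE = [
    {"slug": "example-head-code", "last_updated": "2016-11-02 3:10pm GMT", "tested": "4.6.1"},
    {"slug": "example-ads", "last_updated": "2021-02-05 9:14am GMT", "tested": "5.6.1"},
    {"slug": "example-forms", "last_updated": "2020-12-20 7:45pm GMT", "tested": "5.6"},
    {"slug": "example-gallery", "last_updated": "2021-01-20 1:02pm GMT", "tested": "5.5.3"},
]

if __name__ == "__main__":
    for plugin in SAMPLE:
        status, age = classify(plugin)
        print(f"{plugin['slug']:<20} {status:<12} last update {age} days ago")
```

A plugin with no `tested` value is treated as untested and lands in "investigate".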
In the case of the Add Code to Head plugin, I was using that to insert code for my ad programs into the head section of the pages. I found a replacement in the Ad Inserter plugin.
Some plugins will have no configuration while others may have extensive configurations and data. In this case, I just had to copy the code from the old plugin to the new plugin and make sure everything worked.
Don’t forget to deactivate and delete the old plugin.
An inactive plugin can still provide an attack surface for a hacker. As soon as you are sure that your new plugin is working as expected, you should delete the old plugin. By ‘as soon as’ I mean immediately after switching the plugins.
Summary
Many WordPress ‘designers’ don’t pay enough attention to securing the sites they create or manage.