It’s been another busy week for WordPress security — first a large number of very popular plugins were found to be vulnerable to XSS (Cross-site Scripting) attacks due to improper use of a couple of commonly used functions. Then, an important security update for the WordPress core, version 4.1.2 was released. Plugin and theme authors the world over are no doubt still busily checking their code and updates to various plugins and themes are still rolling out as I write this post (though most have already been fixed and updated a couple of days ago).
Many WordPress users are probably wondering … why are there so many security patches coming out for WordPress? Is WordPress a safe platform for my website?
Security updates are a good thing
Believe it or not, we actually see this as a positive thing. Yes, you read that correctly. This is good.
The point is that these issues are being identified and fixed. The WordPress community is constantly learning and evolving … and everyone benefits. Every time one of these issues is discovered and patched — WordPress security improves.
WordPress has a highly-active community of literally thousands of developers world-wide, continuously analysing and scrutinising both the WordPress core and plugin code. The recently discovered XSS issues were uncovered and dealt with in a swift, professional and responsible manner. Independent developers, Sucuri Security and the WordPress core team all worked together to coordinate the dissemination of information, allowing enough time for developers to fix their code and release patches, and then clearly and concisely release information to the public so they were aware of the issues and could act accordingly.
The WordPress core security update — version 4.1.2 — was installed automatically, without users needing to do anything. Since version 3.7.1, important updates for WordPress core will normally be installed within about 12 hours of them being released. This is a very good thing.
Ask yourself … what other CMS platforms can boast that kind of proactive, passionate developer community?
Some important things to remember
These recent issues do remind us of a few important things to keep in mind, however.
Just because WordPress and many plugins are free doesn’t mean there is zero cost associated with using them.
Remember, many of the plugins you use on your site, which most likely provide all sorts of really useful functionality and features — cost you absolutely nothing. The developers that write those plugins often spend hundreds of hours designing and writing the software, and then you get to use it … for free. Wow, that is so cool.
However, just because something is free doesn’t mean that there isn’t some cost or responsibility you must accept for using it. If you install a plugin from the WordPress.org repository — install updates when they become available. The same applies for paid / premium plugins — there’s probably no software in existence that doesn’t contain some bugs, so do yourself a favour and keep your software up to date. WordPress makes it stupidly easy to update your plugins; in most cases you can just hit the “update” link on the Plugins page.
A few important tips…
- WordPress is not a set-and-forget system – it requires regular updates to ensure that bugs and other security issues are fixed. Keep your plugins and themes up to date.
- Don’t use your live production site as a sandbox: test plugins and themes on a local development server, and remove plugins and themes that you’re not using.
- If you can’t (or don’t want to) manage your WordPress site yourself — use Managed WordPress Hosting.
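One way to act on the “keep it up to date” advice above is to let WordPress apply plugin and theme updates itself, the same way it already applies minor core releases. The must-use plugin below is an added example, not code from the original post or from WP NET; the file location under wp-content/mu-plugins/ and the theme slug it excludes are assumptions.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example)
 * Description: Opt plugins, themes and minor core releases into WordPress automatic updates.
 *
 * Save as wp-content/mu-plugins/auto-update-policy.php (assumed path). Must-use
 * plugins load on every request and cannot be deactivated from the dashboard,
 * so the policy is not lost if someone forgets to re-enable it.
 */

// Default behaviour since 3.7.1: minor core releases auto-install, plugins and
// themes do not. State the core part explicitly so nobody has to guess.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );

// Opt every plugin into automatic updates.
add_filter( 'auto_update_plugin', '__return_true' );

// Opt themes in too, but skip any theme that has been hand-modified, since an
// automatic update would overwrite those local changes. The callback receives
// the update item, whose ->theme property is the theme directory slug.
add_filter( 'auto_update_theme', function ( $update, $item ) {
    // Constructed example slug; replace with the real theme directory name.
    $locally_modified = array( 'my-custom-theme' );
    return ! in_array( $item->theme, $locally_modified, true );
}, 10, 2 );

// Keep the e-mail WordPress sends after an automatic update, so whoever looks
// after the site sees what changed and can check the site afterwards.
add_filter( 'automatic_updates_send_email', '__return_true' );
```

A theme you exclude this way still needs to be updated by hand, which is the trade-off the post describes for modified themes.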
Managed WordPress Hosting
Because of all of this, Managed WordPress hosting makes a lot of sense for many WordPress users who don’t have either the technical know-how, time or willingness to manage their WordPress site themselves.
In addition to automated backups, monitoring and other features many other hosts don’t provide, WP NET installs all WordPress core updates for you — both minor release security updates (we often push out the updates quicker than the automatic WordPress installation) and major version releases as well.
Furthermore, we monitor numerous security blogs and other sources and will install important security updates for WordPress plugins as they become available. So, while the customer is ultimately responsible for plugin and theme updates, if an important security issue is discovered in a plugin, we’ll patch it for you.
If a security issue is discovered in a WordPress theme (which is less common) we’ll get in touch with you and provide assistance where we can, but due to the prevalence of users modifying their themes and because many themes don’t have automated updates enabled, we’re not able to provide this as a standard part of our service.
If you would like to discuss your WordPress hosting requirements, please don’t hesitate to get in touch.