Keeping Your WordPress Website Safe
WordPress is a great CMS platform: it offers an easy way for people to update websites themselves. If you DIY your website content then it's important to pay attention to the updates, particularly for WordPress plugins, as cybercriminals often find vulnerabilities in the plugin code and are able to break into your website through these. This is the most common form of website hacking.
Even if you have a website developer or SEO specialist helping you out, they often neglect keeping your WordPress installation secure.
Updates are not a difficult task, so please read below to ensure your site remains secure.
How to Know If There Are Updates Available?
As I mentioned earlier, updating our software is important, but we can’t check every day whether a new version is available for WordPress or for one of our plugins or themes, especially if we are using a lot of them.
Fortunately, if a new version of WordPress is available, you can’t miss it, as you will see a message at the top of almost every page of your administration panel. You will even see another message at the bottom of these pages!
For plugins and themes, it is different, but if they are available on WordPress.org, then the CMS can tell you if a new version is released. All you have to do is visit the ‘Updates’ section of the WordPress dashboard.
You will see right next to this entry in the menu, how many updates are available. This number also appears in the bar at the top of your screen on all the pages of your website when you are logged in. If this number doesn’t appear, good news: WordPress and all your plugins and themes are up to date!
Updating WordPress itself is very important, as the CMS is a victim of its own success. Used by millions of people around the world, WordPress is a good target: a single security hole can affect many websites.
Fortunately, WordPress is Open Source and security flaws can be detected and fixed quickly. However, in order to be safe, you have to update your installation.
To update WordPress, you have to add, delete and replace some files, manually or automatically. If a problem occurs when you are updating your installation, WordPress can be broken and I’m sure that it’s not what you want!
That’s why you should back up your WordPress installation before updating it, to be sure that you can retrieve the old but working installation.
If your website hosting is with Onsite Helper, then good news: we automatically back up your website for you, so if things go wrong we can quickly recover to yesterday's or last week's version.
Updating WordPress with a Single Click
Since version 2.7, it is possible to update WordPress quickly and easily thanks to a one click method. This method is preferred, as WordPress will automatically download and replace the right files by itself. That way, you avoid errors and save time.
To update WordPress in one click, go to the ‘Updates’ entry of the ‘Dashboard’ menu. If you don’t have the latest available version of WordPress, you will see the message ‘An updated version of WordPress is available’ above two buttons.
By clicking on the second button, you will download a ZIP archive containing the latest version of WordPress. You will then be able to create a new installation of WordPress or manually update your current installation (which is described below).
The first button is the one click method. If you click on the ‘Update Now’ button, WordPress will lead you to another page which will inform you of the progress: automatically, it will download the latest version, deactivate your plugins, replace the right files and reactivate your plugins. All you have to do is wait just a few seconds or minutes.
Automatically Updating WordPress
With version 3.7, WordPress introduced automatic updates. Thanks to this feature, the CMS checks every day whether a new minor version of WordPress is available. If that is the case, it will download and install it on its own, without you having to do anything, not even a click.
By default, if the latest available version is a major version, you will still have to update by yourself, in one click or manually, but you can be sure to always have the latest stable subversion of WordPress.
For example, if you use WordPress 4.0 and a version 4.0.1 is available, WordPress will install it automatically. But if the new version is something like 4.1, it won’t.
Always having the latest version is important and if a minor update is available, you should update as soon as possible, as minor updates fix bugs. That’s why automatic updates are useful, because you don’t have to worry about having the latest fixes or not: you can be sure it is the case.
Automatic updates are enabled by default. But if you want to disable them, you can still do so by adding a new constant in the wp-config.php file at the root of your WordPress installation.
By defining another constant, you can even enable the automatic method for major updates. Still in the wp-config.php file, add the following line:
It will automatically update WordPress when a new release is available, whether minor or major. If you use a development version of WordPress, development updates will also be automatic with this constant.
This constant can take three different values:
true, to enable automatic minor, major and development updates,
false, to disable all of them, or
'minor' to only enable automatic minor updates (which is the default behavior).
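The two constants described above, as an added example that is not from the original article. It uses WordPress's `WP_AUTO_UPDATE_CORE` constant for the three-value setting and shows the `AUTOMATIC_UPDATER_DISABLED` master switch beside it; the values chosen here are an assumption about what a typical site wants.

```php
<?php
// Added example: lines for wp-config.php. Place them above the line that
// loads wp-settings.php, otherwise WordPress starts before they are defined.

// Core update policy. Use exactly one of the three values:
//   true    - minor, major and development updates install automatically
//   false   - no automatic core updates at all
//   'minor' - only minor releases (the default behaviour described above)
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// Master switch for the automatic updater. Setting it to true turns off
// every automatic update, including the minor core releases that carry
// bug fixes, so the site only gets fixes when someone updates by hand.
// Leaving it false (or not defining it at all) keeps the updater running.
define( 'AUTOMATIC_UPDATER_DISABLED', false );
```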
If you don’t want to edit the wp-config.php file for some reason, you can also enable or disable automatic updates with filters.
For example, the AUTOMATIC_UPDATER_DISABLED constant seen above can be replaced by adding the following line in the functions.php file of your theme, or in a plugin:
This will disable automatic updates.
Other filters can enable or disable specific automatic updates. For each filter, your function must return true if you want to enable the corresponding type of update, or
// Disable automatic minor updates
add_filter('allow_minor_auto_core_updates', '__return_false');
// Enable automatic major updates
add_filter('allow_major_auto_core_updates', '__return_true');
// Enable development updates
add_filter('allow_dev_auto_core_updates', '__return_true');
Manually Updating WordPress
You should always opt for automatic or one click methods to update WordPress. However, it is of course still possible to update the CMS manually, if you wish or if you have no choice for some particular reason.
Be careful: you’re a human (I think!), so you can make errors and break your installation, so please be sure to follow the instructions step by step. Moreover, remember that backing up your installation first is always a good idea.
- Download the latest version of WordPress. You can do that with the button we saw when we described how to update in one click, or you can download it from WordPress.org. You will get an archive, so unpack it.
- To be sure that a plugin won’t cause a bug during the update, deactivate all the plugins you use. You can do this quickly thanks to the option ‘Deactivate’ in the drop down list that you can use after selecting all of your plugins.
- Now you have to replace the right files. In your current installation, delete the wp-admin folders. Then upload the new ones.
- Upload the content of the new wp-content folder into the old one. Overwriting the existing files, you will update the old official themes and plugins. Don’t worry, the other plugins and themes will stay the same, and your media files won’t be affected.
- Do the same with the files in the root directory: replace them all with the new ones by uploading all of them. The only file you need to worry about is wp-config.php but it won’t be overwritten as it does not exist in the new version: in the archives you download, wp-config-sample.php. You now have to compare that file with your wp-config.php to be sure that a new line has not been added: if that is the case, copy and paste the new lines from wp-config-sample.php to your old
- Sometimes, an automatic update can fail and a .maintenance file gets added into your installation. If you manually update to fix the problem, you need to delete this file.
- Your database may also need to be updated. Visit your administration panel to see if that is the case: if it is, a message will appear, containing a link. Click on it, and your database will be updated.
- The update itself is finished. All you have to do now is reactivate the plugins you use.
Updating Plugins and Themes
Updating core WordPress is important, but it is also important to update the themes and plugins you use, as a bug in one of these can affect your whole installation.
Updating in One Click
Like WordPress itself, you can update plugins and themes with a one click method. To do that, go to the ‘Updates’ section of your administration panel.
If there are some plugins or themes that can be updated, they will appear here, right below the part which tells you if a new version of WordPress is available or not.
To update your plugins, select them and click on the ‘Update Plugins’ button. The same can be done with themes: select them and click ‘Update Themes’.
Whether for plugins or for themes, you will be led to another page which will inform you about the progress of the update, just as it does with the WordPress update.
Note that for plugins, another section will also allow you to update in one click: the ‘Installed Plugins’ section in the Dashboard. If a plugin can be updated, a message will appear right below it, with a link to update it automatically. You can even select all of your plugins and choose ‘Update’ in the drop down list to bulk update the ones that need it.
We saw above that WordPress itself can be automatically updated, without you needing to do anything. It’s very practical and if you are a fan of automatic updates, you will be happy to know that WordPress can also automatically update your plugins and themes.
Automatic updates for plugins and themes are disabled by default. To enable them, you can add a filter into the functions.php file of your theme or in a plugin, just like you can for WordPress core updates.
// Enable automatic updates for plugins
add_filter('auto_update_plugin', '__return_true');
// Enable automatic updates for themes
add_filter('auto_update_theme', '__return_true');
However, contrary to WordPress itself, you can’t enable automatic updates for plugins and themes with a constant in the wp-config.php file: with plugins or themes, you have no choice and you must use filters.
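A more selective use of the plugin filter, as an added example that is not from the original article: it turns on automatic updates only for named plugins and writes failed automatic updates to the PHP error log so they get noticed. The plugin slugs are hypothetical placeholders; the code assumes it is loaded from a plugin file or the theme's functions.php.

```php
<?php
// Added example. Hypothetical slugs: replace them with the folder names
// of your own plugins under wp-content/plugins.
const EXAMPLE_AUTO_UPDATE_PLUGINS = array(
    'example-contact-form',
    'example-seo-tools',
);

// WordPress calls this filter once per available plugin update, passing
// the decision made so far and an object describing the plugin.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug )
        && in_array( $item->slug, EXAMPLE_AUTO_UPDATE_PLUGINS, true ) ) {
        return true; // on the list: update automatically
    }
    return $update;  // anything else keeps the existing decision
}, 10, 2 );

// After each automatic update run, WordPress fires this action with the
// results grouped by type (core, plugin, theme, translation). A failed
// item carries a WP_Error or an empty result; log it so an update that
// silently stopped working does not leave an old version in place.
add_action( 'automatic_updates_complete', function ( $results ) {
    foreach ( (array) $results as $type => $entries ) {
        foreach ( (array) $entries as $entry ) {
            $failed = is_wp_error( $entry->result ) || ! $entry->result;
            if ( ! $failed ) {
                continue;
            }
            $reason = is_wp_error( $entry->result )
                ? $entry->result->get_error_message()
                : 'no result returned';
            error_log( sprintf(
                'Automatic %s update failed for %s: %s',
                $type,
                $entry->name,
                $reason
            ) );
        }
    }
} );
```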
Manually Updating Plugins and Themes
Like WordPress, updating plugins and themes with the one click method is preferred. But you can also manually update them. In some cases, you will have no choice: for example, if a plugin is not available on WordPress.org, WordPress cannot give you access to the one click method.
To manually update a plugin, begin by downloading its new version from WordPress.org or from its official web page if there is one. In most cases, you will get an archive, so unpack it. Then, deactivate the plugin to prevent possible bugs.
If the plugin is a single file, replace it by uploading the new one directly into the plugins subdirectory of wp-content. But most plugins are stored in a folder and, if that is the case, upload the content of the new version into the old folder, overwriting the existing files. Then, reactivate the plugin.
Manually updating a theme is similar so, as we did with plugins, begin by downloading the new version and unpack the archive.
If you currently use the theme you want to update, you should now deactivate it by activating another one. Then upload the content of the new version into the old one, replacing the old files. Now, you can reactivate this theme.
A Word About the One Click Method and Automatic Updates
WordPress cannot check if a new version is available for all the plugins and themes you use. Every day, it checks if that is the case for the ones that are available on WordPress.org.
If a plugin or a theme is not on this platform, WordPress cannot offer you the one click method, and the automatic update won’t work for this one.
But even if you have access to the one click or automatic update, it may not work, especially if you try to update a local installation on your computer.
To be able to update WordPress, a plugin or a theme automatically, the CMS must have the right to write files. In other words, WordPress files must be owned by the web server user, or this same user must have the right to write to these files.
Updating Tools and Services
While we’re on the topic of updates, WP Updates Settings is a handy plugin that gives you an easy interface to the options discussed above, if you prefer using a plugin.
Running the latest versions of the software you use is important. Now, you know how to do this with WordPress, its plugins and its themes.
As you can see, there is more than one way to update them. You should always opt for the one click and automatic methods as they are simpler, quicker and less likely to be a source of errors. However, updating manually is still an option and, sometimes, it is the only one, so it is also important to know how to do this.
Automatic updates are practical if you want to always have the latest version of WordPress, plugins and themes. It is possible to automatically update all of this so lack of time can’t be an excuse not to update!