Keep your WordPress software up to date – unless you like nasty surprises

Recently we’ve been asked to look at a few sites built in WordPress, and have been surprised to find the software is years – yes, years – out of date.

Allowing your WordPress website to drift like this is a bad move that can leave your site open to hackers who could bring it down or worse.

Your site could be taken off search results and your reputation could be damaged, but most of all it will take a lot of time to clean up the mess.

WordPress is the most popular website platform in most of the world, with good reason.

It’s free for a start, but it can also be extended with the help of plug ins, which allow custom functions like photo galleries or forums – just about anything you want.

[Image: Update WordPress now! Caption: WordPress gives you plenty of warnings about updates to itself and its plug ins]

Another reason for its success is that WordPress is constantly moving forward, with a new version featuring improvements released every three to four months – the latest (3.5) was just last week – and sub versions to fix bugs and security issues in between.

Every major update also means the plug ins have to change, too.

That popularity means lots of people who like to hack websites devote a lot of time to finding holes in WordPress. Hackers share information, and once they find a hole they will tell lots of other hackers.

When this has happened in the past, the WordPress community has been quick to close the security hole by rolling out a new update that fixes the problem.

Asking for trouble

But if you don’t apply the update, your site is basically sitting there waiting to be hacked. And the hackers will be looking for you.

Now we are not trying to scare you, or put you off using WordPress, but if you or your web designer ignore this aspect of using WordPress then you are asking for trouble.

WordPress itself does its best to warn users of new versions, but it’s amazing how many people ignore the warnings.

Even Google started warning website owners if they were running out of date WordPress versions, and there were plenty of examples of people being caught out who should have known better.

For example, the Reuters blog was hacked earlier this year and found to be running a version of WordPress that was two years out of date.


The result: Your website can be home to nasty software, advertising dodgy online drugs, hosting one of those fake banking/phishing sites or just taken over by someone else. In most cases you may not even know anything is wrong.

This can get your website blacklisted and removed from search results, and the damage to your reputation can be immense.

[Image: Out of date plug ins. Caption: That’s a lot of out of date plug ins]

Sometimes the fault here lies with web companies themselves, who sell a website to a customer but don’t explain that the software it runs on must be kept up to date.

One company we know of even told a customer to ignore the prompts to update the plug ins and WordPress version – and warned them that if they updated and things went wrong they would be on their own.

In this case it seems the web company involved simply didn’t understand how to keep WordPress up to date – or the importance of doing so.

A Stitch in Time Saves Nine

Some customers are put off by the idea that their website will need to be maintained and that there will be a small cost associated with this, but skipping it is a false economy.

After all, doing the necessary back-ups and keeping everything up to date is a finite task that shouldn’t take long if done regularly.

Fixing a hacked website can be a long and involved process that could cost a lot – in time and money – to put right.

Or to put it another way, keeping WordPress and your plug-ins up to date is the equivalent of taking your vitamins, but putting a hack attack right is open heart surgery.

Ask your web company

So if you already have a WordPress site, find out what your web company is doing about back-ups and software updates. If you look after your own site, then don’t ignore the warnings.

And if you’re thinking about having a WordPress site built for you, ask your web company what they are going to do about updating it and its plug-ins. If they don’t have an answer, then you might be better off going somewhere else.

Otherwise there could be a lot of time and expense waiting for you down the road.

More information

How to Keep WordPress Secure by Matt Mullenweg, co-founding developer of WordPress

WordPress Security: Seven Ways I Could Hack Into Your WordPress Site – Mark Maunder

Reuters was using old WordPress version when it was hacked –