I have a WordPress site, is my site insecure?
Last week and again this week, two separate WordPress security vulnerabilities were made public, one related to the system’s visitor commenting abilities and one affecting a lengthy list of plugins and themes. As a result of these issues, WordPress sites are vulnerable to cross-site scripting (XSS) if updates are not made in a timely fashion.
WordPress is a very robust and generally safe system to use. I would not recommend it otherwise. However, like any computer software, you have to take the proper measures to keep it safe. That is the reason for this email.
These security concerns are significant, but that does not mean your WordPress-based sites are likely to be hacked immediately. That said, they do need to be dealt with sooner rather than later to avoid problems.
How can this be fixed?
WordPress developers who have created the core software, plugins, and themes we know and love are busy patching the problems so they can make updates available.
In many cases, when WordPress core automatic updates are enabled, the core software of your site will already be patched. Of course, verifying this is a worthwhile task. Your plugins and themes, on the other hand, will in most cases not auto-update. That usually must be done by a human operator.
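For readers who maintain their own sites, here is an added example (not code from this email or from WordPress itself) showing how the update behavior described above can be changed. WordPress applies minor and security releases of core automatically but leaves plugins and themes alone unless a site opts in through the auto_update_plugin and auto_update_theme filters. This must-use plugin opts in for everything except an explicit hand-maintained list; the plugin path and theme slug in that list are constructed placeholders, not real names.

```php
<?php
/**
 * Plugin Name: Opt in to automatic plugin and theme updates (added example)
 * Description: Save as wp-content/mu-plugins/auto-updates.php so it loads on every request.
 */

// Minor and security releases of core already auto-update by default;
// stating it explicitly makes the site's policy visible in one place.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );

// Plugins that must be updated by hand. Constructed placeholder: use the
// real "folder/main-file.php" path shown on the Plugins screen.
function example_manual_plugins() {
    return array( 'example-plugin/example-plugin.php' );
}

// Themes that must be updated by hand. Constructed placeholder theme slug.
function example_manual_themes() {
    return array( 'example-theme' );
}

// Auto-update every plugin except those in the hand-maintained list.
// $item is the update object WordPress passes; ->plugin is the plugin file path.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, example_manual_plugins(), true ) ) {
        return false;
    }
    return true;
}, 10, 2 );

// Auto-update every theme except those in the hand-maintained list.
// For themes, ->theme is the theme directory slug.
add_filter( 'auto_update_theme', function ( $update, $item ) {
    if ( isset( $item->theme ) && in_array( $item->theme, example_manual_themes(), true ) ) {
        return false;
    }
    return true;
}, 10, 2 );
```

Automatic updates run from WP-Cron, so a site that receives no visitors may lag behind; the Updates screen in the dashboard still shows exactly what is pending. Turning this on does not remove the need for the backup step below: an unattended update can break a site just as a manual one can, and the exclusion lists exist precisely for plugins and themes known to need a hands-on upgrade.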
Backup first!
Before doing any major updates to a WordPress site (like those noted here), it is important to have a backup of your current site. Sometimes when we do updates it can break aspects of our current site and we always want to be able to “go back” if we need to fix a problem.
Some hosting services like Flywheel, GoDaddy Managed WordPress, and WPEngine do backups automatically. If you don’t use one of these hosting services, you probably do not have a recent backup and need that prior to the updates. There are plugins and services to help us do this.
I am a client of yours, so aren’t you taking care of this for me already?
Maybe, but maybe not. There are a few scenarios for my clients and friends. If in doubt, contact me ASAP:
- Current WordPress Project Clients: If we are currently working on an active WordPress project, don’t worry. I’m already on it.
- WordPress Maintenance Package Clients: If you have a Website Maintenance Package in place with me for your WordPress site, don’t worry. I’m already on it. (Interested in a maintenance package? Learn more.)
- Hourly/Retainer Clients: If I’m doing à la carte or hourly work for you and you have a WordPress site, you may contact me for immediate action or wait for me to be in touch as soon as possible. Look for contact from me soon.
- Non-Clients: If we do not currently collaborate on a WordPress site, please still feel free to reach out for help! I’m here to make sense of this for you.
Don’t hesitate to contact me with any questions.