Industry surveys consistently find that around 60% of website breaches involve a vulnerability for which a patch was already available but had not been applied. Outdated plugins and themes remain the #1 reason WordPress sites get hacked. See below for the new WordPress plugin and theme vulnerabilities disclosed in August.
There have been no WordPress core vulnerabilities disclosed in the first half of August. However, a new major version, WordPress 5.5, was released on August 11, 2020. It includes 1500+ changes to the block editor interface, 150+ enhancements and feature requests, 300+ bug fixes, and more.
The biggest change in 5.5 is built-in auto-updates for plugins and themes. Previously you needed a plugin (or the auto_update_plugin and auto_update_theme filters in your own code) to get this. Why roll auto-updates into WordPress core? Because outdated plugins and themes are still the #1 reason WordPress sites get hacked, and an unpatched site is exposed from the moment a vulnerability is disclosed until someone remembers to update. Note the following important points –
- Not all premium plugins or themes (those that fetch updates from the vendor's own server rather than from WordPress.org) may support the new auto-updates at first
- Scheduled/automatic backups are more important than ever now. An automatic update can break a site while nobody is watching, so you need a tested way to roll back files and database.
- By default, auto-updates are turned off in 5.5. You have to enable them yourself, per plugin or theme on the Plugins and Themes screens, or for several at once with the bulk action.
NOTE – Do NOT update to WordPress 5.5 without first taking a full backup (files and database) of your website. It may also be wise to wait a little for plugin and theme authors to release any fixes needed for their code to work flawlessly with 5.5.
There have been no WordPress theme vulnerabilities disclosed.
UPDATE these if you are running a version below the one listed –
- CMP – Coming Soon & Maintenance below 3.8.2
- Divi, Extra, and Divi Builder below 4.5.3
- Gallery PhotoBlocks below 1.2.0
- Newsletter below 6.8.2
- Product Input Fields for WooCommerce below 1.2.7
- Quiz & Survey Master below 7.0.0
- Social Rocket below 1.2.10
- wpDiscuz below 7.0.4
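The list above is only useful if you can check it against what is actually installed. The script below is an added example, not code from the original post: it compares the output of WP-CLI's plugin list against the "update below" versions listed above, and wraps the backup-then-update-then-enable-auto-updates procedure the post recommends. It assumes GNU sort (for version ordering), WP-CLI installed as `wp` for the live part, and that the plugin slugs in the advisory table are correct guesses for the display names in the post; verify them against `wp plugin list` before relying on them. The plugin list embedded in the script is constructed sample data so the check can be run offline.

```shell
#!/bin/sh
# Added example (not from the original post): check installed plugin versions
# against the "UPDATE these" list above, then back up and update with WP-CLI.
# Assumptions: GNU sort (for -V); WP-CLI installed as `wp` for the live part;
# the plugin slugs below are guesses for the display names in the post and
# must be checked against `wp plugin list` before use.

# Advisory table transcribed from the post: "<slug> <first fixed version>".
ADVISORIES='cmp-coming-soon-maintenance 3.8.2
divi-builder 4.5.3
gallery-photoblocks 1.2.0
newsletter 6.8.2
product-input-fields-for-woocommerce 1.2.7
quiz-master-next 7.0.0
social-rocket 1.2.10
wpdiscuz 7.0.4'

# Constructed sample of `wp plugin list --fields=name,version --format=csv`
# output, so the check can be exercised without a WordPress install.
SAMPLE_LIST='name,version
newsletter,6.8.1
wpdiscuz,7.0.4
social-rocket,1.2.9
akismet,4.1.6'

# version_lt A B: succeed when version A is strictly lower than version B.
# Plain string comparison would claim 1.2.10 < 1.2.7, so sort -V is used.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# vulnerable_plugins: read the CSV plugin list on stdin and print
# "<slug> <installed> <fixed>" for every plugin still below its fixed version.
vulnerable_plugins() {
    tail -n +2 | while IFS=, read -r slug installed; do
        fixed=$(printf '%s\n' "$ADVISORIES" | awk -v s="$slug" '$1 == s { print $2 }')
        [ -n "$fixed" ] || continue          # plugin is not in the advisory list
        if version_lt "$installed" "$fixed"; then
            printf '%s %s %s\n' "$slug" "$installed" "$fixed"
        fi
    done
}

# update_site: the live procedure, run from the WordPress root directory.
# Back up first (the post's NOTE), patch only the affected plugins, then opt
# in to the 5.5 auto-updates (the auto-updates command needs WP-CLI 2.5+).
update_site() {
    command -v wp >/dev/null 2>&1 || { echo "wp-cli not found" >&2; return 1; }
    stamp=$(date +%F)
    wp db export "db-$stamp.sql" || return 1
    tar -czf "wp-content-$stamp.tar.gz" wp-content || return 1
    affected=$(wp plugin list --fields=name,version --format=csv | vulnerable_plugins | cut -d ' ' -f 1)
    # shellcheck disable=SC2086  # slugs contain no whitespace; word splitting is intended
    [ -z "$affected" ] || wp plugin update $affected || return 1
    wp plugin auto-updates enable --all && wp theme auto-updates enable --all
}

# Offline demonstration against the constructed sample list.
printf '%s\n' "$SAMPLE_LIST" | vulnerable_plugins
```

On a real site, source the script and pipe the live list through the check (`wp plugin list --fields=name,version --format=csv | vulnerable_plugins`) before calling `update_site`; the version comparison matters because a naive string comparison would wrongly treat Social Rocket 1.2.10 as older than the fixed 1.2.7 threshold.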
Effective Measures to Minimise Risk
There are a number of measures you can take to reduce the risk to an acceptably low level –
- Manage your web server carefully
  - control access: individual accounts for each person, SSH/SFTP keys rather than plain FTP, and no shared root login
  - configure it for security as well as performance, and keep PHP and the web server software themselves up to date
- Update your WordPress software regularly
  - check core, plugins and themes for updates routinely (at least once a month), or use an updating service (like the one we provide at Skylime)
- Back up your website files and database – this is what allows a quick recovery when you do have a problem
  - keep copies in at least 2 separate locations, e.g. cloud storage and offline (your own computer)
  - choose a web host who provides automatic daily backups as part of their service
  - test a restore before you need one; an untested backup is only a hope
- Use strong, unique passwords, and change them whenever there is reason to
  - don't re-use the same password on more than one site or account
  - mix capitals, lower case, numbers and symbols
  - use at least 12 characters (8 is the absolute minimum); a long passphrase beats a short complex string
  - change any shared logins and passwords immediately when staff leave, and whenever you suspect a password has been exposed
  - remove access permissions as soon as they are no longer needed
- Run security software
  - use secure web hosting with built-in malware scanning (like ours!)
  - install a web application firewall plugin for WordPress such as Wordfence (equivalent plugins exist for other CMSs)
  - or subscribe to a cloud firewall service such as Sucuri, which filters malicious traffic before it reaches your server
  - regularly run a malware scanner designed for websites
* * TIP * * – a password manager will make the password advice above much easier to follow