How to Maintain WordPress Software Security

Just as with your desktop software, you should keep your WordPress software up to date. With WordPress running a majority of websites now, more attackers are looking for vulnerabilities in it, since a single flaw gives them a high return. Various vulnerabilities have been identified in WordPress in the past, and the project has a good track record of addressing them in a timely manner.

If you have a recent WordPress installation (3.7 or above), then you likely already have automatic updates for WordPress core enabled. That is certainly good news, as it's one less thing to remember, but I generally don't like automatic updates because they don't give you the opportunity to test and make sure your site is fully working first.

As for your plugins and themes, make a habit of logging into the WordPress admin panel and checking for updates at least monthly (just as you should be doing with your normal desktop updates). Or, if you want to take the automatic-updates approach for plugins and themes as well, there is a plugin called Advanced Automatic Updates which will do that for you.

Also note that some web providers and hosts already perform updates on your behalf, so you should understand the built-in options at the server and host level.
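As an added example that is not part of this article (and not the Advanced Automatic Updates plugin named above), the following must-use plugin keeps WordPress core on security-only automatic updates and auto-updates just an allow-list of plugins and themes, leaving everything else for the manual monthly check. The WP_AUTO_UPDATE_CORE constant and the auto_update_plugin / auto_update_theme filters are WordPress's own (available since 3.7); the slugs in the allow-lists are constructed placeholders.

```php
<?php
/**
 * Plugin Name: Selective auto-updates (added example, not from the article)
 *
 * Save as wp-content/mu-plugins/selective-auto-updates.php so WordPress
 * loads it on every request. Assumes WordPress 3.7 or later.
 */

// Core: put this line in wp-config.php so that only minor (security and
// maintenance) releases install unattended; major releases stay manual so
// the site can be tested before upgrading:
//     define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// Plugins whose updates are low-risk enough to apply without a test pass.
// Slugs are the plugin directory names; these entries are placeholders.
const SAFE_AUTO_UPDATE_PLUGINS = array(
    'example-security-plugin',
    'example-backup-plugin',
);

// Themes, by stylesheet slug. Placeholder entry.
const SAFE_AUTO_UPDATE_THEMES = array(
    'example-child-theme',
);

/**
 * Decide whether one plugin update may run unattended.
 * $update is WordPress's default decision; $item is the update object,
 * whose ->slug is the plugin's directory name. Returning false leaves the
 * update for the monthly manual review in the admin panel.
 */
function selective_auto_update_plugin( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, SAFE_AUTO_UPDATE_PLUGINS, true ) ) {
        return true;
    }
    return false;
}
add_filter( 'auto_update_plugin', 'selective_auto_update_plugin', 10, 2 );

/** Same policy for themes; $item->theme is the theme's stylesheet slug. */
function selective_auto_update_theme( $update, $item ) {
    return isset( $item->theme )
        && in_array( $item->theme, SAFE_AUTO_UPDATE_THEMES, true );
}
add_filter( 'auto_update_theme', 'selective_auto_update_theme', 10, 2 );
```

Anything not on the allow-lists still shows up under Dashboard > Updates, so the monthly check described above remains the place where those are reviewed and tested.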

How to Know When New Security Patches Exist

While the built-in tools are designed to notify you of new security updates, you might not notice those notifications in a timely manner for various reasons. One way to stay on top of security patch releases is to subscribe to security notifications from the vendors, or to use a service that aggregates all the security information.

This is not a complete list, but simply a list of the top vendors you should be aware of, as the attack surface of those products is incredibly high.

Email- or RSS-based security notifications:

Where to Find Software Patches?

This will vary depending on which operating system and applications you are running. Among the most common software products in use on Microsoft Windows based machines, Adobe Reader, Adobe Flash and Oracle Java are the top products with frequent security patch updates.

Microsoft releases its security updates on the second Tuesday of every month. This well-known release schedule helps you plan your update deployments accordingly. On occasion, Microsoft will release a fix outside the standard schedule when a critical vulnerability has been identified and is likely being exploited in the wild. The Windows Update control panel will take you through the update process.

Adobe has adopted Microsoft's "Patch Tuesday" model for releasing its security updates. This originated from customers wanting a single patch cycle, making it a bit easier to maintain a fully patched system. Adobe has a built-in update tool in its Flash and Reader software. The Adobe Flash Player Distribution page and Adobe Reader page have direct download links.

Oracle releases Java updates three times per year, in February, June and October. As the updates are concentrated in batches, each one is likely to include a large number of security fixes. On occasion, Oracle will release an out-of-band security fix for high-impact vulnerabilities. The Java control panel will take you through the update process.

As a good practice, I would make sure your computer is running the latest software every month.

Why Should I Apply Software Patches?

One major factor in your computer's security posture is what software you are running: the more software in use, the more potential issues an attacker could leverage. The top cause of a computer being exploited is running older versions of software that have known vulnerabilities. This is why it is incredibly important to keep your devices up to date. From operating systems to applications to browser plugins, you should maintain your computing environment with the latest security updates. Vulnerabilities are identified in products frequently, which is why vendors put out patches to address them.