Why software and plugin updates are good for your website
When websites go bad and why plugin updates are good
A client recently observed that no sooner had we made a big update to their WordPress e-commerce plugin than another update for the same plugin had showed up in their plugins list. For lots of people it’s a pain to have to keep updating plugins, but if you’re a website owner or website maintainer this is part of your duty to both your website and your users.
We all hear stories on the news about cybersecurity, data breaches and identity theft, but what’s that to do with your website? Security firms such as Sucuri and Wordfence do a very good job with software firewalls preventing unwanted and malicious activity on WordPress, and Joomla!, websites. Sucuri recently published an article called When Your Plugins Turn Against You which looks at how once trusted plugins can be taken over by new developers with other plans for the software, sometimes mutating into malware. This makes a very good case for staying on top of security scans.
Choose a good webhosting company
Many webhosting companies go further and actively include code in their hosting setup to both improve speed and security. But if you’re not using a recommended host, or you haven’t updated your plugins there may not be much to stop your website falling prey to the baddies who will turn vulnerable unpatched code into spam farms (and worse) quicker than you care to imagine. See this list of bad plugins for starters. Webhosts like WP Engine also has a list of banned plugins, which has a lot to do with performance but contains useful advice on why you shouldn’t follow certain practices, such as emailing directly from your website, or trashing your database.
Sucuri says: “In most instances, the compromises analyzed had little, if anything, to do with the core of the CMS application itself, but more with improper deployment, configuration, and overall maintenance by the webmasters and their hosts.”
When themes go bad
Google blocks malware and it doesn’t listen to excuses about why you forgot to run an update. Believe me, getting a website back online, let alone rebuilding reputation is a real effort. Those firewall plugins also carry stats and show how many times a bot or a human has had a go at guessing your admin details or fired something nasty at your site looking for a weakness.
There’s a cautionary tale that people tell about creating websites to test something and then forgetting about them. The website probably had a dozen WordPress themes lined up to see what worked for a job and once the project went live the development site got forgotten. Somewhere along the way some code in one of those themes was deprecated by a new version of PHP. It doesn’t take long for bots to sniff out vulnerabilities, like old code which might allow SQL injections, or elevated permissions and before you know it that website, and all the other ones on your shared hosting have been hacked, defaced or pumped full of malware.
Why you need to take care updating plugins
It’s possible to set all plugins to update automatically, and WPMU’s article on website security, 12 Ways to Secure Your WordPress Site You’ve Overlooked details methods for updating plugins without having to login. However, there’s times when allowing a plugin to be updated automatically can cause some unwanted issues. Take for example the recent Woocommerce update to version 3.0 – this was a major update and users were advised to take care with updates. They advised backups and to ensure that the website theme and extensions were compatible. We know from client feedback that this wasn’t the case with some themes and some drastic action had to be taken when an automatic plugin update didn’t work with the existing website theme.
In other cases we have seen automatic updates take down a website where a code error had been left unchecked resulting in a blank screen (White Screen of Death). In this case we had to manually rename the plugin folder to get the website admin area functioning and wait for a speedy code fix from the developers.
Use a staging site
The majority of plugins come from the WordPress repository but there’s other sources too such as the very popular Theme Forest. These include plugins developed for a specific feature, not available commercially or otherwise and some plugins are developed commercially and sold as downloads via websites such as Envato. The difference being that when a plugin is updated in the repository the admin user will be notified via the website’s dashboard, usually with a number next to the Plugins section. Commercial plugins need to be downloaded and uploaded to the website and are usually notified by email. It’s quite possible to miss email notifications and for plugins to be some versions older than the latest one. This can mean bug fixes and feature updates can be missed, leading to possible vulnerabilities in the website.
Commercial plugins need to be downloaded and uploaded to the website and are usually notified by email. It’s quite possible to miss email notifications and for plugins to be some versions older than the latest one. This can mean bug fixes and feature updates can be missed, leading to possible vulnerabilities in the website.
Using a webhost that provides a staging site facility means you can safely test plugin updates without affecting the live website. With webhosts such as WP Engine and SiteGround, creating a staging site is a one-click action and is a complete duplicate of your live website.
How many WordPress plugins is enough?
If you’ve looked in the Plugins section of your website’s dashboard you’ll see a total of all the active / inactive and updateable plugins you have installed. Take a look down the list. Plugins do so many things, from blocking bad logins, to selling products and taking payment, to managing your SEO. There are also little plugins that do things like redirecting pages, changing the look of your login page and some other stuff that is better off being called from a functions file. If you see lots of that you might want to look at alternative methods of doing pretty simple things.
Some very short code tweaks contained in a plugin can just as easily be added into the website’s function file. WPMU says in How Many WordPress Plugins Is Too Many Plugins…? that you need you need to bear in mind each plugin can be making extra http requests on the server, and querying their own tables in the database. This in turn can cause performance issues with the website, which, as we said in our last article, Why improving the pagespeed of your websites is essential for page ranking, can affect your SEO. It all adds up, so take care and think about what you need your website for.
Still not sure?
There’s a lot to take in here, and you might not be the guy who should be making the plugin updates anyway. If you need help, or pointing in the right direction, get in touch and we’ll see how we can help you keep up to date.