Vulnerabilities Related Updates

coreSecurity Pro can show vulnerabilities related to PHP, WordPress Core, Plugins and Themes.

PHP

When it comes to PHP, things can get quite complicated. There are multiple versions of PHP available, and each one has minor releases that aim at fixing bugs and vulnerabilities.

There are two major benefits to using newer PHP versions:

  • Performance: each new major PHP release is faster than the previous one and uses fewer system resources.
  • Security: new major and minor PHP releases receive the latest fixes for bugs and vulnerabilities.

Here is what you need to know about updating PHP:

  • It is not always possible to use the latest major PHP version, but it is important to use the latest minor version of the major version you are currently using. For instance, if you use PHP 8.1 (a major version), it is important to use the latest 8.1 release (for instance: 8.1.26).
  • At any time only 3 major PHP versions are supported and developed by the PHP Development Team. Try to always use one of the supported major PHP versions: Supported PHP Versions.
  • When updating from one minor PHP version to another within the same major version, there should be no issues with existing code. But when you update from one major PHP version to another, it is important to test WordPress and all plugins and themes to make sure they are compatible with the major PHP version you are switching to. This testing should be done on a staging or development copy of the live website. Do not test this on the live website; it can crash it.
  • PHP runs at the server level, and you need server access to update it. Some hosting companies have easy-to-use PHP switchers where you can pick the PHP version to use, but with some hosting companies you have to work with their support to change the PHP version.
  • Good hosting companies offer multiple major PHP versions and keep each one updated to the latest minor release. If your hosting company is running old major PHP versions, or does not keep them updated to the latest minor releases, your websites may be exposed to any vulnerability in the PHP version you are stuck using. In that case, if your host is unwilling to update, it is best to change hosting.

Check out the official WordPress PHP update guide: Get a faster, more secure website: update PHP today.
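As an added example (not coreSecurity Pro code), the following PHP function applies the policy above to the running interpreter: it reports whether the build is on a supported major.minor branch and whether it is at that branch's latest release. The `$latestPatch` table is a constructed placeholder; only the 8.1.26 value comes from this page, and the table must be refreshed from php.net before use.

```php
<?php
// Added example: classify the running PHP build against the update policy.
// $latestPatch maps a supported "major.minor" branch to its latest release.
function php_version_status(string $running, array $latestPatch): string
{
    [$major, $minor] = array_map('intval', explode('.', $running));
    $branch = "$major.$minor";

    if (!isset($latestPatch[$branch])) {
        // Not one of the supported branches: a major upgrade is needed,
        // and it has to be tested on staging first.
        return "PHP $running is on branch $branch, which is not in the supported list; plan a tested major upgrade";
    }

    $latest = $latestPatch[$branch];
    if (version_compare($running, $latest, '<')) {
        // Same branch, but missing bug and security fixes: a safe, low-risk update.
        return "PHP $running is behind the latest $branch release ($latest); ask your host to update";
    }

    return "PHP $running is the latest release on the supported $branch branch";
}

// Placeholder table: keep only currently supported branches, with their latest release.
$latestPatch = [
    '8.1' => '8.1.26',   // value mentioned on this page
    '8.2' => '8.2.0',    // placeholder, look up the current value
    '8.3' => '8.3.0',    // placeholder, look up the current value
];

// Build a clean x.y.z string; PHP_VERSION may carry a distro suffix such as "-1ubuntu".
$running = sprintf('%d.%d.%d', PHP_MAJOR_VERSION, PHP_MINOR_VERSION, PHP_RELEASE_VERSION);
echo php_version_status($running, $latestPatch), PHP_EOL;
```

Run it with `php check.php` on the server (or through the hosting PHP switcher) to confirm which branch the site actually uses.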

WordPress Core

Since WordPress 3.7, automatic background updates have been included in every WordPress release, which makes it much easier to stay on the latest version of WordPress. Just like PHP, WordPress has major versions, and each major version has minor releases for bug and vulnerability fixes. The WordPress Development Team backports the latest fixes to all major WordPress versions going back to 4.0.

  • Always keep WordPress updated to at least the latest minor version of your WordPress major version. If you use WordPress 6.0, make sure you have the latest 6.0 release installed (6.0.3, for instance).
  • Using the latest major WordPress version is highly recommended for all the latest features and updates that go beyond bug fixing. Many popular plugins will only work with the latest WordPress major releases. Make sure you know which WordPress version and plugin versions you are using and whether there are any compatibility issues between them. The best policy is to always keep WordPress and all plugins fully updated.
  • The WordPress Development Team is usually very quick to fix vulnerabilities in the Core, so it is important to stay informed about new minor updates and keep your website updated. Core vulnerabilities are very rarely exploited to hack websites, but if you are running an old and outdated WordPress, your website is at risk.

Plugins

Plugins are a key component of the WordPress experience: every WordPress website uses at least a few plugins, and most websites use 20+.

  • If you use a vulnerable plugin and a newer version is available, update as soon as possible! If you are holding off on the update for whatever reason, understand that your website is potentially vulnerable and hackers can exploit the vulnerability.
  • On WordPress-powered websites, most exploited vulnerabilities are linked to plugins, not WordPress core. Plugins are often developed by one developer or a small team, and vulnerabilities can stay hidden and unfixed for a long time. Once a vulnerability is discovered, hackers can use it very quickly to find affected websites and hijack them, inject malware, steal user information…
  • Plugins can have various system requirements, so newer plugin versions need testing to make sure they do not break anything. Requirements are usually related to WordPress and PHP. Before updating plugins, especially to major versions, test them on staging or in a development environment to make sure they are compatible with your website.
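As an added example (not coreSecurity Pro code), this is how WordPress' own auto-update machinery, available since 3.7, can be configured to follow the Core and Plugins policy above: minor core releases are taken automatically, while plugin auto-updates are limited to a list you have already tested on staging. The plugin slugs in `$tested` are assumed; maintain that list yourself.

```php
<?php
// Added example: auto-update policy using WordPress' built-in hooks.

// 1) wp-config.php: take every minor (bugfix/security) core release automatically,
//    but leave major core upgrades for a manual, tested update.
//    Valid values: true (all releases), false (none), 'minor' (minor releases only).
define('WP_AUTO_UPDATE_CORE', 'minor');

// 2) Must-use plugin, e.g. wp-content/mu-plugins/auto-update-policy.php (assumed path):
//    only plugins already tested on staging are updated in the background.
//    $item is the update object from the plugins update transient; ->slug names the plugin.
add_filter('auto_update_plugin', function ($update, $item) {
    $tested = ['akismet', 'contact-form-7']; // assumed slugs; keep this list current

    // Everything not in the list waits for a manual, tested update.
    return in_array($item->slug ?? '', $tested, true);
}, 10, 2);

// Themes follow the same rule as plugins: test before updating, so no background updates.
add_filter('auto_update_theme', '__return_false');
```

The Dashboard > Updates screen still lists pending plugin and theme updates, so holding them back here does not hide them.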

Themes

Everything said about plugins also applies to themes. But with themes, there is one aspect that can make them harder to update.

  • While WordPress supports child themes for adding custom code and styling without touching the main theme, it is very common to see users modifying the main theme directly. Once you modify a theme, you can no longer update it without losing all your changes. Modifying themes directly is a very bad idea; always use a child theme for that.
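As an added example (not coreSecurity Pro code), here is a minimal child theme, the structure that lets the parent theme be updated without losing customizations. The directory name `my-child-theme`, the parent directory name `parent-theme-dir` and the excerpt override are assumed placeholders.

```php
<?php
// Added example: wp-content/themes/my-child-theme/functions.php (assumed path).
//
// The child theme also needs a style.css whose header names the parent theme's
// directory in "Template"; that single line is what makes WordPress treat this
// directory as a child of the parent:
//
//   /*
//   Theme Name: My Child Theme
//   Template:   parent-theme-dir
//   */
//
// WordPress loads the child's functions.php before the parent's, so all custom
// code goes here and survives every parent theme update.

add_action('wp_enqueue_scripts', function (): void {
    $child  = wp_get_theme();      // the active (child) theme
    $parent = $child->parent();    // WP_Theme of the parent, or false if none

    // Parent stylesheet first (get_template_directory_uri() points at the parent),
    // then the child's style.css (get_stylesheet_directory_uri() points at the child),
    // so child rules override parent rules. Versions bust caches after updates.
    wp_enqueue_style(
        'parent-style',
        get_template_directory_uri() . '/style.css',
        [],
        $parent ? $parent->get('Version') : null
    );
    wp_enqueue_style(
        'child-style',
        get_stylesheet_directory_uri() . '/style.css',
        ['parent-style'],
        $child->get('Version')
    );
});

// Behaviour changes belong in hooks here, never in edited parent files.
// Assumed example: shorten excerpts to 30 words.
add_filter('excerpt_length', fn (int $length): int => 30);
```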