The other day I received an email from someone. There were problems with the website and I was asked if I would take a look and possibly fix it. Once I logged into the WordPress dashboard I was shocked, and that is putting it mildly. There was a notification asking whether to update WordPress: the website was still running version 4.1, a version released two years ago. Two years!
If you run a self-hosted WordPress installation, you are responsible for keeping the CMS updated. I understand that some people hesitate: shall I update now or not? What if something happens to my site? But an update is released for a reason. Not updating your WordPress site has serious consequences, the biggest risk being precisely that something does happen to your site.
That you temporarily ignore the notification of a new update, I can understand. But ignoring it for years? I find that very strange, especially since the notification is designed to be pretty much the first thing you see when you log in. I get nervous right away when I log in to a client's site and see an update notification, and they immediately get the advice to take a moment to complete the update.
Why is WordPress updated?
There are two reasons WordPress is updated, namely for:
- introducing new features.
- fixing bugs.
When an update only introduces new features, installing it is not even mandatory. Note the word mandatory: you do not have to install it if you can do your work without the new features. While it is advisable to update, it is not required.
When an update fixes bugs, you should always install it. Sometimes they are small bugs you would never have noticed, but security fixes are regularly among them. Take a look at this list of security problems.
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php in WordPress before 4.5 allows remote attackers to hijack the authentication of administrators for requests that change the script compression option.
SQL injection vulnerability in the wp_untrash_post_comments function in wp-includes/post.php in WordPress before 4.2.4 allows remote attackers to execute arbitrary SQL commands via a comment that is mishandled after retrieval from the trash.
Cross-site request forgery (CSRF) vulnerability in wp-login.php in WordPress 3.7.4, 3.8.4, 3.9.2, and 4.0 allows remote attackers to hijack the authentication of arbitrary users for requests that reset passwords.
Reading this, it sounds very technical, but the reports in this list show that a regular update has repeatedly closed a security hole. These notifications show that attackers can gain access to your site, deface it, make changes or delete it completely. By not updating WordPress, your site remains exposed to exactly these attacks, which are public knowledge once the fix is released.
By the way, the first notification I list here is from the latest update, so if you have not done it yet I would update to version 4.6(.1) now.
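If you do not want to rely on the dashboard notification at all, the installed version can be read directly from the file `wp-includes/version.php` on the server (the `$wp_version` variable) or, if the theme has not removed it, from the `<meta name="generator">` tag in the site's HTML. The script below is an added example, not code from the original post or from WordPress itself. The sample file contents and HTML are constructed to mimic a 4.1 install, and the "latest" version of 4.6.1 is simply the one this post recommends; in practice you would take it from the WordPress release page.

```python
import re

# Constructed sample of wp-includes/version.php from an old install
# (not a file copied from any real site).
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 *
 * @global string $wp_version
 */
$wp_version = '4.1';

$wp_db_version = 30133;
"""

# Constructed sample of a page header carrying the generator tag.
SAMPLE_HTML = (
    '<html><head><meta name="generator" content="WordPress 4.1" />'
    '</head></html>'
)

# Assumption: the version this post recommends; refresh from the
# WordPress release page before relying on it.
LATEST_KNOWN = "4.6.1"


def parse_version(version):
    """Turn '4.6.1' into (4, 6, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def version_from_php(text):
    """Extract $wp_version from the contents of wp-includes/version.php."""
    match = re.search(r"""\$wp_version\s*=\s*['"]([0-9][0-9.]*)['"]""", text)
    return match.group(1) if match else None


def version_from_html(html):
    """Extract the version from the generator meta tag, if the theme left it in."""
    match = re.search(
        r'<meta\s+name="generator"\s+content="WordPress\s+([0-9][0-9.]*)"',
        html,
        re.IGNORECASE,
    )
    return match.group(1) if match else None


def is_outdated(installed, latest=LATEST_KNOWN):
    """True when installed < latest; pads so that 4.6 compares as 4.6.0."""
    a, b = parse_version(installed), parse_version(latest)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def report(installed, latest=LATEST_KNOWN):
    """One-line verdict for an installed version string (or None if unknown)."""
    if installed is None:
        return "version not found; check wp-includes/version.php by hand"
    if is_outdated(installed, latest):
        return f"WordPress {installed} is OUTDATED (latest known: {latest}); update now"
    return f"WordPress {installed} is current"


if __name__ == "__main__":
    print("from version.php:", report(version_from_php(SAMPLE_VERSION_PHP)))
    print("from HTML:       ", report(version_from_html(SAMPLE_HTML)))
```

Reading `version.php` is the reliable check, since the generator tag is often stripped by themes or security plugins; treat a missing tag as "unknown", not "safe". Note that the 4.6 vs 4.6.1 case is handled: a minor release counts as outdated, which is why the advice above says 4.6(.1).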
I find it a bit strange that when there is an update to Android or iOS, my whole Twitter timeline is full of people who have installed it, while with WordPress they are still several versions behind. Don't you want a secure and stable WordPress installation so your focus can remain on blogging, instead of spending days getting the website fixed again? Seems like it to me.