The WordPress community releases new versions of WordPress on a regular basis to add features, fix bugs, improve security, and modernize the experience for bloggers, developers and creative agencies.
However, a new report from Hashed Out by The SSL Store revealed that 49% of WordPress sites in the Quantcast Top 10,000 were not using the latest, more secure version of WordPress.
Hashed Out examined the WordPress sites after the launch of WordPress version 4.9.5 earlier this month to find out how many had updated to the latest version and how many were multiple updates behind.
WordPress 4.9.5 is a security and maintenance release for all versions since WordPress 3.7. According to WordPress, versions 4.9.4 and earlier are affected by three security issues. But users are not paying heed to the updates: the report stated that 33% of the WordPress sites were using version 4.9.3 or earlier.
WordPress is the most used platform for building websites, and the platform most commonly attacked by hackers. If a WordPress site is attacked, it can be very difficult to fix because attackers may leave behind hidden entry points that let them find their way in again. Hence, not updating to the latest version is a big concern for WordPress users.
“The biggest problem in WordPress security (or any other kind of site) is getting people to realize that having a WP website is like having a puppy,” says Dawes. “If you don’t take care of it – feeding, grooming, vaccinations and the like – you’re going to have problems.” — Ken Dawes, senior web developer and WordPress expert.
Why don’t users update to new WordPress versions?
According to Paul Bischoff, a security expert and privacy advocate for Comparitech.com, users don’t update to new versions because they think it might affect site stability. For example, some WordPress plugins might stop working.
They’re also worried that if they have changed a theme directly, without putting the same changes into a child theme, those changes will be lost when they update to a new version.
Online businesses, on the other hand, don’t update because they think it might cause downtime, which they consider more expensive than the risk of attack.
The longer you wait, the more vulnerable you are
It’s not easy for hackers to find vulnerabilities in software. They get to know about a vulnerability when the software publisher releases a patch for it. Not all users update to the new version, and that’s where hackers find the opportunity: they know that the vulnerability still exists on the installations that were not updated. Hence, users who don’t update are at great risk.
As per the study, of all the websites in the Quantcast Top 10,000, 17% run on WordPress. Out of those WordPress sites, 49% were not running the latest version, and 33% were at least two updates behind, which means around half of the WordPress sites were at risk of attack.
There is a common misconception among small and medium-sized businesses that they’re not vulnerable to hacking because they’re too small to be worth attacking. However, several reports clearly show that SMBs are constantly attacked more than large businesses.
74% of SMBs were attacked in 2017, according to the Symantec 2017 Threat Report. Another report, from the National Cyber Security Alliance, revealed that 60% of SMBs go out of business within six months of an attack.
How can you keep your WordPress site safe?
Whenever WordPress releases updates to its plugins or content management system, users get a notification in the dashboard that an update is available. When an update is available, users should not waste time wondering whether they need to update.
Users worried about their themes should use child themes. This lets them update all the themes in the installation with no negative impact on the site.
WordPress users should stop using plugins that might not be compatible with new versions, and delete plugins that are unused or outdated. Use strong passwords and update them on a regular basis.
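To apply the study's measure (share of sites not on the latest release, and share at least two updates behind) to sites you manage, here is an added example that is not from the Hashed Out report or from WordPress. The host names and inventory are constructed, and the release list contains only the versions named in this article.

```python
# Added example: measure WordPress update lag across a site inventory.
# Releases named in the article, oldest to newest; extend as new ones ship.
RELEASES = ["4.9.3", "4.9.4", "4.9.5"]

# Constructed sample inventory (hypothetical hosts and detected versions).
SAMPLE_INVENTORY = {
    "shop.example": "4.9.5",
    "blog.example": "4.9.4",
    "news.example": "4.9.3",
    "legacy.example": "4.8",
}

def parse(version):
    """Turn '4.9.5' into (4, 9, 5); return None if it is not numeric."""
    try:
        parts = [int(p) for p in version.strip().split(".")]
    except ValueError:
        return None
    # Pad short versions so '4.9' compares as (4, 9, 0).
    return tuple(parts + [0] * (3 - len(parts)))

def updates_behind(installed, releases=RELEASES):
    """Count known releases newer than the installed version."""
    current = parse(installed)
    if current is None:
        # Unreadable version string: assume the worst so it gets reviewed.
        return len(releases)
    return sum(1 for r in releases if parse(r) > current)

def audit(inventory, releases=RELEASES):
    """Return (lag per site, share not on latest, share two or more behind)."""
    if not inventory:
        raise ValueError("inventory is empty")
    lag = {site: updates_behind(v, releases) for site, v in inventory.items()}
    total = len(lag)
    not_latest = sum(1 for n in lag.values() if n >= 1) / total
    two_plus = sum(1 for n in lag.values() if n >= 2) / total
    return lag, not_latest, two_plus

if __name__ == "__main__":
    lag, not_latest, two_plus = audit(SAMPLE_INVENTORY)
    for site, n in sorted(lag.items(), key=lambda kv: -kv[1]):
        print(f"{site}: {n} update(s) behind")
    print(f"not on latest: {not_latest:.0%}, two or more behind: {two_plus:.0%}")
```

Versions are compared as integer tuples rather than strings, so a later release such as 4.9.10 is correctly ordered after 4.9.5.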