How to update WordPress, plugins and themes to maintain security

Keeping WordPress, plugins and themes up to date is an essential security task. Of course, we sometimes update to get extra features, but often it is to fix security flaws and bugs.

Have you ever wondered how hackers gain access to WordPress? Do they somehow hack your admin account? Do they guess the password? Yes, sometimes they do and your login page is probably under attack right now, but mostly hackers don’t get in that way.

Hackers and malware often gain access to WordPress websites through security flaws and bugs. Request a particular file in a certain way, or send a specially crafted URL to your website or a plugin, and bang, they are in through a flaw.

Most updates to WordPress, plugins and themes are not made to add new features; they are made to fix bugs and plug security holes.

Ignoring updates or simply being slow to apply them puts your website at risk of being compromised, so it is essential that you stay on top of updates.

Back up before updating

Whenever WordPress, themes or plugins are updated, there is the potential for something to go wrong. It does not happen very often or to many people, but sometimes an incompatibility arises between the various components that make up a website/blog and the problems can be minor or major.

Creating a backup before updating is like an insurance policy. Most likely you will not need it, but if something goes wrong, you will be so glad you have it.

How do you create a backup?

Go to Plugins in the sidebar and click the Add New button. Enter backup into the search box and a large number of plugins that can do the job are listed. Which one should you choose when so many are available?

A good guide is the number of people using a plugin and the rating they give it. There are several backup utilities with over one million active installations, such as UpdraftPlus (free), Jetpack (paid plan only), Duplicator – WordPress Migration Plugin (free), and All-in-One WP Migration (free).

UpdraftPlus plugin for WordPress backups

Here is a step by step guide to backing up with UpdraftPlus.

Update the theme

The theme your site uses may contain security flaws and bugs that could potentially be exploited by hackers. It is therefore essential to keep it up to date.

You will be notified when there is an update if you use a theme that was installed from the WordPress.org theme gallery.

Go to Appearance > Themes > Add New to browse and install themes from WordPress.org.

To check for updates to themes, go to the Dashboard > Updates submenu.

Updating a theme is simply a matter of ticking the check box next to the theme and clicking the Update button. It takes seconds.

If you purchased the theme from elsewhere, you may or may not be notified when updates are available. It might be up to you to check with the theme developer and to compare the version installed with the latest version on the website.

If there is an updated version available, you should check with the developer for update instructions, but you may need to update it manually. Sometimes a theme can be updated in place, but occasionally the changes between versions are so great that you need to install it as a new theme and then switch from the old one to the new one. The theme developer will tell you if this is necessary.

Delete themes you do not use

WordPress often comes with a couple of themes and you may have tried several others before settling on the one you use now. You might therefore have many themes installed in your WordPress site.

Themes are potential doorways that hackers can exploit to gain entry to your site. Even if you are not using a theme, simply having the code on your site could be a problem, so get rid of it.

Delete all but two themes – the one you are currently using, obviously, and one as a backup. I usually keep a recent WordPress theme, like Twenty Seventeen, as a backup. All others are gone.

Delete unused WordPress themes

To delete a theme:

  1. Go to Appearance > Themes
  2. Click one of the large theme thumbnails
  3. Click the Delete link in the bottom right corner

Check plugins for problems

Plugins are a serious security problem and threat to your website. Sometimes they contain bugs that cause compatibility problems for your site, sometimes they contain security flaws, sometimes they are deliberately used for malicious purposes.

For this reason you should keep the number of plugins used on your site to the minimum you can live with. Some are essential of course, but some just make things a bit more convenient and you could live without them.

Here is an example of the sort of problem that can occur with plugins. A WordPress plugin developer may sell their plugin for various reasons: it is old, they have other, more important plugins to work on, and so on.

The buyer of the plugin then gets the code for it and can modify it. They could insert malicious code, advertising code, and other undesirable code. This plugin is then posted as an update on the WordPress.org plugins site and it gets pushed out to everyone that has it installed on their site.

The malicious plugin can end up being installed on thousands of websites almost overnight by people updating their plugins. What was a useful and safe plugin from the WordPress site can become malware that is pushed out to everyone.

Here is an article that gives the details of hijacked plugins that now contain malware: WordPress supply chain attacks. Do you have any of the ones mentioned?

Could it happen again? Yes. Apart from following security blogs like the one at the Wordfence website, it is hard to protect against this type of security threat.

  • Write down the developer’s name for each plugin you use
  • When updates are offered, check that there has not been a change of developer
  • Be suspicious if the plugin developer changes

What a pain, but what else can you do?
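One way to make the "write down the developer's name" step less of a pain is to script it. The following is an added example, not code from the article: it reads the Author and Version lines from each plugin's header comment (the standard wp-content/plugins/<slug>/<main-file>.php layout is assumed), saves them as a baseline, and flags any plugin whose author differs on a later scan, which is the change the list above says to be suspicious of. The sample site it builds is constructed for the demonstration; the plugin names in it are not real plugins.

```shell
#!/bin/sh
# Added example (not from the article): record each plugin's author and version
# from its header comment, then diff a fresh scan against the saved baseline so
# a change of developer is flagged before the update is applied.
# Assumes the standard layout wp-content/plugins/<slug>/<main-file>.php.

# Print "slug<TAB>author<TAB>version" per plugin. WordPress reads the header from
# the first 8 KB of the main file, the first .php carrying a "Plugin Name:" line.
plugin_manifest() {
    for dir in "$1"/*/; do
        slug=$(basename "$dir")
        for f in "$dir"*.php; do
            [ -f "$f" ] || continue
            hdr=$(head -c 8192 "$f" | tr -d '\r')
            printf '%s\n' "$hdr" | grep -q '^[[:space:]*]*Plugin Name:' || continue
            author=$(printf '%s\n' "$hdr" | sed -n 's/^[[:space:]*]*Author:[[:space:]]*//p' | head -n 1)
            version=$(printf '%s\n' "$hdr" | sed -n 's/^[[:space:]*]*Version:[[:space:]]*//p' | head -n 1)
            printf '%s\t%s\t%s\n' "$slug" "${author:-unknown}" "${version:-unknown}"
            break
        done
    done | sort
}

# Compare a saved baseline manifest ($1) against a fresh one ($2); print a
# warning for every plugin whose author changed and return 1 if any did, else 0.
check_author_changes() {
    changed=0
    tab=$(printf '\t')
    while IFS=$tab read -r slug author version; do
        old=$(awk -F '\t' -v s="$slug" '$1 == s { print $2 }' "$1")
        [ -n "$old" ] || continue   # plugin not in baseline: nothing to compare
        if [ "$old" != "$author" ]; then
            printf 'WARNING: %s author changed: "%s" -> "%s" (version %s)\n' \
                "$slug" "$old" "$author" "$version"
            changed=1
        fi
    done < "$2"
    return "$changed"
}

# Constructed sample site for trying the functions offline: two made-up plugins
# using the two header styles WordPress accepts; sample-seo's author/version are $2/$3.
make_sample_site() {
    p="$1/wp-content/plugins"
    mkdir -p "$p/sample-seo" "$p/sample-cache"
    printf '<?php\n/*\nPlugin Name: Sample SEO\nAuthor: %s\nAuthor URI: https://example.com\nVersion: %s\n*/\n' "$2" "$3" > "$p/sample-seo/sample-seo.php"
    printf '<?php\n/**\n * Plugin Name: Sample Cache\n * Author: Cache Team\n * Version: 2.0\n */\n' > "$p/sample-cache/sample-cache.php"
    printf '<?php // helper file without a header, must be skipped\n' > "$p/sample-cache/helpers.php"
}
```

On a live site, run `plugin_manifest /path/to/wp-content/plugins > baseline.tsv` once, and before each update round rescan and pass the old and new files to `check_author_changes`.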

Update plugins to fix flaws

Sometimes a security flaw is found in a plugin and the developer will update it. If you don’t, a hacker or malware could use the flaw to gain access to your site.

WordPress is good at making you aware of updates for plugins, and a red circle with a number in it next to Plugins in the sidebar is a major giveaway.

Update WordPress plugins through the Dashboard

Sometimes updates go wrong, so don’t be the first to install an update. Wait a couple of days to see if any problems are discovered. If you don’t hear anything, update.

Deactivate plugins you don’t use

There may be plugins that you once used, but are no longer using. Some plugins overlap in features and you may be able to live without one or the other. Go to Plugins in the sidebar and look through the list of plugins and ask yourself whether you actually need each one. Are there features in one that are also duplicated in another?

Jetpack, for example, is a multifunction plugin that adds a lot of different features, and it could be used instead of several others.

Deactivating a plugin means there is one less security headache. A deactivated plugin is much harder for a hacker to use to gain entry to your site.

Delete plugins you do not use

To be really safe from security issues with a plugin, it should be deactivated and then deleted. Take a long hard look at the plugins you use and ask yourself whether you can manage without any of them. Every one you can delete increases the security of your site.

Update WordPress

WordPress contains security flaws. It always has and probably always will. As these become known, they are fixed with an update. Your site will be more secure if you update before those security flaws become widely known and used by hackers and malware.

It shouldn’t need to be said that it is essential that WordPress is kept up to date and fortunately it is fairly easy. When bugs and security flaws are discovered in WordPress, an update is made available and you are notified in the backend. Go to Dashboard > Updates and the current version, whether the site is up to date and any updates available are listed.

Some web hosting companies manage your WordPress site and install updates for you, but many do not, and then it is your responsibility to update.

You will probably find that minor updates are installed automatically, because they are unlikely to cause compatibility problems with the plugins and theme you use. It is not impossible though, so make sure you take backups regularly.

Related: How to control WordPress updates and plugin and theme updates

Major updates have the potential to cause compatibility problems, so they are not automatically installed. You must go to Dashboard > Updates and click the button to update, after backing up your site of course.

Action points

  • Make a backup of your site before any updates
  • Check your theme for updates, you might need to check with the developer
  • Delete themes you are not using to avoid security issues
  • Disable plugins you can live without
  • Delete plugins you are not using
  • Update WordPress when updates become available

WordPress security Course Contents

  1. How to change the WordPress admin user to something different
  2. Make your website more secure by using strong passwords
  3. How plugins damage the security of your WordPress website
  4. How to use and customise user roles in WordPress
  5. How to recover from website problems with a WordPress backup
  6. How to increase website security with a plugin for WordPress
  7. How to make your WordPress website secure and deal with threats