How to update your WordPress website to keep it secure and safe (2021)

Jul 4, 2021 | Website, WordPress

If you have decided to set up and run a self-hosted WordPress website then part of that decision means committing to ongoing maintenance and updates.

I’ve covered the basics over on this post for when you’re just getting started, but what if you’ve been going a while? How can you successfully maintain your site to avoid any downtime or security issues?

Due to the sheer volume of WordPress websites that exist on the web (64 million according to this source) it’s not surprising that there is a high number of attacks too.

In fact, over 90% of infected sites detected by a well-known security plugin were on WordPress back in 2018:

[Image: infected websites by platform, including WordPress]

It’s mostly because it’s easier to find vulnerabilities in WordPress websites.

The code is open-source and works with thousands of plugins (over 50,000), all developed by third-party developers. If the core code and plugins aren’t kept at current, compatible versions then it can leave a site vulnerable to hackers.

If you aren’t setting aside time each month to address any vulnerabilities in your website then you could risk it being taken offline.

Most hack attacks aim to either redirect you to another site (crypto, pharmaceutical, adult and affiliate sites are common culprits) or spam link injection attacks:

A spam link injection attack is a type of cyberattack where hackers inject malicious code or scripts into a target website that leads to SEO hijacking, malicious redirects, and even email spam.

I have to confess dear reader that the second type of attack happened to me in 2020.

If you wanted to buy some 🍆 💪🏻 💊 meds then my website was the place to be!

I got hacked.

It goes to show that even I am vulnerable to my site being taken over despite preaching about website security best practices.

The hackers got in via another site on the hosting account that was vulnerable and I had my emails switched off for the evening it happened, so I didn’t see the warning when a new account was created.

I logged into my hosting the morning after and was greeted with the website that you see below.

[Image: the "health" website that replaced my site last year]
A new career for me perhaps?

I tried to delete the files that were showing in the site folder on my server, but it was too late for my site and by this point my host had already suspended my account until the issue was sorted, as they had detected malicious activity.

Essentially the site had been deleted to make way for its new replacement and the source files were trashed.

Luckily I have a great developer I work with, who does all my server related admin and was able to restore the site back to normal like a pro for me within a morning.

Could it have been prevented?

Yes of course it could have and I was kicking myself that I had taken my eye off the ball.

It was a small thing that had left my site vulnerable and it may be the case for you too.

Something that you thought “this can wait” might mean your site gets paved over to sell products from the unsavoury side of the internet.

Below I highlight the easiest ways to keep your WordPress updated and secure, which will only take you an hour each month to maintain, so you don’t become one of the 30,000 websites hacked each day.

back your site up regularly

Either find a host that does this for you and allows you to access the backups or use a plugin like Updraft Plus.

You can then save a copy of the site files in your own site folder or sync with a service like Dropbox or Google Drive.

It means that if things go wrong, and you have access, you can restore back to a previous version of your site.

Back up weekly at the very least, and back up before you update any plugins, your theme or your WordPress version.

[Image: the admin view of UpdraftPlus]

install a firewall

If your host can’t provide this with your package, then install a firewall plugin.

Firewall software can help protect your website by blocking traffic from unauthorized sources from accessing your website.

The free version of Wordfence is my go-to recommendation as it contains a Web Application Firewall (WAF) that identifies and blocks malicious traffic and a malware scanner that blocks requests that include malicious code or content.

[Image: the admin view of Wordfence]

You’ll be emailed when there’s a failed login attempt on your site, or told when you need to update plugins, amongst other things too.

I find that many new business owners get overwhelmed with notifications from Wordfence, realising for the very first time just how many hacker bots and individuals try getting into their website.

It’s a bit like knowing that the earth is hit by 17 meteors a day. You felt OK before you knew this fact and now you know it, you realise how fragile everything is!

It will work in the background blocking suspicious-looking logins and protecting your site from increased attacks, but it will really help if you also ensure that your site stays updated…

keep your WordPress version updated

This is where I messed up.

I had created a test site on the same hosting account as my main website and forgot about it after using it for the demo.

This meant that as the installed version of WordPress got older, my site became more and more vulnerable.

A user was able to sign up for a guest account as a commenter, and they were able to find a way in via the code and run rampant.

I had email notifications switched off that evening and so didn’t see the alert from Wordfence telling me that a new user had registered either.

It’s such a rookie move because you can set up your installation of WordPress so that it updates automatically.

WordPress is updated by the community on a regular basis, and releases are sent through to your site.

You’ll be able to see what version is currently installed via the bottom right-hand side of the admin screen here:

[Image: how to see what version of WordPress you’re running, bottom right of the admin view]

You can also find the version information over in the ‘Updates’ section of the admin dashboard here:

[Image: the version information in the ‘Updates’ section of the admin dashboard]

Typically, your website will be set up to download any update notifications automatically. You’ll be informed when it’s time to update your WordPress version via a link at the top of your dashboard:

[Image: update notice within the WordPress dashboard]

You can also set the update to happen automatically but if it’s set to be manual, then it’s from within here that you’ll be able to update the version.

Always back up your site before you update your WordPress version!

[Image: the update version button in the WordPress admin]

check your theme – does it need updating too?

Your theme also needs to be updated regularly so that it works with your current version of WordPress without issues.

Updates can contain visual updates or feature upgrades, but they’ll also ensure that the theme continues working with the core WordPress code.

You can check if your theme needs to be updated by navigating to Appearance > Themes and checking there for the yellow notification message.

[Image: updating your theme in the WordPress admin]

Once you have updated you’ll see the green notification message.

[Image: updated theme notification]


If you cannot see any messages, check whether you need to download and re-upload the theme update from the source you bought it from.

Always back up your site before you update your WordPress theme!

plugin updates and how to manage them

Plugins are often created by third-party developers, so it may take them time to update their code to work with the latest version of WordPress.

Plugins interact with each other, so failing to update one can have an impact on others; keeping them all updated regularly helps to avoid this.

Plugins are the main reason why your WordPress website will break or get hacked. In fact, 52% of WordPress vulnerabilities relate to plugins, so ensure that you have the latest version installed wherever possible.

[Image: updating plugins in the WordPress admin view]

You’ll be notified with a red circle over the Plugins menu item in the WordPress admin area, letting you know how many are out of date.

Within the plugin area hit the ‘update now’ link under the relevant plugin to update it.

After a big WordPress core update (when the version number changes from 4.0 to 5.0 for example) you might want to wait a week before updating your plugins so that the community can catch up and update.

[Image: update-in-progress notification, followed by the updated plugin notification]

Always back up your site before you update your plugins!

what to do if your website goes down after an update

Updating these three (plugins, theme and WordPress version) can sometimes result in your site breaking or looking odd, which is a fact of life when managing a WordPress website.

It could be due to updating your WordPress version first and an old plugin then breaking everything.

I recommend updating in this order to avoid this:

  1. Back up first
  2. Start by updating plugins one by one
  3. Then the theme
  4. Then the WordPress version

When you do an update your site will go into Maintenance Mode, so try not to do anything with it while it’s in this state.

Common issues after updating could be that things appear broken on your site or the design looking odd, or worse…the site stays in Maintenance Mode.

If that’s the case you should be sent a link by WordPress to log in via safe mode, and you’ll be able to roll your WordPress website version back using your UpdraftPlus backup.

If the issue was updating a plugin, deactivate the plugin you think it could have been and then either contact the plugin developer, delete it and replace it with one that works, or revert to a previous version.
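The update order above as a WP-CLI shell routine, written here as an added example (it is not code from the post): back up, then plugins one at a time with a site check after each, then the theme, then core. It assumes WP-CLI (`wp`) and curl are installed, and that SITE_PATH, SITE_URL and BACKUP_DIR (placeholders below) point at your site.

```shell
#!/bin/sh
# Added example: backup -> plugins one by one -> theme -> core, checking the
# site after each step so the culprit is obvious if something breaks.
set -eu
SITE_PATH="${SITE_PATH:-/var/www/html}"            # WordPress root (assumed)
SITE_URL="${SITE_URL:-https://example.com}"        # public URL to check (assumed)
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wordpress}" # where backups land (assumed)

wp_cmd() { wp --path="$SITE_PATH" "$@"; }

# Step 1: back up first. Database dump plus wp-content (themes, plugins, uploads).
backup_site() {
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$BACKUP_DIR"
    wp_cmd db export "$BACKUP_DIR/db-$stamp.sql"
    tar -czf "$BACKUP_DIR/wp-content-$stamp.tar.gz" -C "$SITE_PATH" wp-content
}

# Healthy means: answers HTTP 200 and is not stuck in Maintenance Mode
# (WordPress leaves a .maintenance file in the site root while it updates).
site_healthy() {
    status=$(curl -s -o /dev/null -w '%{http_code}' "$SITE_URL" || echo 000)
    [ "$status" = "200" ] && [ ! -f "$SITE_PATH/.maintenance" ]
}

# Step 2: plugins one at a time; stop at the first one that leaves the site
# broken, so the last plugin named in the log is the one to deactivate.
update_plugins_one_by_one() {
    for plugin in $(wp_cmd plugin list --update=available --field=name); do
        wp_cmd plugin update "$plugin"
        if ! site_healthy; then
            echo "site unhealthy after updating plugin: $plugin" >&2
            return 1
        fi
        echo "updated plugin: $plugin"
    done
}

main() {
    backup_site
    update_plugins_one_by_one
    wp_cmd theme update --all          # Step 3: the theme
    site_healthy                       # set -e stops here if the theme broke the site
    wp_cmd core update                 # Step 4: WordPress itself
    wp_cmd core update-db
    site_healthy && echo "all updates applied, site responding OK"
}

# Run as: sh wp-maintain.sh run  (sourcing the file only defines the functions)
if [ "${1:-}" = "run" ]; then main; fi
```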

update php version

PHP is the coding language WordPress is built on, and your hosting provider will set the version of PHP for you when your hosting account is set up.

PHP is maintained by a community of developers and new versions are released periodically.

[Image: how to check the PHP version in cPanel]

Keeping the PHP version updated means a faster WordPress website, and WordPress.org currently recommends PHP 7.4.

You can find the version your site is running via your hosting package’s cPanel, or via a dedicated part of your hosting package’s admin area.

If you don’t have access to this info, then contact the person or company hosting your website and ask them for help.

Before updating your PHP version you’ll need to do all of the steps above: back up, then update plugins, theme and WordPress version.

check your hosting package

As you grow as a business and your website gets bigger and needs to do more things for you, it sometimes doesn’t occur to you that your hosting will need to grow with you.

Your site might be running on a very basic hosting package with low bandwidth and processing speeds.

Your host might be able to make some recommendations for your site to help it run faster and therefore work better with more memory-hungry plugins like WooCommerce. This also means that you shouldn’t encounter issues when updating.

Many hosting packages also offer backup and firewall services to ensure that your site stays secure. They might even do you a deal as an existing customer, so reach out to them and ask what they can help with to ensure that your website stays secure.

change the login url

It’s an annoying fact that you can find the admin login for every WordPress website by adding /wp-login.php or /wp-admin to the end of the URL.

This makes your site open for hackers to try and guess your username and password.

If you have Wordfence installed (see above) then you’ll be notified when users try and fail to log in to your site, plus whenever anyone does a ‘forgot password’ reset.

I got really tired of seeing these pop-up in my inbox and so decided to use WPS Limit Login to change the URL to one that was unique to me and hopefully hide from anyone trying to log into my site unauthorized.

It’s not a perfect solution as I still get the odd chancer, but Wordfence locks out users who fail 3 times for a month and hopefully they get really bored of trying my site now.

[Image: creating a custom login URL in the WordPress admin using a plugin]
Covering my unique login URL up here for security reasons. It contains a lot of random characters and numbers.

limit login attempts

That said, even changing your admin login URL won’t stop users trying to access your site using scripts and bots, and for that extra level of security I have added a reCAPTCHA plugin called Login No Captcha reCAPTCHA that asks users to confirm they are human.

You can’t progress signing in until the ‘I’m not a robot’ box has been checked:

[Image: limiting login attempts to your WordPress website with the ‘I’m not a robot’ check]

don’t use ‘admin’ as a username

Nor your website name or email address, if they are publicly available on your website.

These are the first usernames that hackers will try when attempting to access your website, and it makes it 50% easier to get in if all they have to do is guess a password.

Back in the old days, the default installation of WordPress used ‘admin’ as the username and ‘password’ as the password. Thankfully this is a thing of the past, BUT don’t make that same mistake yourself.

Brand new websites get found and these details get tried. Don’t make it easy.

Use a username that only you will know, plus a password that contains letters, numbers and special characters.

You can create a new username by creating a new user and deleting the old one here:

[Image: how to create a new user in the WordPress admin view]

get someone to do all of this for you

As mentioned at the start of this article, managing and updating your WordPress website is part of the process of owning one, and you’ll need to factor update time into your schedule or run the risk of the site becoming vulnerable.

I find that 1-2 hours per website, per month is all it takes to keep on top of the light updates.

If you have a site that is transactional, you may want to think about when you do these updates in case your site goes offline.

Typically big sites will do their updates when there’s less traffic (like evenings or at the weekend).

If your business may suffer if you go offline then you might need to ask yourself “is it time I mitigated the risk?” and have someone who can help you get back online quickly.

This could be a developer, a tech virtual assistant or an agency.

Your hosting provider may even offer support too, so check out the packages.

There are only so many things that we can do as business owners managing our own websites so it’s worth thinking about that next step.


I genuinely hope that you have found this article useful and have been able to take away some tools and tips for keeping your WordPress website updated and therefore secure.

I’d love to hear what you think in the comments below and you can always reach out to me via social media to chat more in the DMs.



1 Comment

  1. Sarah

    Wow, too scary for a Monday morning, but eye-opening to keep your site updated and check your logins and passwords.

    And you nearly lived it down, but then have brought it up again; let the puns begin!
