{"id":3268,"date":"2017-02-06T13:52:05","date_gmt":"2017-02-06T20:52:05","guid":{"rendered":"https:\/\/www.whitefirdesign.com\/blog\/?p=3268"},"modified":"2017-02-06T13:52:05","modified_gmt":"2017-02-06T20:52:05","slug":"minor-wordpress-updates-are-the-ones-you-want-to-make-sure-are-applied-right-away","status":"publish","type":"post","link":"https:\/\/www.whitefirdesign.com\/blog\/2017\/02\/06\/minor-wordpress-updates-are-the-ones-you-want-to-make-sure-are-applied-right-away\/","title":{"rendered":"Minor WordPress Updates Are The Ones You Want To Make Sure Are Applied Right Away"},"content":{"rendered":"<p>When it comes to the security of websites one of the major problems we see is that often the <a href=\"https:\/\/www.whitefirdesign.com\/resources\/secure-your-website-from-hackers.html\">basics are not being done<\/a> (<a href=\"https:\/\/www.whitefirdesign.com\/blog\/2016\/10\/10\/cyber-security-companys-poor-website-security-reminder-of-industrys-lack-of-focus-on-actually-improving-security\/\">even<\/a> <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2016\/11\/01\/high-profile-cyber-security-company-crowdstrike-fails-to-do-basic-security-step-with-their-own-website\/\">by<\/a>\u00a0<a href=\"https:\/\/www.whitefirdesign.com\/blog\/2016\/11\/16\/another-cyber-security-company-in-the-news-failing-to-do-security-basic-with-their-own-website\/\">security<\/a> <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2016\/12\/16\/wordfence-using-outdated-and-insecure-software-on-their-website\/\">companies<\/a>), one of the most important is keeping software up to date, which prevents known vulnerabilities that have been fixed in a newer version of the software from being exploited.<\/p>\n<p>Back in 2013 the\u00a0developers of WordPress took a step to protect websites running WordPress from this by introducing a new updates system in WordPress 3.7 that <a href=\"https:\/\/codex.wordpress.org\/Configuring_Automatic_Background_Updates\">automatically applies minor 
WordPress updates<\/a>\u00a0(the ability to have major WordPress, plugin, and theme updates applied automatically also exists in that functionality). Alongside that, they started releasing security updates for older\u00a0major releases that have that update functionality, in the form of minor updates. So unless something causes that feature to not work or it has been intentionally disabled, any\u00a0websites\u00a0still running WordPress 3.7 or above would still be protected against vulnerabilities discovered in WordPress.<\/p>\n<p>As far as we are aware, only the most recent major version of WordPress is officially supported, so you should be making sure you are on the latest version, but those running older major versions should still be relatively secure as long as they\u00a0are on the latest minor release of that version.<\/p>\n<p>Disabling those automatic updates cannot be done in the settings of\u00a0WordPress, so it isn&#8217;t something that\u00a0could be accidentally done. Instead, someone has to make an active decision to do that (by using a plugin or making a change to a file) and it would generally be a bad one. 
The reasons for doing that usually seem\u00a0rather bad. Take, for example, the <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2015\/07\/07\/security-company-with-wordpress-security-plugin-doesnt-keep-their-own-wordpress-installation-up-to-date\/\">website of a WordPress security plugin where that looked to have happened<\/a>; the company behind it later told us that had been done because they had modified core files, which you shouldn&#8217;t be doing (that the developer of a security plugin would\u00a0be modifying core files like that would be concerning on its own and it probably isn&#8217;t surprising then that we later found a <a href=\"https:\/\/www.pluginvulnerabilities.com\/2016\/09\/02\/cross-site-request-forgery-csrfcross-site-scripting-xss-vulnerability-in-centrora-security\/\">couple of vulnerabilities<\/a> in <a href=\"https:\/\/www.pluginvulnerabilities.com\/2016\/09\/02\/authenticated-persistent-cross-site-scripting-xss-vulnerability-in-centrora-security\/\">the plugin<\/a>).<\/p>\n<p>That brings us to fairly widespread reports of websites that have been hacked due to not having applied the latest WordPress update (without having looked at the websites&#8217; data and logging we can&#8217;t say how many of those claims are true and how many of those websites were hacked due to other issues). <a href=\"https:\/\/wordpress.org\/support\/topic\/wordpress-4-7-1-hacked-by-ng689skw\/#post-8744611\">One message<\/a> that showed up about this in the monitoring of the WordPress support forum we do, to keep track of vulnerabilities in plugins for our <a href=\"https:\/\/www.pluginvulnerabilities.com\/\">Plugin Vulnerabilities service<\/a>, had a troubling explanation for not being on the latest version:<\/p>\n<blockquote><p>WordPress 4.7.2 was patched at some rest-api vulnerability and some other stuff according to change log. I usually check out the change log every time whenever an update is available. 
This was the first time I didn\u2019t check that and only imagined the 0.1 version difference to be a slight upgrade. But I was wrong.<\/p><\/blockquote>\n<p>While some minor updates just include bug fixes (the <a href=\"https:\/\/wordpress.org\/news\/2016\/04\/wordpress-4-5-1-maintenance-release\/\">last one<\/a> being in April of last year), most are security updates. By comparison, a major update is not likely\u00a0to introduce\u00a0a security\u00a0fix. So the updates you want to apply right away are the minor ones, or better yet, don&#8217;t disable the automatic updates, so you don&#8217;t have to worry about making these decisions. Major updates, not minor updates, are the ones that have more of a chance of causing a problem (say if a plugin hasn&#8217;t been updated to be compatible with the new version).<\/p>\n<p>If you are still using a\u00a0very old version of WordPress on your website, you may want to have a test of the upgrade done before upgrading the production website to the latest major version so that any issues can be resolved first. 
Doing a test of the upgrade\u00a0is included in our <a href=\"https:\/\/www.whitefirdesign.com\/services\/wordpress-upgrade.html\">upgrade service for WordPress<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When it comes to the security of websites one of the major problems we see is that often the basics are not being done (even by\u00a0security companies), one of the most important is keeping software up to date, which prevents known vulnerabilities that have been fixed in a newer version of the software from being &hellip; <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2017\/02\/06\/minor-wordpress-updates-are-the-ones-you-want-to-make-sure-are-applied-right-away\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Minor WordPress Updates Are The Ones You Want To Make Sure Are Applied Right Away&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,3],"tags":[],"class_list":["post-3268","post","type-post","status-publish","format-standard","hentry","category-bad-security","category-wordpress"],"_links":{"self":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/3268","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/comments?post=3268"}],"version-history":[{"count":4,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/3268\/revisions"}],"predecessor-version":[{"id":3274,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/3268\/revisions\/3274"}]
,"wp:attachment":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/media?parent=3268"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/categories?post=3268"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/tags?post=3268"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}