The Dangers of Outdated WordPress Plugins & Themes

Ignoring your WordPress update notifications may be one of the easiest things to do, but it’s also likely the most detrimental. Why? Inconsistent updates create severe security issues and compatibility issues, and they make you accrue technical debt. Here’s how to avoid all of this.

Nearly every day an email hits my inbox from someone who hasn’t updated WordPress in years. Not months, years. By now, we all know that ignoring theme, plugin, and WordPress core updates can create severe security issues, compatibility issues, and accrue technical debt. Not to mention website owners miss out on great new features and capabilities of their software when updates are ignored.

When an email like the one described above comes through, this is typically my response:


Dear Sir/Madam [I’m a very fancy email communicator],

It has come to our attention that your website is currently living in the technological equivalent of the Cretaceous period and needs to be brought back to the modern day. This will require extensive testing, a small bit of sorcery, potential time travel, and a well-appointed checkbook (or any major credit card).

Regards,

Count Sullivan of Site Care


I really don’t enjoy writing these emails and telling people that making their respective sites current is going to be an expensive and time-intensive undertaking. So today I’d like to address some of the most common missteps I see and how we, together as a community, can keep WordPress up to date and avoid the dangers of outdated WordPress software.

Intentionally Deferred WordPress Upgrades

I’ve seen developers do some very clever things to not only ignore WordPress core upgrades, but to cover their tracks as well.

If the client can’t see the red update notification, they’ll never know there’s a problem.

Developers everywhere

It’s the same logic that big tobacco uses to sell cigarettes. “If they can’t see the nicotine and harmful chemicals, then we’re off the hook! (Until someone dies, of course. But that’s a bridge we’ll cross another day).”

Some of the most common ways I’ve seen updates hidden are custom plugins that modify user roles, management plugins like ManageWP or InfiniteWP, or Easy Updates Manager. I’ve also seen updates blocked through the wp-config file hundreds of times, with a few other steps taken to hide notices from the dashboard completely.

And I’ll be the first to admit, sometimes hiding the notices is absolutely necessary. Curious clients see that update notification as a BIG RED BUTTON and need to push it. That’s facts. Unfortunately, more often than not these blocks are put in place with good intentions, and then end up being ignored indefinitely.

Picture of a big red button with "Press" printed on it.

Here are some of the most common scenarios I’ve seen for blocking WordPress plugin, core, and theme updates:

  • Theme update hasn’t been tested for compatibility – We’ve all seen theme updates break things. If it hasn’t happened to you already, it will. Updating a theme without disrupting the website may require staging the update in a sandbox and testing for compatibility. And who’s got time for that?
  • Updates haven’t been tested with the PHP version on the server – Sometimes we want to test pending updates, but because some hosts are slow to upgrade their PHP versions, or alternatively insist on running bleeding-edge server software, there’s yet another variable to test for that’s going to require more time and effort.
  • Managed hosting is taking too much control – Sometimes there are business reasons for not updating software right away. One example is an established change control process. Some corporations literally won’t allow changes to be made to their websites without going through a somewhat rigorous set of checks and balances. In these scenarios we tell the host to stop processing updates automatically. Hopefully we don’t use that as an excuse to ignore updates altogether.

These are all completely legitimate reasons for deferring updates, but they aren’t excuses to ignore them outright. An uncomfortable trend I’ve seen is that while the initial reason to block updates and hide notices is legitimate, it’s treated more like a Get Out of Jail Free card. If you’ve ever told yourself you’ll get to the updates “on a day when I have more time,” don’t fool yourself. Unless keeping plugins and themes up to date is a priority, the time will never come.

If you’re a service provider and your client trusts you to stay on top of these updates, please make them a priority. Or you can pass them off to our team and we’ll do the heavy lifting for you. But please don’t leave these important updates unattended.

Absence of License Keys

The absence of license keys is the most prevalent challenge we encounter when trying to get websites up to date.

Developers, agencies, I say this with all the love I have available in my small heart: CLIENTS NEED TO BUY THEIR OWN PLUGINS AND MAINTAIN ACTIVE LICENSES

Without an active license key or account connection (see all Themeforest and CodeCanyon products), all future updates will be blocked.

And I know how it goes. You have the developer license for the theme or plugin that gets installed on the client’s site. Or you have the latest version from another project you’re working on, so you install that to get your work done without asking the client for more money. It’s no big deal, right? In fact, you’re even doing them a favor!

Well, it isn’t a big deal today. But eventually you’ll stop paying for that developer version because the plugin author raises prices, or because you decide you like another forms plugin more, or the budget is tight and you need to find ways to cut costs.

These things happen and it’s totally fine. Really, it is.

But when these decisions are made, licenses expire and updates are suddenly unavailable. I’m not saying it’s never been done, but I’ve never once seen a developer or agency go back to a client after the fact and say “We’ve been paying for you to use this plugin for the last 4 years and aren’t going to anymore. Please purchase a new license and send us the key.”

No, I usually get to be the one that tells them Revolution Slider is 4 years out of date and that they not only need to pay for a plugin, it’s also going to take six hours of developer time to upgrade the plugin and resolve all the resulting compatibility issues.

Do yourselves a favor and discuss license fees at the beginning of every project. Businesses understand the concept. They pay for Adobe, McAfee, and Microsoft Updates every single month. And at a much larger scale than any WordPress plugin fees.

Recommendations for Security Best Practices

It only takes a few days of following updates at WPVulnDB to get a very clear picture of how often security updates are applied to WordPress software. Authors are usually quite good at releasing security updates in a timely fashion when they’re needed.

Aside: If you use a WordPress plugin or theme with a known security issue and the author doesn’t release patches quickly, find another solution.

Without proactive monitoring and a regular update schedule things can get out of hand very quickly.

WordPress is often compared to Microsoft as “the operating system of the web.” It has extremely wide reach, which makes it a prime target for anyone looking to exploit vulnerabilities.

Yoast SEO has over 5 million active installs. If I’m a hacker and that plugin has a known security flaw, I’m going to try and build a bot to exploit it as quickly as I can. Even if half of website owners are diligent in keeping their plugins up to date, I still have a user base of 2.5 million I can try and take advantage of. I like those odds.

P.S. I’m not a hacker.

You’ll see lists on the internet for “300 tips to secure your WordPress website” but ultimately protecting your website comes down to these core principles:

  1. Use a quality web hosting provider who maintains current web server and PHP versions
  2. Have a regular update routine for WordPress core, plugins, and themes. Anything less than monthly is too infrequent.
  3. Use a firewall. We recommend Cloudflare or Sucuri. These firewalls block malicious requests before they reach your website.
  4. Keep active license keys or account connections for all premium WordPress plugins and themes.
  5. Use strong passwords. WordPress’ default requirements are stronger than they’ve ever been. If you want to really enforce strong passwords, check out Force Strong Passwords.
  6. Disable File Editing – Even if an unauthorized user is able to access your site, theyโ€™ll be somewhat limited if they canโ€™t access your site at the file level.
  7. Use SSL everywhere. With many hosts offering SSL certificates for free or a small fee, there’s no excuse for not using SSL for your website.
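A small inventory check that supports the monthly routine in item 2 and the license point in item 4, added here as an example (it is not SiteCare's code): it reads the JSON that `wp plugin list --fields=name,status,update,version,update_version,update_package --format=json` prints and flags pending updates, updates with no download package (what an expired or missing license typically looks like; an assumption about how vendor updaters report it), and inactive plugins that still sit on disk. The sample output below is constructed and the plugin names are illustrative.

```python
import json
import sys

# Constructed sample of `wp plugin list --format=json` output. Field names follow
# WP-CLI; the plugins, versions and package URLs are made up for this example.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "wordpress-seo", "status": "active", "update": "available",
     "version": "14.1", "update_version": "21.5",
     "update_package": "https://downloads.example/wordpress-seo.21.5.zip"},
    {"name": "revslider", "status": "active", "update": "available",
     "version": "5.4.8", "update_version": "6.6.14", "update_package": ""},
    {"name": "akismet", "status": "inactive", "update": "none",
     "version": "5.3", "update_version": "", "update_package": ""},
    {"name": "contact-form-7", "status": "active", "update": "none",
     "version": "5.8", "update_version": "", "update_package": ""},
])


def version_tuple(version):
    """Turn '6.6.14' or '5.4.8-beta' into a comparable tuple of ints."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def audit_plugins(raw_json):
    """Return (plugin, category, detail) findings for a wp plugin list dump."""
    findings = []
    for plugin in json.loads(raw_json):
        name = plugin["name"]
        if plugin.get("update") == "available":
            current, latest = plugin["version"], plugin["update_version"]
            if not plugin.get("update_package"):
                # Update is known but no package URL is offered: typically an
                # expired or missing license (assumption about vendor updaters).
                findings.append((name, "blocked", f"{latest} available but no package; check license"))
            elif version_tuple(latest)[0] > version_tuple(current)[0]:
                findings.append((name, "major", f"{current} -> {latest}; stage and test first"))
            else:
                findings.append((name, "minor", f"{current} -> {latest}"))
        if plugin.get("status") == "inactive":
            findings.append((name, "inactive", "still on disk; remove if unused"))
    return findings


if __name__ == "__main__":
    # Real use: wp plugin list --format=json | python audit.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLUGIN_LIST
    for name, category, detail in audit_plugins(raw):
        print(f"{category:8} {name}: {detail}")
```

Run it from cron on the monthly schedule and treat any "blocked" line as a license conversation to have with the client before the next cycle.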

Simplify your WordPress experience with SiteCare

Take the headache out of managing your WordPress updates by signing up for a SiteCare plan today!

Ryan Sullivan
Chief of Staff

