Why You Should Always be Using the Latest Version of WordPress

At ATAK, most of the websites we build incorporate WordPress, and this should be no surprise. WordPress is nearly ubiquitous, powering 28% of all websites. In our work in web development for clients, we’ve worked with WordPress in considerable depth, sifted through many, many themes, and installed countless plugins and security updates. We’ve launched hundreds of websites since 2006, and we’ve learned a lot in the process.

Why WordPress Updates are Important

We have talked about the benefits and drawbacks of open source software on the blog before. WordPress is an open source CMS, meaning that every WordPress website is built on the same core code, which anyone can read and modify. This is one of WordPress’s strengths: developers around the world can build improvements to the CMS, and those improvements reach everyone through WordPress updates.

There is one main concern, however: because so many sites run the same code, a single newly disclosed vulnerability gives attackers a way into every site that has not yet patched it, and that scale makes WordPress a worthwhile target for attackers trying to harvest as much personal user information as possible.

“Of all websites hacked in Q3 2016, 74% were using WordPress.” – Bleeping Computer

Because of this, WordPress is secured through patches and updates when vulnerabilities in the CMS are identified. Applying them used to be a manual process, which put many sites at risk: administrators were shown a notice at the top of their WordPress dashboard, which confused some users, and the notice alone did not ensure that security updates were actually installed.

WordPress version 3.7 introduced automatic updates for maintenance and security, reducing the risk that many sites would fall prey to vulnerabilities found in the CMS. Below are some specific reasons why these updates are so important.
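As an added example (not code from the original post, and not part of WordPress itself), the following Python script checks an install's update posture offline: it reads the installed version from wp-includes/version.php and looks in wp-config.php for the constants that switch background updates off. The two sample file fragments are constructed, and the "current" version is passed in by the caller rather than fetched from wordpress.org.

```python
import re

# Constructed wp-config.php fragment: both update settings below are the weak
# ones this check flags (not taken from any real site).
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTOMATIC_UPDATER_DISABLED', true);  // switches off every background update
define('WP_AUTO_UPDATE_CORE', false);        // no core updates, not even security releases
"""

# Constructed wp-includes/version.php fragment for an out-of-date install.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.7.5';\n"


def php_define(php: str, name: str):
    """Value of define('NAME', value) as a lowercase string, or None if absent."""
    pattern = r"define\(\s*['\"]" + re.escape(name) + r"['\"]\s*,\s*([^)]+?)\s*\)"
    m = re.search(pattern, php)
    return m.group(1).strip().strip("'\"").lower() if m else None


def installed_version(version_php: str):
    """Read $wp_version from wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php)
    return m.group(1) if m else None


def version_tuple(version: str) -> tuple:
    """'4.8.2' -> (4, 8, 2); release versions only, pre-release tags are not handled."""
    return tuple(int(part) for part in version.split("."))


def audit_updates(wp_config: str, version_php: str, current_version: str) -> list:
    """Return findings; an empty list means core is current and background updates are on."""
    findings = []
    installed = installed_version(version_php)
    if installed is None:
        findings.append("could not read $wp_version from wp-includes/version.php")
    elif version_tuple(installed) < version_tuple(current_version):
        findings.append(f"core {installed} is behind {current_version}")

    if php_define(wp_config, "AUTOMATIC_UPDATER_DISABLED") == "true":
        findings.append("AUTOMATIC_UPDATER_DISABLED is true: background updates are switched off entirely")
    if php_define(wp_config, "WP_AUTO_UPDATE_CORE") == "false":
        findings.append("WP_AUTO_UPDATE_CORE is false: core security releases will not install themselves")
    if php_define(wp_config, "DISALLOW_FILE_MODS") == "true":
        findings.append("DISALLOW_FILE_MODS is true: this also blocks the automatic updater")
    return findings


if __name__ == "__main__":
    # 4.8.2 is the release the post quotes; pass whatever is current when you run this.
    for finding in audit_updates(SAMPLE_WP_CONFIG, SAMPLE_VERSION_PHP, "4.8.2"):
        print("WARNING:", finding)
```

On a real install, read the two files from the web root and pass the version string published on wordpress.org. A clean result is three empty checks: current core, `AUTOMATIC_UPDATER_DISABLED` absent or false, and `WP_AUTO_UPDATE_CORE` absent, `true`, or `'minor'` (the default, which still installs security releases).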

Security Updates for WordPress

One of the biggest challenges faced by the internet is the technology arms race between bad guys who want to steal your information and hijack your website, and good guys (like us!) who want to build functional, secure websites for businesses.

The consequences of being targeted by a hacker who has uncovered a WordPress vulnerability can be wide ranging, but include:

  • Losing administrator control over your site
  • Having customer financial data stolen
  • Illegal content being hosted on your site
  • Damage to the code and structure of your website

When WordPress issues a security update, it means a vulnerability in core has been found and fixed; once the fix is public, attackers know exactly where to look. The tactics and technology are always changing, making regular updates a part of life online.

Website Speed and Performance Updates

Browser standards, mobile usability expectations, and the rest of the constantly changing web mean that the technology behind website performance has to keep moving too.

“In the most recent update to WordPress (version 4.8.2), there were nine security updates, most of them involving cross-site scripting vulnerabilities. WordPress practices responsible disclosure. Part of that is making vulnerabilities public once they are fixed. As soon as a vulnerability is made public, the hackers know exactly how to exploit your site. This makes it even more important that you update immediately and don’t turn off the automatic updates that are now built into WordPress core.” – Jules Sherred, Developer at ATAK Interactive

Some of these are continual improvements, like site speed, which helps Search Engine Optimization (SEO) as well as user experience. The community of WordPress developers is constantly working to improve loading times, so better site speed is usually part of the package with a WordPress update.

From time to time, a larger update will come along which adds or upgrades built in WordPress features.

When you ignore these updates, you’re forfeiting the opportunity to give your visitors the best possible experience.

Bug Fixes

‘Bug fixes’ aren’t the highest priority for updates, unless you’re being impacted by one of the bugs. Usually, they just help every part of the site work the way it’s supposed to.

“Over 70% of the websites I’ve personally reviewed this past year were compromised due to either outdated WordPress plugins or outdated WordPress installations.” – Jim Walker, Hack Repair Guy

When and How To Update WordPress Websites

Security updates need to be applied promptly, no matter what; your business can’t afford to risk a data breach. Bug fixes and performance updates, however, can be scheduled to suit your development calendar and budget.

First things first: if your WordPress site includes custom code and design, it’s best to leave updates to your development team. Themes and plugins build on core WordPress functions, so a core update can change behaviour they depend on, and untangling that takes a developer’s knowledge.

Similar to ensuring that your business operates with the most up-to-date practices and technologies available in your industry, making sure that your website is running on the latest version of WordPress should also be part of your routine in keeping your business competitive.

WordPress Updates Do Matter

When WordPress makes a high-priority update, these fixes can be comparable to an antivirus software update. Threats and vulnerabilities are always changing within digital systems, which underscores the value of having a digital marketing partner who can be on the lookout for the latest risks, and how to avoid them.

A development team like the one at ATAK Interactive can help your business navigate every part of online security, from CMS vulnerabilities to transaction encryption.

If you think your website is in need of an update, talk to us and we can help identify exactly where you could use a bit of sprucing up and how to do it.

Protecting Small Business Systems from Ransomware: Interview

Last month, one of the largest globally targeted ransomware attacks in history hit the news, taking out NHS computer systems in England and Scotland and disabling digital records and equipment in healthcare facilities.

Most businesses are much smaller organizations than the globally-recognized NHS, but we wanted to know – does that make them safe from ransomware attacks? If not, what can be done to protect systems and data? ATAK Interactive reached out to our technology partner, INC Technologies. President Aramis Hernandez gave us a primer on what you need to know.

1. Do you see ransomware attacks with your IT clients?

AH: Fortunately, we don’t see it as much with our existing clients. However, most of our new IT clients arrive at our doorstep because they lacked the proper care and security. The process starts with home or business computers. Usually, these are machines running Windows – since it’s the most popular operating system, and many users don’t keep their computer security and operating systems up to date, making that computer the most likely candidate to be subjected to a phishing attack.

While everyone has learned not to trust email attachments, email links are another story. Think about how many links you click every day – that’s the most common way we see ransomware make its way into a machine. You’re much more likely to click a link than download an unusual-looking file.

2. Tell us some more about that – how does ransomware end up on someone’s machine?

AH: In an email phishing attack, an attacker represents itself as a person or group that you trust, like Paypal or Google. Then you download a file or click a link, and the software will exploit a vulnerability in your computer.

AH: This can also be links posted in other places, like social media sites or search results. The page you end up at exploits a weakness in your browser or your operating system, and installs the ransomware.

3. How do these attacks work?

AH: You’ll turn on your computer and be locked out, and see a message asking you for money to deactivate the software and give you access to your computer. The amounts can be very low – on average, $100 is the unlock ‘cost’. These hackers work on high volume, asking for an amount low enough that it’ll hit your wallet, but you’re unlikely to refuse.

4. How can users protect their systems from ransomware?

AH: This is a case where your best bet is proactive care. Make sure that you’re using the latest operating system, the latest browser, and you’re updating your security and antivirus programs.

AH: In the case of websites, managed hosting is a way to protect your website. This means that your web host maintains your security and backups (like ATAK’s hosting partner, Zerolag), so that you can leave your security and data to the experts.

Ransomware Takeaways for Small Business

What surprised us most on this call with Aramis was the prevalence of ransomware attacks they see in their support operations. High-profile ransomware attacks give the impression you’re safe if you aren’t a big business, but that is definitely not the case.

The biggest difficulty when it comes to ransomware is that nobody wants to think they’re vulnerable – and nobody wants to admit they were attacked. This is what the hackers are really banking on. Embarrassed computer owners will pay the ransom in order to avoid admitting they were hacked in public.

Recently, the podcast Reply All did an episode about this dimension of phishing attacks, called “What Kind of Idiot Gets Phished?”. After a host’s question about phishing is taken as a personal slight by one of his colleagues, the hosts experiment with phishing, and discover how easy it can be to fall for it, and how personal that deception can feel.

The personal dimension to ransomware is why it’s critical to have IT help that you can trust, before you find yourself wanting to hide an embarrassing situation.

The second interesting point in what Aramis told us was how often a phishing attack is a link, instead of a file. It often feels harmless to click a link in an email that’s unusual, or an email that you open while in a rush. This mistake can really hit you in the wallet.

Using an extra layer of browser security can help defend your accounts from phishing. Enabling your firewall’s browser protections, and using a Chrome extension like Google’s Password Alert, which warns you when you type your Google password into a page that isn’t Google’s, can help keep your passwords safe.

The last line of defense, though, is personal judgment and patience. When you’re sent a link you aren’t sure about, investigate before you click it. Learn to identify common phishing URL tricks that are used to make a scam URL look legit:

  • Unicode tricks, like using Cyrillic characters to make a URL look like it belongs to another company: аррӏе.com is spelled entirely with Cyrillic letters to look like apple.com, and only the second one is real. In punycode form the fake is xn--80ak6aa92e.com; a link target or address bar that starts with xn-- deserves a second look.
  • Mismatched links in an email. The visible link text looks valid, like “google.com”, but if you hover over it, the actual destination shown in the status bar is somewhere else.
  • Look-alike URLs. This is how the Gimlet Media team fell for a phishing attack in the podcast episode linked above: “Gimlet” and “Girnlet” look similar enough in many fonts, because “rn” reads as “m”.
  • Fake login pages. These are very popular. Be very wary about entering your login details for Google, Dropbox, or banking sites on a page you reached from an email or IM. When in doubt, type the real address yourself or use your own bookmark.
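As an added example (not code from the original post), here is a Python scanner that applies the checks in the list above to the links in an HTML email: it decodes punycode (xn--) hosts back to the Unicode the user would see, maps confusable Cyrillic letters and the “rn”-for-“m” trick to a plain Latin skeleton and compares that against a short list of protected brand domains, and compares the host named in the visible link text with the host in the href. The email body and the brand list are constructed for this example; xn--80ak6aa92e.com is the punycode form of the аррӏе.com host from the first bullet. Only the Python standard library is used.

```python
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed list of domains to protect (an assumption of this example).
PROTECTED_DOMAINS = {"apple.com", "google.com", "gimlet.com", "dropbox.com"}

# Cyrillic letters that render like Latin ones (a small slice of the Unicode
# confusables table), written as escapes so the source itself is unambiguous:
# а е о р с у х і ј ѕ һ ԁ ԛ ԝ and the palochka ӏ used in the аррӏе.com example.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w", "\u04cf": "l",
})

# Constructed sample email body; the first three links are phishing patterns.
SAMPLE_EMAIL_HTML = """
<p>Your account needs verification.</p>
<a href="http://xn--80ak6aa92e.com/login">https://www.apple.com/</a>
<a href="https://accounts.google.com.verify-login.example/">google.com</a>
<a href="https://girnlet.com/reset">https://gimlet.com/reset</a>
<a href="https://www.dropbox.com/">https://www.dropbox.com/</a>
"""


def decode_host(host: str) -> str:
    """Turn punycode labels (xn--...) back into the Unicode a user would see."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def scripts_used(host: str) -> set:
    """Unicode script names of the non-ASCII characters in a host, e.g. {'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in decode_host(host) if not ch.isascii()}


def skeleton(host: str) -> str:
    """What a host *looks like* in plain Latin letters: map confusable Cyrillic
    letters, then collapse ASCII pairs that read as one letter ('rn' -> 'm')."""
    return decode_host(host).translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def registrable(host: str) -> str:
    """Last two labels. A production tool would use the Public Suffix List (co.uk etc.)."""
    return ".".join(host.split(".")[-2:])


def host_in_text(text: str) -> str:
    """If the visible link text names a site, return that host; otherwise ''."""
    t = text.strip().lower()
    host = urlsplit(t if "://" in t else "//" + t).hostname or ""
    return host if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}", host) else ""


def analyze_link(href: str, text: str) -> list:
    """Findings for one <a href="...">text</a>; an empty list means nothing suspicious."""
    findings = []
    host = (urlsplit(href).hostname or "").lower()
    shown = decode_host(host)
    scripts = scripts_used(host)
    if scripts:  # bullet 1: non-Latin letters in the host
        findings.append(f"IDN host {shown!r} ({host}) uses {', '.join(sorted(scripts))} letters")
    look = registrable(skeleton(host))
    if look in PROTECTED_DOMAINS and look != registrable(host):  # bullets 1 and 3
        findings.append(f"host {shown!r} looks like {look!r}")
    claimed = host_in_text(text)
    if claimed and registrable(claimed) != registrable(host):  # bullet 2
        findings.append(f"link text says {claimed!r} but href goes to {host!r}")
    return findings


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def scan_email(html: str) -> dict:
    """Map each href in the email to its list of findings."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return {href: analyze_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL_HTML).items():
        print(href, "->", findings or "ok")
```

The apple link trips all three checks, the google and girnlet links trip one and two respectively, and the genuine Dropbox link is clean. Two simplifications to be aware of before using this for real: the “registrable domain” is taken as the last two labels, so two-level suffixes such as co.uk need the Public Suffix List, and the confusables table covers only the common Cyrillic look-alikes, not Greek or the full Unicode set. It is a triage aid; the personal judgment the post describes is still the last line of defense.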

If you’re looking for an IT partner to support your systems, we highly recommend INC Technologies. And if you’re looking for digital marketing security and managed hosting, give ATAK a call today.