The risks and pitfalls of WordPress auto-updates

When a new version of WordPress launched in August of 2020, something else came with it: a brand-spanking-new updates feature, along with the risks and pitfalls of WordPress auto-updates. This marked a step up from previous WordPress releases, in which plugins and themes could only be manually updated. When version 5.5 was released, WordPress users were able to enable auto-updates for any plugin or theme on their site.

Sounds great, right? In many ways it was. But here’s the catch. Auto-updates aren’t always the best thing since sliced bread and are in fact known to cause a whole load of problems, ranging from mildly inconvenient formatting issues to downright catastrophic total site failures. If you’ve been thinking about enabling auto-updates for your website, you’ve come to the right place. In this blog, we’ll be running you through some common risks and pitfalls and how to avoid them.

What is an auto-update?

Auto-updates are updates to plugins and themes that take place automatically without the site owner having to do anything manually via WordPress. Unlike manual updates, there’s no need to initiate the process or download new versions of your existing plugins and themes. In WordPress 5.5, site owners can choose whether or not to use the auto-update feature. Each plugin and theme has its own ON/OFF option specifically for auto-updates. 

What are the risks?

Whatever kind of business you’re running – be it a small eCommerce store or a SaaS digital marketing agency – before enabling auto-updates on your WordPress site, it’s important to be aware of all the ‘side-effects’, both good and bad. Auto-updates are convenient, but there can be some big drawbacks.

Updates can cause technical issues

Updates have been known to sometimes cause problems on your website. This is more likely if you opt for comprehensive auto-updates across all plugins and themes. Updates will run in the background and you won’t even be aware of it most of the time. But sometimes updates cause technical issues or even ‘breaks’. Auto-updates can fail, especially when several updates run at the same time, and site functionality (e.g. mobile optimization) is then more likely to go askew.

Updates can be hard to keep track of

If an update does mess up your site, you will need to know what caused it. Determining exactly what happened and when can be tricky, especially if multiple updates all took place simultaneously. With selected automatic and manual updates, it can be easier to isolate the root issue and fix it.

Some major releases may be incompatible

Sometimes auto-updates might include a major release. If a particular plugin (e.g. a plugin used to monitor cloud metrics) releases an update with a larger than normal installation base, it could cause problems. If you have auto-update enabled, you won’t have any control over whether or not you wish to deploy those changes. 

WordPress does not use a ‘Canary update’ testing process. Canary updates roll out code to test sites before official release. Without this, there’s no telling what a new update will do. Likewise with smaller plugins, top-notch quality assurance is not guaranteed. By enabling auto-updates you’re essentially handing over control to unknown quality assurance teams. 
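
One way to keep updates traceable and hold back major releases is to triage pending updates before they are applied. The sketch below is an added example, not code from WordPress, UpdraftPlus or Easy Updates Manager; it assumes a plugin inventory in the JSON shape that `wp plugin list --format=json` produces (the field names, plugin names and versions here are constructed) and assumes plugins use dotted major.minor.patch version numbers, which not every plugin does.

```python
import json
import re

# Constructed inventory; field names are assumed to match WP-CLI's JSON output.
SAMPLE_INVENTORY = json.dumps([
    {"name": "shop-payments", "version": "3.9.2", "update_version": "4.0.0", "auto_update": "on"},
    {"name": "seo-helper", "version": "2.4.1", "update_version": "2.4.2", "auto_update": "on"},
    {"name": "gallery-lite", "version": "1.8", "update_version": "1.9", "auto_update": "off"},
    {"name": "cache-tool", "version": "5.1.0", "update_version": "", "auto_update": "on"},
])

def parse_version(text):
    """Return (major, minor, patch), ignoring suffixes such as -beta1."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def bump_kind(installed, offered):
    """Classify an offered update as 'major', 'minor', 'patch' or 'none'."""
    old, new = parse_version(installed), parse_version(offered)
    if new <= old:
        return "none"
    for label, a, b in zip(("major", "minor", "patch"), old, new):
        if a != b:
            return label
    return "none"

def triage(inventory_json):
    """Sort pending updates by risk under an assumed policy: majors get staged first."""
    plan = {"low_risk": [], "stage_first": [], "auto_update_exposed": []}
    for item in json.loads(inventory_json):
        offered = item.get("update_version") or ""
        if not offered:
            continue  # nothing pending for this plugin
        kind = bump_kind(item["version"], offered)
        if kind == "major":
            plan["stage_first"].append(item["name"])
            # A major bump with auto-update on would deploy without review.
            if item.get("auto_update") == "on":
                plan["auto_update_exposed"].append(item["name"])
        elif kind in ("minor", "patch"):
            plan["low_risk"].append(item["name"])
    return plan

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_INVENTORY), indent=2))
```

Saving each run's output with a timestamp gives a record of what changed and when, which narrows the search when a site breaks after several updates.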

The best way to run WordPress updates

There are safer ways to enjoy the benefits that automatic updates bring. Just proceed with caution. Now that you’re aware of some of those common issues, you can enjoy auto-updates without worrying too much about the consequences. 

With all the potential issues your site can face when updating your plugins and theme, it is vitally important to have a secure and recent backup of your site. Having a backup with UpdraftPlus can help save you. Even if you take all the necessary precautions, it is still possible to fall victim to a bad update and have your site die on you. Backing up your site with UpdraftPlus can be done in just a few minutes. Just download UpdraftPlus, follow these simple instructions and you won’t have to worry about an update permanently taking down your site again.

While the latest update of WordPress can update your plugins automatically, we recommend that you turn off auto-updates for all/selected plugins and use Easy Updates Manager instead. Easy Updates Manager currently helps more than 300,000 WordPress users automatically keep their sites up to date and bug-free. It’s also highly customizable to give you real control over what updates to run.

Easy Updates Manager in action

Choose from manual updates, disabled updates, enabled auto-updates, disabled auto-updates, or a per plugin/theme choice, so you always have full control over your site and what aspects are updated. This offers a greater degree of control and limits unnecessary risk or disruption – disruption that could potentially derail a business in its infancy.

The potential business impact of an auto-update-related disruption could be catastrophic. If an automatic update interferes with your customer payment portal for example, the losses could be substantial for a well-established brand with high volume sales. 

Use UpdraftPlus and Easy Updates Manager today for the best backup and auto update options. 

Marjorie Hajim

The post The risks and pitfalls of WordPress auto-updates appeared first on UpdraftPlus. UpdraftPlus – Backup, restore and migration plugin for WordPress.

7 critical measures for protecting your WordPress admin area

Content management system platforms like WordPress have successfully democratized website building in the current digital era: what used to be a potentially expensive, tedious and difficult process is now easier and more accessible for both inexperienced and experienced site owners. But how do you go about protecting your WordPress admin area?

However, security has remained a challenge for many WordPress site owners. According to a report by WordPress security plugin Wordfence, almost 90,000 security issues were reported every 60 seconds on WordPress websites in 2020.

This data is even more troubling when we take into account login-based WordPress sites like eCommerce platforms, where sensitive information such as banking and debit card details are shared daily.

If you’re trying to build a website, using WordPress is a great idea, but you may be worried about the security of your WordPress admin area, especially given the sheer volume of cyber threats in the previous year. 

If you wish to reinforce your log-in mechanics, consider these seven simple measures to secure your admin area.

1. Change your passwords often

Let’s start with the basics of WordPress admin and login security. It may seem like the simplest solution when it comes to your site’s security, but changing passwords is often overlooked as an effective security measure.

This cybersecurity approach is essential to any login-based online service and should be implemented across all types of sites, from streaming platforms like Netflix, to social media sites like Instagram, to online group meeting apps like RingCentral. When it comes to preventing admin-related issues, changing a password regularly is a popular cybersecurity tactic. 

2. Keep your plugins updated

Let’s go back to that Wordfence data we mentioned earlier. In one study conducted by Wordfence researchers, it was found that over half of WordPress cybersecurity issues (52%) were caused by plugins.

As such, the first step toward securing your WordPress site is investing in WordPress security plugins. Many of these track and record login attempts to analyze any possible admin area threats.

Additionally, it’s important to get rid of outdated WordPress plugins. These pose a threat to your site’s security because they no longer receive updates, which leaves their security measures lacking. The safest course of action is to uninstall them, as disabling doesn’t get rid of the additional (and weak) code. Use UpdraftCentral to efficiently manage, update and back up multiple website plugins, themes and backups from one place for sites on which UpdraftPlus is installed.

3. Implement SSL login pages

SSL stands for “secure sockets layer”. This security protocol is generally used on websites that store sensitive data, especially those that require authentication to log in. In essence, SSL measures activate a digital lock – technically, an HTTPS protocol – that guarantees a secure connection from the server to the browser.

Usually your run-of-the-mill hosting provider will include these measures in your subscription. If they do not, consider purchasing an SSL certificate and installing it on your WordPress server. 

This is especially useful for eCommerce WordPress sites, which ask their clients to log in with a profile to automate the checkout process when paying via credit or debit card.

4. Limit login attempts

Restricting the number of possible login attempts is one reliable cybersecurity tip to protect data, especially if you’re looking to prevent potential brute force attacks. 

These cybersecurity breaches are achieved by bombarding an admin platform with every conceivable combination of characters to form passwords, using a simple but effective cracking method of trial and error. 

By limiting login attempts, you can protect your users and your page from attacks of this nature.

However, when it comes to WordPress admin security issues, it’s important to note that not every hazardous log-in attempt comes from criminals looking to steal data. Sometimes, admin platforms are subjected to non-malicious intrusions performed by users.  

If you’re running a WordPress site that provides user registration, there’s a chance that your users – or yourself – will get locked out of their account by accident. Forgetting your password has happened to everyone at some point after all.

The best way to separate malware attacks and non-malicious intrusions is to implement a network intrusion detection system that can track, record, and analyze potential login or admin issues, without interfering with the traffic it monitors. This way, you can ensure you’re not punishing forgetful users, but are keeping them protected nonetheless.
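
The difference between a brute force run and a forgetful user shows up clearly once failed logins are counted per source inside a time window. The following is an added example, not part of the original post or of any plugin; the thresholds, event format and IP addresses are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # look-back window for counting failures (assumed policy)
MAX_FAILURES = 5       # failures allowed per IP inside the window (assumed policy)

# Constructed login events: (unix_time, source_ip, username, succeeded)
SAMPLE_EVENTS = (
    [(1000 + i * 2, "203.0.113.7", f"user{i % 4}", False) for i in range(12)]
    + [(1010, "198.51.100.20", "alice", False),
       (1040, "198.51.100.20", "alice", False),
       (1090, "198.51.100.20", "alice", True)]
)

def analyse(events):
    """Replay events in time order; return (locked_out_ips, verdict_per_ip)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    names = defaultdict(set)      # ip -> usernames seen in failed attempts
    failures = defaultdict(int)
    successes = defaultdict(int)
    locked = set()
    for ts, ip, user, ok in sorted(events):
        if ip in locked:
            continue              # a limiter rejects these before checking the password
        if ok:
            successes[ip] += 1
            recent[ip].clear()    # a good login resets the failure counter
            continue
        failures[ip] += 1
        names[ip].add(user)
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()      # drop failures that fell out of the window
        if len(window) >= MAX_FAILURES:
            locked.add(ip)
    verdicts = {}
    for ip in failures:
        if ip in locked and len(names[ip]) > 1:
            verdicts[ip] = "likely brute force"
        elif ip in locked:
            verdicts[ip] = "locked out, single account: review"
        elif successes[ip]:
            verdicts[ip] = "likely forgotten password"
        else:
            verdicts[ip] = "below threshold"
    return locked, verdicts

if __name__ == "__main__":
    print(analyse(SAMPLE_EVENTS))
```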

5. Use two-factor authentication

Two-factor authentication is a security protocol that enforces an additional check on users looking to gain access to WordPress sites. This protection method adds an extra layer of security to passwords by asking for a unique one-use-only code that’s sent to your smartphone.

These apps and plugins are installed on your smart device and will send the codes so you can access your WordPress login screen. This approach is seen as a more secure way of changing your passwords regularly and is particularly recommended for eCommerce sites.

6. Implement IAM solutions

Identity and access management (IAM) software solutions are used to limit the number of remote users accessing online platforms via admin areas and login accounts. In the digital era, the IAM market has grown rapidly and the current list of IAM solutions available can overwhelm newcomers and inexperienced WordPress site owners alike.

There’s a basic list of points to follow to make the most of your IAM service, regardless of which IAM option you choose. Here’s a shortlist of what to do before you commit to a particular provider:

  • Access the IT architecture.
  • Look for any possible incompatibilities between the OS, third-party application or plugins, and the IAM tool.
  • Verify that your IAM system is compliant with guidelines and laws in your industry, market, and country.

7. Have a backup

The sad truth is, some things are unavoidable. It may be difficult to read, but there’s a chance that even if you do everything right, hackers will still be able to gain access to and attack your admin area. If that happens, it’s important to have a plan of action ready.

Imagine the worst-case scenario: your site has been attacked and hacked. There are no more prevention measures to implement. 

First things first, remember not to panic. Work to identify the problem and react accordingly. The best way to know if you’ve fallen victim to a cybersecurity breach is to look for possible signs of a hacking attack: 

  • You’re unable to log in.
  • Your site is redirecting elsewhere.
  • Your content has disappeared or there is new strange content and links.
  • Your site is running slower than usual.

Once you’ve identified the problem, the fastest way to fix any possible issues is to restore your WordPress website using UpdraftPlus. This will allow you to undo any hazardous changes and get back to normal as quickly as possible. To do so, you must have an older version of your site as a backup somewhere secure – such as a cloud storage platform.

As you may be aware, having your data backed up is one of the most essential things to do in terms of cybersecurity. If you want to keep a record of past versions of your site separate from your site, cloud-storage solutions offer safe and secure backups that can help you relaunch your site in just minutes after an attack.


Now that you have read seven effective security tips for your WordPress admin area, let’s reiterate what we’ve learned so far:

  • Change your passwords often.
  • Install login security plugins (and uninstall old or obsolete plugins).
  • Implement SSL encryption-based protocols.
  • Combat brute force attacks by limiting login attempts.
  • Use additional one-use-only passwords and codes by adding 2FA.
  • Limit your log-in possibilities with IAM software solutions.
  • Have a contingency plan to fight security breaches, malware, and ransomware viruses.
  • Keep a backup version of your site and use it during cybersecurity emergencies.

If you follow these measures, your WordPress site should be protected from any attacks and ready to combat and react to any issues, should the worst happen. 

What are you waiting for? Go out there and turn your WordPress page into an online fortress using UpdraftPlus and UpdraftCentral today!

John Allen has written for websites such as Hubspot and Toolbox.

The post 7 critical measures for protecting your WordPress admin area appeared first on UpdraftPlus. UpdraftPlus – Backup, restore and migration plugin for WordPress.