WordPress & Joomla – Release Summary

Keeping your website software up to date is probably the single most important step for a secure website. Out-of-date software can make it easier for hackers to find ways to break into your website. For more information, see Software Maintenance & Website Security.

Release Summary – November, 2016

WordPress.org

  • There were no new releases this month
  • Current release: 4.6.1
    SECURITY RELEASE
    – Release date: September 7, 2016
  • Next scheduled release: 4.7, on December 6, 2016

Joomla.org

  • There were no new releases this month
  • Current release: 3.6.4
    SECURITY RELEASE
    – Release date: October 25, 2016
  • Next scheduled release: 3.7, in March, 2017

WordPress & Joomla – Release Summary – September 2016

WordPress.org

  • Current release: 4.6.1
    NEW
    SECURITY RELEASE
    – released September 7, 2016
  • Next scheduled release: 4.7, December 6, 2016

Joomla.org

  • No new releases this month
  • Current release: 3.6.2 – released August 4, 2016
  • Previous release: 3.6.1
    SECURITY RELEASE
    – released August 3, 2016
    Note: there is a special procedure to update to 3.6.1.
  • Next scheduled release: 3.7, 3rd quarter, 2016

Don’t Update Your Website Software

Key Points

  • If you see a software update prompt on your website, notify the website administrator
  • It’s dangerous to have a higher level of authority than you need. If you only need to post articles, you should not have authority to update software
  • Updating website software involves some degree of risk. Buggy or incompatible software can cause undesired results (e.g. a website crash)
  • A website admin will take a website backup before updating software to ensure a path to recover from any problems during the update process
  • A website admin will test new software in a test environment first to ensure the update on the live website goes smoothly
  • For best results, have a website administrator update all software. He/she will take all necessary precautions.

What??! But I thought you always said I should update my website software to avoid problems with hackers and malware. What gives?

Well, that’s correct, you should update your website software… figuratively speaking, of course. When I say “You should update your software”, well, I don’t necessarily mean YOU, yourself, should do it. I mean you should ensure that it gets done… that someone does it.

Software Update Prompts

So why do I bring this up? Well, when you log in to your site’s admin screen or dashboard, you may have seen messages telling you that updates are available and asking you to proceed to update your site. And technically, if you can see the prompts, you can perform the updates with just a few clicks. However, those messages are really meant for website administrators. And often, these messages are seen by other users, not just administrators. So if you aren’t the website administrator, it’s best to notify him/her about these messages.

Are You A Website Administrator?

Many website owners are set up with a login username on their site by someone else, maybe a web designer or an administrator did it for them. Many times, the owner is set up with a role that has more authority than he/she really needs… including the highest level, a super admin. This can be a very dangerous thing!

Do you know what your role is on the website? Do you just need to add new articles or posts once in a while? Or maybe you need to approve other users’ articles before publishing? Are you the website administrator who takes care of all the technical stuff? Do you really need to log in to the admin area / dashboard at all?

The point is, it’s important to know your role on your website, and your authority / access should reflect that role. For example, if you only need to post articles, you should not have authority to update software. The website administrator’s role is typically to install, update, remove and test software. They also will create website backups to ensure a way to recover from problems. If this doesn’t sound like what you normally do, then you probably shouldn’t be updating website software.
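One way to check who actually holds update authority on a WordPress site, as an added example that is not part of the original post. It relies on WP-CLI's `wp user list` and `wp user list-caps`; the function names and the `EXPECTED_ADMINS` variable are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: list WordPress accounts that can update software but are not
# expected to. Requires WP-CLI (`wp`) when run against a real site.

# Capabilities that allow installing updates from the dashboard.
UPDATE_CAPS="update_core update_plugins update_themes"

# Print the update capabilities a user holds, space-separated (empty if none).
update_caps_of() {
  local caps held="" cap
  caps="$(wp user list-caps "$1" </dev/null)" || return 1
  for cap in $UPDATE_CAPS; do
    if printf '%s\n' "$caps" | grep -qxF "$cap"; then
      held="${held:+$held }$cap"
    fi
  done
  printf '%s' "$held"
}

# audit_update_rights "alice bob"
# Prints "login: capabilities" for each account that can update software but
# is not in the expected list. Returns 1 if any were found, 2 on a WP-CLI error.
audit_update_rights() {
  local expected=" $1 " users user held rc=0
  users="$(wp user list --field=user_login </dev/null)" || return 2
  while IFS= read -r user; do
    [ -n "$user" ] || continue
    held="$(update_caps_of "$user")" || return 2
    [ -n "$held" ] || continue
    case "$expected" in
      *" $user "*) ;;  # expected to maintain the site
      *) printf '%s: %s\n' "$user" "$held"; rc=1 ;;
    esac
  done <<EOF
$users
EOF
  return "$rc"
}

# EXPECTED_ADMINS is a hypothetical variable: space-separated logins of the
# people who are supposed to apply updates.
if command -v wp >/dev/null 2>&1 && [ -n "${EXPECTED_ADMINS:-}" ]; then
  audit_update_rights "$EXPECTED_ADMINS"
fi
```

Checking capabilities instead of role names also catches accounts on custom roles that were granted update rights.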

About Those Software Update Prompts…

Some examples:

Software Maintenance & Website Security

Key Points

  • Software vulnerabilities are an inevitable byproduct of having a content management website
  • To ensure security, website software should be checked and updated on a regular basis
  • If software is not updated, your site will eventually be hacked
  • Google flags websites as “unsafe” if they are hacked or contain malware
  • Automatic software updates are conceptually a good idea but there are many considerations before deciding to use them

Your content management (CMS) website, be it WordPress or Joomla, needs periodic maintenance to ensure adequate security.

When you choose to use a content management website, you must make a commitment to periodically maintain it. If software updates are not applied, it’s not a question of IF a website will be hacked, it’s a question of WHEN. If your site gets hacked or infected with malware, Google will flag your site as “unsafe” and warn people not to visit it.

On a content management site, there are many software components such as the core platform, various plugins, a theme, etc. At any given time, this mix of software often contains security vulnerabilities. This is an unfortunate and inevitable byproduct of open source content management systems.

“…the leading cause of infection could be traced to the exploitation of software vulnerabilities in the platform’s extensible components… the integration of plugins, extensions, components, modules, templates, themes…”
from Sucuri’s blog post Website Hacked Trend Report 2016 – Q1

That said, these vulnerabilities usually get fixed relatively quickly, thus minimizing the threat to your website. But here’s the problem: website owners must take action to get these fixes applied to their websites. And they very likely don’t know they have software that needs updating. They don’t know their sites are at risk of being hacked. If vulnerable software is not updated, hackers will eventually find a way to gain access to the site. The best defense is to simply keep your site software updated.

As a rule of thumb, have your website software checked and updated at least monthly. It’s critically important to your website’s security to have software updates applied on a regular basis.

But What About Automatic Updates?