Vulnerabilities are rarely found in WordPress itself, its themes or its plug-ins, and when one is found the developer releases an update to fix it; but an update can also break the site. In some cases a company forbids updating because an update has caused the site to malfunction.
This dilemma comes up constantly when operating a WordPress site. Here is how to deal with it.


Update to improve WordPress security

More than half of all WordPress hacks and defacements are caused by vulnerabilities in plug-ins and elsewhere.

That is why many sites say they keep their software constantly updated to improve security.

WordPress core applies security patches automatically by default, but plugin and theme updates do not separate security fixes from full releases: an update also brings functional improvements and changes. That is the difficulty, because those changes can conflict with other themes and plug-ins and break the site.

Using a test site to update plug-ins without causing problems

In that situation, you can build a test site and try the plugin updates there first, so that the live site is updated without anything breaking.

Check for vulnerabilities and update only the affected plug-ins

Another option is to identify the installed plugins that have known vulnerabilities and update only those.
This is somewhat less secure than keeping every WordPress plugin up to date, but since many attacks are carried out with tools that mechanically scan for and exploit known vulnerabilities one after another, this approach is still quite effective at preventing break-ins.

To check your plugins for vulnerabilities, look up each plug-in installed on your site in wpscan, a large vulnerability database:
https://wpscan.com/plugins
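As an added example (not WordPress Doctor's code), the following script does the matching step of that check offline: it reads the standard header block of each installed plugin, compares the installed version against a table of fixing releases, and reports only the plugins that still need updating. The advisory table and the sample plugin sources are constructed data standing in for what you would take from wpscan; the `wp-content/plugins/<slug>/` layout is assumed.

```python
"""Flag installed WordPress plugins whose version predates the fixing release, so
only those are updated. Added example, not WordPress Doctor's code. Assumes the
standard plugin header in wp-content/plugins/<slug>/; advisory table is CONSTRUCTED."""
import re
from pathlib import Path

HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

# Constructed sample advisories: slug -> first version that fixes the issue.
FIXED_IN = {"example-gallery": "2.4.1", "example-forms": "5.0.3"}

def parse_version(v):
    """'2.4.1' -> (2, 4, 1); '2.4' -> (2, 4, 0); extra or non-numeric parts dropped."""
    parts = [int(p) for p in re.findall(r"\d+", v)][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(installed, fixed_in):
    """True when the installed version is older than the fixing release."""
    return parse_version(installed) < parse_version(fixed_in)

def parse_header(php_source):
    """Return (name, version) from a plugin's header comment, or None."""
    fields = dict(HEADER_RE.findall(php_source[:8192]))
    if "Plugin Name" not in fields:
        return None
    return fields["Plugin Name"], fields.get("Version", "0")

def load_plugin_sources(plugins_root):
    """slug -> source of the first PHP file in each plugin dir that has a header."""
    found = {}
    for d in (p for p in sorted(Path(plugins_root).iterdir()) if p.is_dir()):
        for php in sorted(d.glob("*.php")):
            src = php.read_text(errors="ignore")
            if parse_header(src):
                found[d.name] = src
                break
    return found

def audit(sources, fixed_in=FIXED_IN):
    """slug -> (installed, fixed_in) for plugins that still need updating."""
    findings = {}
    for slug, src in sources.items():
        hdr = parse_header(src)
        if slug in fixed_in and hdr and is_vulnerable(hdr[1], fixed_in[slug]):
            findings[slug] = (hdr[1], fixed_in[slug])
    return findings

# Constructed sample plugin files (real runs use load_plugin_sources(root)).
SAMPLE = {
    "example-gallery": "<?php\n/*\nPlugin Name: Example Gallery\nVersion: 2.3.9\n*/",
    "example-forms": "<?php\n/**\n * Plugin Name: Example Forms\n * Version: 5.1\n */",
    "untracked-seo": "<?php\n/*\nPlugin Name: Untracked SEO\nVersion: 1.0\n*/",
}
```

Against a live install, call `audit(load_plugin_sources("wp-content/plugins"))`; with the sample data only `example-gallery` is reported, since `example-forms` 5.1 is already past its fixing release.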

However, wpscan's database covers all kinds of minor vulnerabilities as well as the high-risk ones that can lead to site tampering, so using a plugin that is listed as vulnerable does not by itself mean your site is at immediate risk of tampering.

What matters is what kind of unauthorized activity the vulnerability would allow an attacker to carry out.

The [Free] WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal] lets you run a free one-time scan limited to the most dangerous vulnerabilities, those that can be used for tampering and other malicious activity.

Should I update my theme?

Themes often contain extensions unique to the creator or the site, so updating them is more likely than a plugin update to cause problems such as the design disappearing or the site not displaying at all.

In addition, theme creators often release changes that completely alter functionality or layout, so updating a theme is harder than updating a plugin even when you use a child theme, and WordPress Doctor does not recommend updating a theme.

Fortunately, themes produced independently or released by Japanese manufacturers have not been analyzed for vulnerabilities by hackers, and vulnerabilities in the themes themselves are rarely exploited in Japan.

What are the most dangerous cases of theme vulnerabilities?

However, if your site uses a very popular theme made overseas, and a vulnerability in it has been analyzed by hackers and is known to them, there is a high risk of the site being breached and tampered with.

If that is your situation, the following measures can be effective in improving security.

Check updates on the same kind of test site described above before applying them.
Write your own patch that closes only the vulnerability in the theme, rather than updating the whole theme.
Rename the theme's folder so the theme cannot be identified by a Google dork (a search-engine query that finds sites running a known theme).
Change the permissions of the entire theme folder to non-writable.