WordPress 4.8.2 was released last night. This is a security update rather than an update that expands the features of WordPress.
The update includes a fix to help protect against SQLi injection attacks. Without the update, WordPress itself is not vulnerable to SQLi injection attacks directly, but certain plugins and themes may be vulnerable depending on how they use certain functions in their code. You can read more about this security release here.
What You Need to Do
If We Run Your Updates…
If we manage your updates, you’re covered – we’ve already run the update and you’re now on WordPress 4.8.2. You can stop reading this blog post and go on about your day. 😁
If You Run Your Own Updates…
However, if you manage your own updates, we recommend that you update your site immediately. Now that the existence of these vulnerabilities is public (with the release notes), it becomes much more likely that they will be exploited. It is very important that you update as soon as possible to WordPress version 4.8.2.
Updating Your Site Protects You From Being Hacked
In the last few weeks, we have noticed an uptick in the number of past clients, those who maintain their own websites, getting hacked. Because of that, we’re posting this update as an urgent reminder to keep your website’s software – WordPress, theme and plugins – up to date.
To update manually now you can sign into your WordPress site, mouse over the Dashboard on the top left, click ‘Updates,’ and complete the update process.
In some instances, you may have noticed that your host has run the security update automatically for you. If not, you’ll see a notification on your dashboard. There are a variety of ways to see that you have updates pending on your WordPress website. This website, for example, has four updates pending and is notifying the site owner in four different places:
1. WordPress Admin Toolbar
This toolbar is visible on both the backend and frontend of your website if you’re logged in as a user that has the ability to run site updates. The updates notification here will include all pending updates: those for WordPress itself, your theme, and plugins. If you click on this updates notification, it will go to the main updates dashboard where you can see and run all pending updates.
2. Dashboard Notification
Some plugins, themes, and even WordPress core will add a notification to your dashboard when an update is pending. In the above image you can see a notification from the Gravity Forms plugin that an update is pending. This may be visible only on the main dashboard when you first log in (/wp-admin) or may be visible throughout the entire backend of your website.
3. Updates Page
The main updates page that shows all the pending updates on your site can be found by clicking on Dashboard > Updates or going directly to YourWebsite.com/wp-admin/update-core.php. You need to be an administrative level user to access this page on the backend of WordPress. As you can see in the above image, there is a red-orange circle next to the “Updates” link with the number 4 in it – this is WordPress notifying you that 4 updates are pending and you should go look at that screen.
4. Plugins Page
Since the largest volume of updates and most frequent updates on your site will come from installed plugins, you can also see a notification on the plugins screen. The same red-orange circle with a number in it will appear next to “Plugins” on the dashboard navigation, and when you click into the plugins page, you’ll see notifications on each individual plugin that has an update pending. Here’s the plugin screen for that same website:
On the plugins page, you can update your plugins individually or in bulk by checking the box next to them and choosing “Update” from the “Bulk Actions” dropdown.
Don’t Forget to Backup Your Website!!!
It’s very important to backup your website before you hit update. If you’re on our hosting with WP Engine, your website files and database are automatically updated daily. You will also be prompted to log into your WP Engine dashboard to make a backup whenever you initiate an update. We highly recommend that you do this.
If you don’t host with us, we likely installed a copy of Backup Buddy on your website at time of launch. You can use this to create abackup of your website prior to running any updates.
Even Better: Run Updates on a Staging or Test Version of your Website First
Another great way to test updates before you run them on your live site is to copy everything over to staging and run the updates there.
All of our hosting plans have a free staging site included, which is ideal for testing updates to see if there are incompatibilities away from the eyes (and mouse) of your customers.
Testing updates in a staging environment is especially important for eCommerce websites and other websites with specialized functionality. If you have any questions about how staging sites work, feel free to leave a comment below or send us an email.
We Can Help Update You to WordPress 4.8.2
If you are unable to backup and update your website or need help with this, please send an email to firstname.lastname@example.org and someone from our team can help. If you would like assistance on an ongoing basis, we’d be happy to help with that too. Learn more about our hosting & support packages here.