WordPress security tips have been on my short list of topics to write about for quite awhile now and I planned to cover them right after focusing on security for popular Smartphone devices. Fate had other ideas. Many people theorize that experience is the best teacher and it is impossible to teach without learning yourself and to a large extent I agree with that. So now that I have experienced my first WordPress plugin update problem I am better prepared to share my learnings and reflections with you.
WordPress plugins are popular and add a lot of functionality to a WordPress site but are potential sources of security vulnerabilities that could lead to your site getting hacked. For this reason I regularly check my admin panel and quickly update my plugins when a new version is released. Today, I caught myself on the bleeding edge of the upgrade curve as I experienced my first ever issue while applying a WordPress plugin update. The end result was that my wp-admin panel was inaccessible and I was no longer able to administer my own site. One of the central principles of of information security is to ensure availability and I no longer had it due to a security upgrade, how Shakespearean!
Lesson # 1 – Don’t panic, you have a current WordPress backup right?
Fortunately for me I have a daily automated backup created so I was confident that I could restore my site with minimal inconvenience (ironically a handy plug in helps me with that). This gave me the peace of mind to be calm and know that I would recover so if you do not perform regular backups I recommend that you do.
Lesson # 2 – You can solve nearly anything with Google, including when a plug in update corrupts your wp-admin section.
Since I had never experienced an issue with a WordPress plug in update before I was not quite sure how to handle the situation. Luckily for me we have Google. On the first page of my search query titled “WordPress plugin made wp-admin inaccessible” I was able to find a quick and easy solution which involved accessing my web hosting file manager, navigating to my site’s plugin directory and renaming the plugin that caused the denial of service on my admin page. After performing these actions my admin panel was again operational.
Lesson #3 – Security patches need time to test most of the time you don’t want to be on the bleeding edge
In the name of all things security I was on the bleeding edge of applying new patches to avoid potential hacker issues. In general that is not a bad approach but security patches themselves may have bugs that can lead to the lack of availability of your systems. It is often a balance to apply an update right away (prevent a hacker) vs. creating a corresponding risk to the availability of your system. For a WordPress site that can be quickly restored this may not be as big an issue but if you were dealing with a mission critical ERP system it would be an altogether different equation requiring detailed development environment testing of the patch.
Information security is always a bit of a balancing act and this is a great example of assessing the risks between being bleeding edge vs. allowing for patch burn in testing time. No matter which approach you choose make sure you have balanced the risks of both scenarios.