The Three-Month Verdict: Lessons from Our WordPress Maintenance Experiment

A little over 3 months ago I set up a test website with no intention of maintaining it. I posed the question, “Will it get hacked? Will it end up selling dodgy pharmaceuticals or will it just soldier on forever?”.

Now, 3 months on, I’ve got another update with data and insights for you. In the last (2-month) update I outlined how although I expected the experiment to find in favour of maintenance, I wasn’t entirely prepared for the results that I would get so early on. Our 3-month update will allow us to see whether trends have continued.

So, 3 months into the experiment, let’s see what has happened. This post expands upon the two previous reviews and as such will be shorter in length and information.

If you have already seen these posts then please do use the ‘jump to content’ below to get straight to the bits that might interest you.

Jump to content

1. How long has the experiment been running?
   
2. What changed in month 3 of the experiment?
   
   • WordPress Core
   • Themes
   • Plugins
   • Attacks
     
3. Lessons learned so far
   
4. Conclusions
   
5. Get ongoing updates and the final report when the experiment concludes

How long has the experiment been running?

The test website has been live now for 12 weeks although oddly, it feels longer. We saw in the previous 2-month review that we have already gained some valuable insight into what happens to a WordPress website when you don’t maintain it. Our 3-month review builds on this with another months data.

Let’s cut to the chase: What changed in month 3 of the experiment?

Although the final report will be the most valuable in terms of data and analysis ( I encourage you to sign up to receive it ), I can draw your attention to some interesting findings which have occurred in the first 3 months. The insights are best split into areas:

WordPress Core

In month three of the experiment, we can see that the number of cumulative missed updates to the WordPress core is 3. In the final report to be created at the end of the experiment, I will go into a bit more depth about what kind of updates have been missed but I’m sure you, like me, get a bit anxious when there is one outstanding. As the number of missed versions increases, so do the chances that one or more of those updates held some kind of security/vulnerability patch.

Themes

The website uses 1 theme which is live, and then has the three other standard bundled themes, namely 2020, 2021 and 2022.

Normally I would only retain the live theme and any parent theme it may rely upon and one alternative theme (normally one of the bundled WordPress themes) to use as an alternative during troubleshooting and as a fallback. However, I so commonly find these themes the first time I log into a client website that I have left them in place in this instance.

• By the end of week 1, three of the four themes on the site had one or more updates outstanding. This persisted until week 5 when the number rose to all four themes having missed updates.
• By end of week 8, all four themes were missing a total of 5 updates between them.
• By the end of week 12, all four themes were missing a total of 6 updates between them.

Something that is worth drawing attention to is that the theme that has the most missed updates is coincidentally the active theme on the website. Although any pending update to any software is essentially a risk to varying degrees, the live theme having a larger number of missed updates is significant.

Plugins

This section has been reduced in size due to the repetition of so much information from the 2-month review. Please go back and read that if you would like more information than what is here.

For this test website, we use a total of 16 plugins to provide features such as spam comment protection, maintenance tools etc. It is worth mentioning, however, that it isn’t uncommon for me to find upwards of 20-30 plugins when I first log into a client site.

If you consider that every plugin is a potential vulnerability, the more plugins you have, the higher your potential risk. How those plugins are chosen does of course matter and whether they are vetted and reputable or whether they have been added without consideration of risk.

With that bit of explanation out of the way, let’s look at some stats.

• In the first week, 37.5% of the plugins on the site had missed one or more updates. This is important because updates often include feature fixes, security fixes and changes to ensure compatibility with the latest version of WordPress.
• At week 4, 56.25% of all the plugins on the website had missed one or more updates.
• At week 8, 75% of the plugins on the website had missed one or more updates.
• At week 12, 87.5% of the plugins on the website had missed one or more updates.

Attacks

Some login attempts happened with sufficient frequency to trigger a lockout.

• Notable stats include week 2 having 56 blocked login attempts and 14 lockouts.
• By end of week 4, the site had experienced 109 blocked login attempts and 27 lockouts.
• By end of week 8, this had risen to 261 blocked login attempts and 35 lockouts.
• By end of week 12, this had risen to 313 blocked login attempts and 40 lockouts.

Interestingly even though the site is unmaintained we see that attacks have tapered off over time causing a plateau in the lockout figures. As far as I can see from my limited research, the drop in attempted logins and lockouts appears commensurate with a drop in the level of attacks at a global level.

Lessons learned so far

• In week 1 we had a missed update to WordPress core, 37.5% of plugins with missed updates, 75% of themes on the site with missed updates and the site had already started seeing malicious login attempts.

• By the 1 month mark over half of all the software had missed one or more updates and the site was routinely experiencing malicious login attempts. 
  
• By the end of the second month, over 75% of the software that runs the website had missed one or more updates and 229 malicious logins were blocked.
  
• By the end of the third month, over 87.5% of the software on the website had missed one or more updates.

Conclusions

To read the conclusions from the month 2 report click here. The following points are in addition to the comments made in that review.

By this point of the experiment, I think we can safely say that we are no longer making an argument for or against ongoing website maintenance. The data presented in the graphs should be sufficient to show that after only one month of not carrying out routine maintenance that the risk profile of the website was becoming unacceptable.

Where your tolerance for risk sits is going to be subjective and tied to the value of your site, brand, sales leads and sales that it generates. When assessing risk we look at opportunity cost and the real-world cost of repairing any issues or rebuilding the website.

One thing that people often forget is the potential cost to a business of having its website blacklisted by search engines.

Blacklisting can happen if a site has been hacked and contains malware or appears to be a phishing website. Blacklisting can be time-consuming and expensive to repair and may see your site removed from search engines and/or have a notice attached to it to make visitors aware of the risk. A quick way to damage a brand and lose trust and sales.

The situation I feel that we find ourselves in now is deciding not whether or not to maintain, but how often to do it. Although the experiment has not yet finished we already see some pretty convincing data. If the % of plugins having missed updates isn’t enough, consider that some of those plugins have missed multiple upgrades. For example, as of month three:

• SEO functions missed 9 updates
  
• Ecommerce functions missed 8 updates
  
• Payment gateway functions missed 5 updates

• Analytics software missed 5 updates

If you are running a business for commercial gain and make sales and/or harvest visitor/customer data on your website how would you justify to the Information Commissioners Office having so many updates pending? GDPR puts the obligation on you to safeguard any data you hold about your customers/visitors and your website is one of those storage locations where you hold such data.

Would the ICO believe that you were making every effort to safeguard the data of your customers if you clearly aren’t maintaining your website? Would your insurers be content with your efforts to keep your website secure? All worth considering when you weigh up the ongoing cost of site maintenance. It may be inconvenient but much like car maintenance, the ongoing costs of maintenance are small when compared to the cost of replacing a vehicle.

If you have any questions about this experiment please feel free to get in touch via the contact page and if you would like to be notified of future updates and receive the final experiment report when it is produced, please sign up using the below form.

Thanks again for your time. Should you feel that your website would benefit from a health check and/or ongoing maintenance please give me a call on 01903 527927 and I will do my best to help.