← back to blog
4 min read
  • #security
  • #updates
  • #patching
  • #small-business

Updates are a security feature, not an annoyance

Once a security patch is published, attackers scan for everyone who has not installed it. Here is what to auto-update and a 15-minute monthly checklist for the rest.


That update notification you keep dismissing is not about new features. Most of the time it is closing a security hole that somebody already found, wrote up, and published. And once a hole is published, attackers start scanning for everyone who has not closed it yet.

I am studying for Security+ right now, and patch management shows up all over the material. There is a reason. Unpatched software is one of the most common ways real businesses get broken into, and it is also one of the cheapest problems to fix.

A patch is a public confession

When a vendor ships a security update, they usually publish what it fixes. The details land in a public database called CVE, which anyone can read. That includes attackers. They compare the patched code to the old code, figure out exactly where the hole is, and write a scanner for it. Then they point that scanner at the whole internet.

This is the part small-business owners get wrong. Nobody is sitting in a basement targeting your dog grooming site in Heber City. They do not have to. The scanner does not care how big you are. It checks version numbers, finds the ones that are still old, and reports back. Being small does not make you invisible. Being patched does.

The Equifax breach in 2017 is the textbook case. The patch for the hole the attackers used had been available for about two months before the break-in. 147 million people had their data exposed because of an update that was sitting there, ready to install.

The same pattern plays out at small scale every day. When a popular WordPress plugin discloses a flaw, exploit attempts against unpatched sites often start within days, sometimes hours. If your salon site runs that plugin and you have not updated since last spring, you are on the list.

The excuses, honestly weighed

"It might break something." This one is real, and I will not pretend otherwise. Updates do sometimes break things. A plugin update can conflict with your theme and take your booking page down. That is a genuine tradeoff. The fix is a backup before you update, not skipping the update. A broken page is a bad afternoon. A breach is customer card data, cleanup costs, and a trust problem you cannot patch.

"I do not have time." Fair. That is why the answer is auto-update wherever the option exists, so most of this happens without you.

"It works fine." Working and secure are different properties. The site looked fine at Equifax too.

Auto-update everything you can

Flip these on once and stop thinking about them:

  • Your phone and laptop operating systems. Both have automatic update settings. Turn them on.
  • Your browser. Chrome, Edge, and Firefox update themselves. Just restart the browser when it asks instead of keeping the same tabs open for three weeks.
  • WordPress plugins and themes. WordPress has supported per-plugin auto-updates since version 5.5. Enable them for everything you run.
  • Site builders like Squarespace and Wix patch their platforms for you. That is an honest point in their favor, and I will grant it even as someone who builds sites for a living.

When I built the site for Susy Nails here in Heber City, I made it static on purpose. No database, no plugins, no admin login to attack. Fewer moving parts means fewer patches to miss. That choice is not right for every business, but for a small local site it removes most of this problem.

The 15-minute monthly checklist

For the things that will not update themselves, put a repeating reminder on your calendar. Once a month:

  1. Back up your website. Most hosts have a one-click backup. Do this first, every time.
  2. Update your website platform, plugins, and themes. Then load your own site and click through the pages a customer would.
  3. Delete plugins and apps you no longer use. Old, abandoned code is a hole waiting to be found, and you cannot forget to patch something you deleted.
  4. Log into your router and check for firmware updates. This is the one everyone forgets. I forgot it too until I started studying for these exams.
  5. Check your point-of-sale system and card reader software for pending updates.
  6. Glance at anything else on your network: cameras, smart thermostat, printer.

That is the whole job. Fifteen minutes a month closes the door that automated scanners are checking every day.

If you have a website and you are not sure what is quietly out of date on it, I do a free 24-hour site audit. Three real findings, yours to keep either way. If everything is current, I will tell you that too.

$ share

community rating

$ ls ./comments

sign in or create an account to rate and comment.

no comments yet, be first.