If you build and maintain sites for customers, site security is a top priority.
WordPress moved to a two-week schedule for minor releases after WordPress 5.0 was released. Each WordPress minor release includes security fixes, and the same security changes are backported to older versions of WordPress (e.g., in the case of the 4.9.X branch, the security release would be 4.9.10). Set a minimum version of WordPress that you will support on client sites, and keep it no more than two versions behind the current release. It is easier to keep the child sites updated to the most current version than to run a security risk by using outdated WordPress core versions.
Now comes the next most important part, and the part of WordPress that gives it one of the best ecosystems out there: plugins! When using plugins on child sites, make sure they are kept updated, since plugin updates include feature improvements, new features, and security fixes. To get a basic top-level idea of the number of plugin security issues, look at WPScan, which lists security issues in WordPress core, plugins, and themes, along with the specific release in which each issue was fixed.
Having a child site with outdated plugins means that every plugin not updated is a security risk. You do not want a child site with an outdated WordPress core, plugins, or theme. If known security issues have not been fixed, you are leaving the site open to being hacked.
Common sense goes a long way with keeping a site secure.
Do not use common admin usernames. You keep hearing about this, but it still happens on sites using the username admin with a user ID of 1. Other common admin usernames include editor, webmaster, siteowner, and anything else which seems obvious and easy to guess.
Never use plugins which have not been updated in years and have been abandoned. Replace them with similar plugins which are still being updated. WordPress.org is a decent gauge: look at the number of closed support issues and the number of positive reviews. Stick with plugins that come recommended, work well, have regular updates, and do not cause performance issues.
If you are using a parent theme on a child site, keep it updated, whether the theme comes recommended from WordPress.org or from a theme marketplace.
“I do not update plugins all the time since they will break the site.” It is very easy to create a staging site, either using one provided by your hosting company or, alternatively, using other solutions to create a staging site where you test plugin and theme updates before applying them on the live site.
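As an added example (not code from the original post or from MainWP), here is a small Python audit that applies the checks above to WP-CLI style JSON output for one child site: core below your minimum supported version, plugins and themes with pending updates, and administrator accounts using guessable logins. The site data, the minimum version and the list of guessable logins are constructed assumptions.

```python
import json
from typing import Any, Dict, List

# Constructed sample shaped like WP-CLI JSON output for one hypothetical child site
# (wp core version; wp plugin list / wp theme list / wp user list --format=json).
SAMPLE_SITE_JSON = """{
  "core_version": "4.9.8",
  "plugins": [
    {"name": "akismet", "status": "active", "update": "available", "version": "4.0.8"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7"},
    {"name": "old-gallery", "status": "active", "update": "available", "version": "0.9"}
  ],
  "themes": [
    {"name": "twentyseventeen", "status": "parent", "update": "available", "version": "1.7"},
    {"name": "client-child", "status": "active", "update": "none", "version": "1.0"}
  ],
  "users": [
    {"ID": 1, "user_login": "admin", "roles": "administrator"},
    {"ID": 7, "user_login": "jdoe", "roles": "administrator"}
  ]
}"""
SAMPLE_SITE = json.loads(SAMPLE_SITE_JSON)

# Policy values are assumptions for this example: the oldest core release you still
# support, and the obvious administrator logins the post warns against.
MIN_SUPPORTED_CORE = "4.9.10"
COMMON_ADMIN_LOGINS = {"admin", "administrator", "editor", "webmaster", "siteowner"}


def version_tuple(v: str) -> tuple:
    """'4.9.10' -> (4, 9, 10); missing parts count as 0, so '5.0' sorts as (5, 0, 0)."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def audit_site(site: Dict[str, Any]) -> List[str]:
    """Return one finding per unpatched component or guessable administrator login."""
    findings = []
    core = site["core_version"]
    if version_tuple(core) < version_tuple(MIN_SUPPORTED_CORE):
        findings.append(f"core {core} is below minimum supported {MIN_SUPPORTED_CORE}")
    for kind in ("plugins", "themes"):
        for item in site[kind]:
            # Inactive code with a pending fix is still on disk, so it is reported too.
            if item["update"] == "available":
                findings.append(f"{kind[:-1]} {item['name']} {item['version']} has an update pending")
    for user in site["users"]:
        if user["user_login"].lower() in COMMON_ADMIN_LOGINS:
            findings.append(f"administrator '{user['user_login']}' (ID {user['ID']}) uses a guessable login")
    return findings
```

Calling `audit_site(SAMPLE_SITE)` on the sample returns five findings: the outdated core, two plugins and one parent theme with pending updates, and the admin account.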
“WordPress now releases minor updates so often that I can not keep up and do not update all of the time.” If you have built and currently maintain a child site for a client, part of your job is to keep the site updated, which means keeping WordPress core updated. Sometimes minor releases come out sooner than you would expect, because of a direct security release. Stay in the loop on WordPress updates, and take time to read the blog on WordPress.org.
Focus on these key things before assuming that a security plugin is going to magically keep your site safe because it renamed wp-login.php. It is very easy to create a false sense of site security: each plugin which has not been updated might not seem like an issue now, but stack several outdated plugins over a very short time frame and you are looking at major security issues. Stay focused on the small things, because very soon they will not be small. Otherwise you will be dealing with a site which was hacked or defaced, or with malware infecting the WordPress core files, and either fixing it yourself or paying another company to clean up the infection. And if the cause was an unpatched plugin, cleaning up WordPress core is not enough: the root vector of the hack is still there because you have not patched it, and it could happen again.