WordPress, Plugin Updates, and Security

I Love WordPress
Adriano Gasparri CC License 2006

When you care about something, you want to give it proper love and attention. You love your WordPress site, right?

WordPress Security

In this day and age it isn’t a matter of if your site will be hacked, it is a matter of when. So you have to do your best to put the right things in place to protect your site and to prevent or minimize the damage. Lately everything and every plugin has suffered from cross-site scripting (XSS) attacks.

Backups are your single best defence to protect your site. Seriously. If something crashes or compromises your site, backups are how you can get back up and running the quickest. And you need to back up often. You also need to be able to compare your backups. By observing what files were on your site when it was working fine and what files are there now, you can perhaps spot what, if anything, has been compromised. Or, if something on your site is broken, what broke it.

I have written previously about backups: Backup before going Forward (Part 1) and Backup before going Forward (Part 2). These just scratch the surface and talk about the free and cheap ways to back up your site. You may also want to look at plugins such as BackupBuddy that will let you back up to your favorite cloud drive and that provide automation of your backups. It costs money, but being able to restore your site to working order is a big thing, right?

And WordPress (the self-hosted version) has taken a beating as well, and many valiant programmers have stepped up to the challenge to be sure it is as safe as possible. Hence 4.1, 4.2, and now 4.2.2 have all come out very quickly, even in WordPress update terms. Read that article if you need more details.

So there are two things you have to think about: 1) Do I let WordPress auto-update every time they release a new version? 2) Do I let my plugins auto-update every time there is a new version? Perhaps you have built your site(s) on an older version of WordPress. It may be time to get current or advise your customers to get current. Sure, some of the updates have broken “features” you have come to know and love. Often WordPress releases new features as a plugin first and then it winds up being part of the core. Again, if you back up often, you can perhaps afford to allow WordPress to auto-update.

Next, plugins: you have to decide what your strategy is. Do you have a testing site before you roll changes into your production site? Or do you perform everything on your “Live” server? The safest approach is to perform all changes on your staging/test server first and then, once tested, allow these updates on your live/production site. To make life easier, you should back up both your test site and production site before any updates so you won’t lose so much sleep putting it back to working order. Ever made that “rut roh” change? You know, the one that happens in the “Oh No Second”: rats, I shouldn’t have done that. You know, the last change you made that shouldn’t have broken your site but did?

Conversely, though, security is important, and so many zero-day attacks often happen to our favorite WordPress plugins. For my site, this is so important that I have installed a plugin to allow auto-update of plugins. I know this comes with a level of risk, but I back up often so I don’t have as much fear. The one I am currently using is called “Automatic Plugin Updates”. I will not say it is the best, and it has not been updated in a bit, but it works and it works consistently, so that makes me happy. You can also exclude certain plugins, so if you know one plugin updating might break something, you can exclude it from auto-updating. It also sends you an update every time it updates something. I am sure there are other plugins that do the same thing, and perhaps they are better, but the point is, if you are concerned about security to that level, this is a good tool to have in the arsenal.

You should also consider some type of security plugin to protect your site even more. Here is a great article I wrote about what I do to protect my site: My WordPress Security Essentials

What is your strategy to protect your WordPress site?


Christian | Father | Tech Evangelist | Author | Public Speaker | Future TEDx speaker | WordPress Aficionado. I am the author of "WordPress: Setup to Website". I love all things tech and gadgets and I probably have an opinion about it which some people seek out. Follow @aroyrichardson