Posted by Jesus Gonzalez on March 17, 2026

image of a person typing on their laptop with the words "Updating Files" overlaid.

Most hacks don’t happen because a hacker “targeted” you. They happen because something on your site was outdated — a plugin, a theme, your CMS, or even your server software. Attackers scan the internet looking for known vulnerabilities, and outdated tools are basically an open invitation. After a hack, updating everything is non‑negotiable. Even if you restored from a clean backup, you’re still vulnerable if the underlying software is old. Updating isn’t just maintenance — it’s closing the exact door the hacker used to get in.

What to Update (and Why It Matters)

1. Your CMS (WordPress, Joomla, Drupal, etc.)

The core platform is often the biggest target. Updates patch security holes, fix bugs, and harden your site against known exploits. If your CMS is several versions behind, you’re at high risk of reinfection.

2. Plugins and Extensions

These are the #1 source of website hacks. Many plugins are created by small teams who don’t always update quickly. If a plugin hasn’t been updated in years, it’s safer to replace it entirely.

Signs a plugin should be removed:

  • No updates in 12+ months
  • Poor reviews or abandoned support
  • Known vulnerabilities listed online
  • You don’t actually use it anymore

3. Themes

Themes aren’t just design — they contain code. Outdated themes can contain vulnerable scripts, outdated libraries, or insecure templates.

If you’re using a custom or heavily modified theme, make sure it’s rebuilt or reviewed by a developer after a hack.

4. PHP Version

Your website runs on PHP, and older versions stop receiving security patches. Running PHP 7.4 or older is a major risk.

Upgrading PHP improves:

  • Security
  • Speed
  • Compatibility with modern plugins and themes

5. Server Software

Your hosting environment matters just as much as your CMS.

Make sure your host updates:

  • Apache or Nginx
  • MySQL or MariaDB
  • cPanel or hosting control panels
  • Firewall and malware tools

If your host doesn’t keep things updated, it may be time to switch.

6. API Keys and Integrations

If your site was hacked, assume your API keys may have been exposed.

Update or regenerate keys for:

  • Payment processors
  • Email marketing tools
  • CRM systems
  • Mapping or analytics services
  • Any third‑party integration

This prevents attackers from abusing your connected services.

If Something Hasn’t Been Updated in Years… Replace It

Old plugins, abandoned themes, outdated page builders — these are all liabilities. Sometimes the safest move is to remove and rebuild instead of trying to patch something ancient.

Think of it like replacing a broken lock instead of trying to fix it with duct tape.

Next Up: Locking Down Your Site Before Relaunching

Once everything is updated, the next step is tightening security so the hack doesn’t happen again. We’ll cover that in the next post.

Need Help?

Not sure what needs updating?
Green Monkeys Studio can audit your entire site and update everything safely.

Get Help Now

Call us at (206) 551-6177 or schedule a free consultation here at https://greenmonkeysstudio.com/book-a-consultation

Ready to strengthen your security?

Get a Free Vulnerability Assessment

Click to get your free assessment and uncover hidden risks, protect sensitive data, and keep your business safe from cyber threats—starting today.

Free Vulnerability Assessment