UPDATE ALL THE THINGS
I cannot stress this enough: if you want to stop things getting hacked, well, after squishy humans it is out-of-date sites that get hacked. When a vulnerability is discovered, plugin, theme and WordPress core developers roll out fixes in the form of updates. This means people on the latest version are no longer affected by that vulnerability, but the act of releasing an update with a security fix means that now EVERY bad actor knows such a vulnerability exists. Suddenly your site is a target.
Update WordPress Core
There is no excuse not to update WordPress core, even between major versions such as 4.9 to 5. The wonderful thing about the WordPress ecosystem is that if new features are added that you don’t want, someone will have built a plugin to disable them.
If you have been avoiding updating to WordPress 5 because of Gutenberg, install the Classic Editor plugin.
By default WordPress automatically updates minor releases, and the security team currently backports security fixes as minor releases for virtually every branch of WordPress back to WP 3.7, though this is never guaranteed.
When I tell people to enable automatic updates there is a lot of push back, mostly from people claiming they are worried it will cause a WSOD (white screen of death). The reality is that you are much more likely to get a WSOD on a site without auto-updates, where you are updating individual elements piecemeal, than by keeping everything on the latest version.
Others say they test each release, and that sounds wonderful, but do you? Do you really? Always? If you just answered yes three times then I would strongly recommend you look at acceptance testing as a way to automate that process.
Update WordPress Plugins
For exactly the same reason as WordPress core: your plugins are a huge attack surface and need to be kept up to date. Again I recommend automatic updates, including where you have eCommerce and premium plugins. This also means that if you have premium plugins you will always need a valid licence to stay up to date, so consider the cost over the lifetime the plugin is on your site, not just the initial purchase.
How to setup automatic updates
This will depend. If you are on an awesome managed host, chances are they will do it for you. If you’re not, then you can look at services like ManageWP, MainWP or similar. Otherwise, the Advanced Automatic Updater plugin does a fantastic job. Finally, for the more technical, WP-CLI is my preferred method.
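For sites where none of the above applies, WordPress itself exposes filters that opt core, plugins, themes and translations into its built-in automatic updater. The must-use plugin below is an added example written for this post, not code from the post's author or from WordPress; the file name, the `aue_` prefix and the (empty) hold-back list are assumptions made for the illustration.

```php
<?php
/**
 * Plugin Name: Auto-update everything (added example)
 *
 * Added example, not part of the original post. Save as
 * wp-content/mu-plugins/auto-update-everything.php: must-use plugins load
 * on every request and cannot be switched off from the dashboard, so the
 * policy cannot be quietly disabled by a site editor.
 */

defined( 'ABSPATH' ) || exit;

// Core: minor releases are applied by default. These two filters also opt in
// to major releases (e.g. 4.9 -> 5.x). Defining WP_AUTO_UPDATE_CORE as true
// in wp-config.php has the same effect; the filter form keeps it in one file.
add_filter( 'allow_major_auto_core_updates', '__return_true' );
add_filter( 'allow_minor_auto_core_updates', '__return_true' );

/**
 * Plugins or themes deliberately held back (constructed, empty by default).
 * Anything listed here is a known out-of-date component, so it needs its own
 * manual update schedule; keep the list empty unless you have a tested reason.
 */
function aue_held_back_slugs() {
    return array(
        // 'example-premium-plugin', // hypothetical slug: licence lapsed, update by hand
    );
}

/**
 * Decide whether one plugin/theme update is applied automatically.
 * $item is the update object WordPress hands to the auto_update_* filters:
 * plugins carry ->slug, themes carry ->theme (the stylesheet directory).
 */
function aue_should_auto_update( $update, $item ) {
    $slug = '';
    if ( isset( $item->slug ) ) {
        $slug = $item->slug;
    } elseif ( isset( $item->theme ) ) {
        $slug = $item->theme;
    }
    if ( in_array( $slug, aue_held_back_slugs(), true ) ) {
        return false;
    }
    return true;
}
add_filter( 'auto_update_plugin', 'aue_should_auto_update', 10, 2 );
add_filter( 'auto_update_theme', 'aue_should_auto_update', 10, 2 );

// Translation packs are small and harmless to update; keep them current too.
add_filter( 'auto_update_translation', '__return_true' );

// Hear about applied or failed updates by email rather than from a white screen.
add_filter( 'automatic_updates_send_debug_email', '__return_true' );
```

Two things make or break this: the automatic updater only runs from WP-Cron, so on a low-traffic site trigger it from a real cron job (for example `wp cron event run --due-now` with WP-CLI), and it is silently disabled if `AUTOMATIC_UPDATER_DISABLED` or `DISALLOW_FILE_MODS` is defined in wp-config.php, so check neither is set. If you prefer the WP-CLI route the author mentions, the equivalent one-off commands are `wp core update`, `wp plugin update --all` and `wp theme update --all`, which are easy to put behind the same cron job.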
So we were talking about updating all the things, so why not themes? Well, the short answer is yes, update themes, especially commercial ones that come with bundled plugins. Indeed, in such a scenario make sure the plugins can be updated independently of the theme, even if this means you have to buy the plugin as well.
The problem with themes is that people regularly make changes to them, be those style changes or additions to the functions.php file. This makes them difficult to update, because you will lose your changes.
The solution is to use a “child theme”: a theme that inherits everything from the parent theme but holds your changes. Child themes are pretty easy to build; don’t be put off by the term “developer”, it is really a case of copy and paste. You can also use a plugin to create your child theme, such as Child Theme Generator, just remember to remove it once you are done.
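To show what that copy and paste actually consists of, here is an added example (not the post's own code, and not the Child Theme Generator plugin) in the form of a small command-line PHP script that writes a minimal child theme next to an existing parent. The script name, the `-child` directory suffix and the two generated files are assumptions; the `Template:` header line and the `wp_enqueue_scripts` hook it relies on are standard WordPress behaviour.

```php
<?php
/**
 * make-child-theme.php (added example, not from the original post)
 *
 * Usage:  php make-child-theme.php /path/to/wp-content/themes twentynineteen
 * Result: /path/to/wp-content/themes/twentynineteen-child/{style.css,functions.php}
 * Parent slug and themes directory are arguments; nothing is hard-coded.
 */

if ( PHP_SAPI !== 'cli' || $argc < 3 ) {
    fwrite( STDERR, "usage: php make-child-theme.php <themes-dir> <parent-slug>\n" );
    exit( 1 );
}

list( , $themesDir, $parent ) = $argv;
$parentDir = rtrim( $themesDir, '/' ) . '/' . $parent;
$childDir  = $parentDir . '-child';

if ( ! is_file( $parentDir . '/style.css' ) ) {
    fwrite( STDERR, "no parent theme found at $parentDir\n" );
    exit( 1 );
}
if ( file_exists( $childDir ) ) {
    // Never clobber an existing child theme: that is exactly the customised
    // code this whole exercise is meant to protect.
    fwrite( STDERR, "$childDir already exists, refusing to overwrite\n" );
    exit( 1 );
}

// Read the human-readable name from the parent's style.css header block.
$header     = file_get_contents( $parentDir . '/style.css', false, null, 0, 8192 );
$parentName = preg_match( '/^\s*Theme Name:\s*(.+)$/mi', $header, $m ) ? trim( $m[1] ) : $parent;

// style.css: the "Template:" line is what makes this a child theme. WordPress
// uses the parent's template files and looks in this directory first.
$style = <<<CSS
/*
Theme Name: {$parentName} Child
Template:   {$parent}
Version:    1.0.0
*/

/* Your style overrides go below; the parent stylesheet is loaded by functions.php. */
CSS;

// functions.php: a child theme's functions.php is loaded before the parent's,
// so anything you used to paste into the parent's functions.php lives here
// and survives every parent update.
$functions = <<<'PHP'
<?php
add_action( 'wp_enqueue_scripts', function () {
    // Parent stylesheet first, then the child's, so the child's rules win on ties.
    wp_enqueue_style( 'parent-style', get_template_directory_uri() . '/style.css' );
    wp_enqueue_style(
        'child-style',
        get_stylesheet_directory_uri() . '/style.css',
        array( 'parent-style' ),
        wp_get_theme()->get( 'Version' )
    );
} );
PHP;

mkdir( $childDir, 0755 );
file_put_contents( $childDir . '/style.css', $style . "\n" );
file_put_contents( $childDir . '/functions.php', $functions . "\n" );
echo "created $childDir; activate '{$parentName} Child' under Appearance > Themes\n";
```

Once the child theme is active, move your edits out of the parent (style rules into the child's style.css, functions into the child's functions.php) and the parent becomes a plain, replaceable download that can be updated like any other component. The script deliberately refuses to overwrite an existing child directory rather than merging, so re-running it on an already converted site fails loudly instead of losing work.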
Once you are in a position where your theme can also be updated, you should consider automatically updating it, just like WordPress core and plugins.