How to patch WordPress
WordPress · CMS · 5 steps · updated June 2026
WordPress core is quick to update, but most real-world compromises come through outdated plugins and themes — so patch all three. Back up first, then update core, plugins and themes, and enable automatic security updates.
WordPress has 1 actively-exploited vulnerability on the CISA KEV list — patching is urgent.
Check your current version first
Before you patch, record what you're running (Admin dashboard / WP-CLI):
wp core version, or the version shown in the admin footer.
Step by step
1. Use a backup plugin (e.g. UpdraftPlus) or a host snapshot. WordPress touches the database on update, so back up both files and DB.
2. Dashboard → Updates → Update to the latest version; or with WP-CLI: wp core update && wp core update-db.
3. This is where most breaches start. Update everything: wp plugin update --all and wp theme update --all (or via Dashboard → Updates). Remove plugins you no longer use.
4. Minor/security core updates are automatic by default — keep that on, and consider enabling auto-updates for plugins and themes too.
5. Load the site and key flows (login, checkout, forms) to catch any plugin/theme conflict from the update.
- Outdated plugins, not core, are the leading WordPress attack vector — patch them on the same cadence.
- On a live store/site, test updates on a staging copy first where you can.
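The five steps above as a single WP-CLI run, which refuses to update without a usable backup and fails if any plugin is still outdated afterwards. This is an added example, not code from WordPress or from this page; the script name, the site root and the backup directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the page. Assumes WP-CLI ("wp") and tar are on PATH.
# Usage: sh patch-wp.sh <site-root> <backup-dir>   (both paths are yours to choose;
# keep the backup dir outside the site root)
set -eu

run() { wp --path="$site" "$@"; }

patch_site() {
    site=$1; backup=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$backup"

    # Record the running version before changing anything.
    before=$(run core version)

    # Step 1: back up database and files; refuse to continue on an empty dump.
    run db export "$backup/db-$stamp.sql" >/dev/null
    [ -s "$backup/db-$stamp.sql" ] || { echo "empty DB dump, aborting" >&2; return 1; }
    tar -czf "$backup/files-$stamp.tar.gz" -C "$site" .

    # Step 2: core, then any pending database schema changes.
    run core update >/dev/null
    run core update-db >/dev/null

    # Step 3: plugins and themes on the same run as core.
    run plugin update --all >/dev/null
    run theme update --all >/dev/null

    # Step 4: auto-updates for plugins and themes. A non-zero exit here
    # (for example, nothing left to enable) does not abort the run.
    run plugin auto-updates enable --all >/dev/null 2>&1 || true
    run theme auto-updates enable --all >/dev/null 2>&1 || true

    # Step 5 starts here: confirm the version and list what is left over.
    after=$(run core version)
    pending=$(run plugin list --update=available --field=name)
    unused=$(run plugin list --status=inactive --field=name)
    echo "core: $before -> $after"
    echo "plugins still outdated: ${pending:-none}"
    echo "inactive plugins to review for removal: ${unused:-none}"
    [ -z "$pending" ]   # fail the run if any plugin did not update
}

if [ "$#" -ge 2 ]; then patch_site "$1" "$2"; fi
```

The script covers only the command-line part of step 5; loading the site and exercising login, checkout and forms still has to be done by hand or by your own smoke tests.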
Official sources
- Advisory: WordPress security releases ↗
- Download: WPScan vulnerability database ↗
Frequently asked questions
What is the latest version of WordPress?
As of June 2026, the latest supported WordPress release we track is 7.0.0. Patch to the current release on your branch and confirm the version after updating.
How do I check which version of WordPress I am running?
Use wp core version (WP-CLI) or the version shown in the admin footer (Admin dashboard). Record the result before and after patching to confirm the update applied.
Is WordPress being actively exploited right now?
Yes — 1 WordPress vulnerability is on the CISA Known Exploited Vulnerabilities (KEV) list, so attackers are using it in the wild. Patch promptly. See the exploitation radar.
How do I patch WordPress safely without breaking production?
Always test in a non-production environment first, take a backup or snapshot, follow the official vendor advisory, and have a tested rollback. Patch one node at a time for clustered or high-availability setups.
Patch steps are general, well-established guidance for WordPress — always test in a non-production environment first and follow the official WordPress advisory for your exact version. IsItPatched is independent and not affiliated with WordPress; this is not a substitute for vendor documentation. See our disclaimer.