Even if you have an inactive theme, you should still update the theme.

We don’t recommend this as you never know which updates will create a conflict between the various pieces of code and software on your site. Your site could be broken or showing an error for weeks and you’d never know about it until you examine the front end of the site.

This is an additional step to hide your login url from hackers and spammers. We don’t recommend this as a one-size-fits-all solution, but it may be applicable for some sites. The problem with this is that it makes life difficult for the actual users of WordPress who will have to remember the new login url. Other WordPress experts argue that this is unnecessary as long as you enforce strong passwords.

The most common method to update your PHP version involves logging into your hosting account and searching for “MultiPHP Manage” via your C-Panel dashboard. If your web host does not use C-Panel as many high-quality WordPress hosts do not, you will want to do a search engine query for how to update PHP on your particular host’s server. Ex: “how to update PHP on WP Engine” or “Bluehost updating php [...]

Most required updates will be displayed in your WordPress backend. Login to your site and look for orange circles with the number of updates that need to be performed. You can do all of your updates at once by going to “Dashboard” (the first item in the left-hand sidebar) and looking for “updates.” But please, make sure to test your changes on a staging site first!

Yes, the most common cause of a WordPress site getting hacked or having malware injections is failing to update your WordPress Core version.

Yes, you need to update WordPress in order to keep up with important security updates.  Security patches are also released for old versions of WordPress, so, for example, it is possible to stay on WordPress 4 by updating your site each time a security update is released. See a full list of WordPress releases