When I first started working with WordPress, there was a lot of resistance to the CMS from clients. The main pushback I got was around security: They had heard rumors that WordPress wasn’t inherently secure and were worried about using it for their business site.
By that time, WordPress was fast becoming the world’s most popular CMS and was taking security very seriously. I was able to reassure my clients that what they’d heard was a hangover from WordPress’ days as a blogging platform, that it was now powering sites for organizations such as government and media, for which security was a serious concern, and that it had become a very secure and stable platform.
I’m not a security expert, so if you’re looking for advice on that I recommend reading our ultimate guide to WordPress security, but what I can say is that one of the most important aspects of keeping your WordPress site secure, as well as ensuring that it’s running as smoothly and efficiently as possible, is to keep everything up to date.
So in this post, I’m going to examine three things:
Let’s start with the why: In case you weren’t already convinced, why should you keep your site up to date?
Why You Should Keep Your Site Updated
There are five main reasons for keeping every aspect of your WordPress site up to date, which are:
- Bug fixes
Each of these is important for different reasons, but it can be argued that security is the most important of all.
Keeping Your Site Updated Will Enhance Security
One of the reasons that WordPress is increasingly becoming the target of security attacks is that it’s so big. A CMS that powers over 39% of the internet will doubtless attract the attention of anyone wanting to insert malicious code, take sites down or steal data.
But the very size of WordPress, and of its community of users and developers, is also an asset here.
Security vulnerabilities are spotted and dealt with quickly. This applies to WordPress core as well as to the biggest and most popular plugins.
The fact that WordPress is open source means that anyone finding a problem can identify the cause of that problem and alert the right people straight away, whether that be via the WordPress site or by alerting a plugin developer.
With smaller and lesser-used plugins and those that aren’t well supported, this is less the case. But the fact that all plugins are open source means that even if the plugin developer doesn’t fix the problem, someone else can.
All of this means that when a security vulnerability comes to light in WordPress core or in a major plugin, it can be quickly fixed, and an update released straight away.
None of this will benefit you unless you keep your version of WordPress and your plugins and themes up to date. I’ll come to how you do this later in this post, and recommend some plugins that can help. But if you don’t install the updates, you’re vulnerable to security problems, and you’re the only one to blame.
An Updated Site Will Perform Better
Updates aren’t just for security. Often they’ll improve the performance of WordPress itself, or of a plugin or theme.
For example, WordPress 4.1 included improvements to complex queries to improve the performance of sites using these, and WordPress 3.9 included improvements to the performance of TinyMCE. Plugins also get updates to improve performance, perhaps to speed up scripts or queries or run more efficiently.
So keeping your WordPress version and your plugins up to date will help your site perform at its best.
Updating Can Eliminate Bugs
Aside from security patches, a reason for minor WordPress releases (the ones with an X.X.X version number, rather than X.X which is a major release) is to fix bugs.
Major releases tend to be very stable and bug-free thanks to the meticulous development cycle and the legions of people helping with testing, but sometimes a bug will slip through the net, and a minor release will come out to fix it. For example, release 3.8.3 fixed a bug with the “Quick Draft” tool, which was broken.
Plugins and themes are the same: Make sure you install updates in case they fix bugs that could be affecting your site.
Updates Can Enhance Compatibility (Or Sometimes Not!)
After a major WordPress release, a lot of plugins will get an update to ensure compatibility with the new version, or to make use of new features. Sometimes a plugin won’t need to be updated as it remains compatible, but the developer should check that it’s compatible and update its compatibility information which you see in the plugin repository.
Occasionally you might find that an update to WordPress or to a plugin results in incompatibility problems with another plugin, which is why it’s important to back up your site before updating.
The best way around this is to get as many of your plugins as possible from the same source and to get all of them from reputable developers who keep their plugins up-to-date. As a WPMU DEV member, I use the company’s plugins as much as possible as I can be confident that they’ll be compatible with each other.
Where I need functionality not provided by WPMU DEV, I make sure I only get plugins that are consistently kept up to date.
Updates Can Introduce New Features
Keeping your site up to date also gives you access to new features. For example, recent releases of WordPress have included big improvements to the UX of the admin screens as well as accessibility improvements. Plugins can do this too, which means that keeping things up to date gives you access to the latest goodies.
What You Need to Keep Updated
Keeping your site up to date isn’t just about updating WordPress itself. There are three aspects of keeping your WordPress installation up to date:
- WordPress itself
You can keep all of these up to date from one place: the updates screen, which you access via Dashboard > Updates.
For minor releases, both WordPress itself and some plugins will update automatically, but you should still keep an eye on things to ensure everything’s up to date. In the next section, I’ll look at how you can make that easier.
Keeping Your Site Updated
There are three main ways to keep your site up to date:
- Doing it all manually
- Via automatic updates
- Using a plugin
If you’re running a small site with only a few plugins and one theme, it’s realistic to do it manually. I’ll start with an outline of how you do that.
You can manage manual updates from the Updates screen.
To update themes or plugins, simply select the checkboxes and click the “Update Themes” or “Update Plugins” button. If you’ve got a lot of plugins to update, or you’re updating WordPress, it’s good practice to make a backup first. Even better, use a local or staging copy of your site to test everything works after the update before making the update on your live site.
Since WordPress 3.7, minor releases have automatically updated by default. This means that bug fixes and security patches are pushed to every WordPress site running the previous major or minor release, increasing the overall performance, reliability, and security of WordPress.
In addition, plugin and theme developers can opt into automatic plugin updates, meaning that security patches and bug fixes for those plugins and themes will also be pushed out automatically.
This happened in the case of WordPress SEO, which released a security update following the discovery of a vulnerability in March this year. This was automatically updated on all sites with the plugin installed.
Some people prefer not to have automatic updates activated, for example, if they have concerns over a plugin being updated and causing compatibility problems with other plugins, or want complete control over their WordPress installation.
If you are a WPMU DEV member, The Hub features an Ignore Update option. This gives you the options to ignore updates for individual sites, ignore updates globally, ignore updates on site reports, and more. Be sure to read our article for detailed information.
Another option, if you’re into coding, is you can specify whether automatic updates are enabled, disabled, or only apply to minor releases by adding a line of code to your
For example, to switch off automatic updates of WordPress core, you’d add this to
And if you wanted to switch off all automatic updates, including themes and plugins, you’d use this:
However if you want to ensure that your site is kept secure and up to date, I would advise against changing the defaults for automatic updates. There’s more information on this in the Codex.
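A check an administrator could run across the sites they manage, as an added example (not code from the original post): it reads a wp-config.php and reports whether the WordPress constants WP_AUTO_UPDATE_CORE and AUTOMATIC_UPDATER_DISABLED have switched automatic updates off. The sample config is constructed, and the parser assumes simple literal define() calls.

```python
import re

# Constructed sample wp-config.php fragment (not taken from the page).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
// define( 'WP_AUTO_UPDATE_CORE', 'minor' );
define( 'WP_AUTO_UPDATE_CORE', false );
define('AUTOMATIC_UPDATER_DISABLED', true);
"""

# define('NAME', value); where value is a bare word or a simple quoted string.
_DEFINE = re.compile(
    r"""define\s*\(\s*['"](\w+)['"]\s*,\s*(['"]?)([\w-]+)\2\s*\)\s*;""", re.I)


def strip_comments(php):
    """Drop /* */ blocks and //, # comments at line start or after ';'."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"(?m)(^|;)\s*(//|#).*$", r"\1", php)


def parse_constants(php):
    """Return {name: value}; bare true/false become bools, strings stay strings."""
    consts = {}
    for name, quote, raw in _DEFINE.findall(strip_comments(php)):
        if name in consts:
            continue  # PHP keeps the first define(); later ones are ignored
        consts[name] = raw if quote else raw.lower() in ("true", "1")
    return consts


def audit_auto_updates(php):
    """Return (core_mode, findings) for the automatic-update constants."""
    c = parse_constants(php)
    core = c.get("WP_AUTO_UPDATE_CORE", "default")
    mode = "off" if core is False else "all" if core is True else core
    findings = []
    if c.get("AUTOMATIC_UPDATER_DISABLED") is True:
        mode = "off"
        findings.append("AUTOMATIC_UPDATER_DISABLED is true: no automatic updates run")
    if core is False:
        findings.append("WP_AUTO_UPDATE_CORE is false: core patches need manual install")
    return mode, findings


if __name__ == "__main__":
    mode, findings = audit_auto_updates(SAMPLE_WP_CONFIG)
    print("core auto-update mode:", mode)
    for f in findings:
        print("FINDING:", f)
```

A site with neither constant set reports the mode "default", meaning WordPress applies its own built-in behaviour.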
Getting Notified of Updates and/or Vulnerabilities
The biggest barrier to keeping your site up to date for a lot of users is the work involved in checking your site and completing the updates.
Automatic updates go some way towards doing this, meaning that you don’t have to manually perform all of the updates yourself. WordPress will also notify you when an automatic update to the core has taken place (but not when a plugin is updated).
But what if you want more control? The good news is that there are plugins that can help you with this as well as those that will manage automatic updates for you. Let’s take a look at some of them.
Plugins to Help With Updating
The following plugins will help you keep your site up to date, either by notifying you when you need to do something or by doing it for you.
With our very own Automate plugin, you can relax when it comes to updates. Automate features secure, scheduled, backed up, and automatically accessed updates.
Your site is automatically backed up and features pre-update screenshots of your site that you determine (up to five). Plus, if you ever need to revert, you can do so easily in The Hub.
There’s also an uptime/error check that ensures your site is up and error-free.
You’ll get email reports of uptime and error checks, and it comes with the screenshots and percentage of highlighted differences.
Automate is free to use for all WPMU DEV members.
The Updater plugin lets you change your WordPress settings so that all plugins and themes, as well as WordPress itself, update automatically.
You select the update mode (Auto or Manual) and you’ll get an email every time there’s an update. Additionally, you can log into your site to install the update after making a backup.
Updater lets you search updates and update for WordPress, plugins, themes, and translations. You can customize the email notifications to include additional users and edit the “From” field.
It’s a 4.5-star rated plugin that’s free to use. There is a Pro option that gives you better customization, automatic deletion of old backups, support, and more.
These plugins will all help you manage the process of keeping your site up to date and could save you having to remember to check regularly, as well as minimizing the risk of you not updating soon enough after a security patch.
It’s also important that you keep your site backed up regularly, especially if you set your plugins to automatically update. For advice on backing up, see this post on the top backup plugins for WordPress.
Keeping your installation up to date is an important part of managing any WordPress site. It will ensure that your site performs as efficiently as possible and more importantly, it will keep on top of bug fixes and security patches. It’s one of the most effective methods for enhancing security, especially when teamed with the use of strong passwords.
In this post, you’ve learned why it’s important and what you need to keep updated. You’ve also seen some plugins that can help you with the process, saving you from having to do everything manually and helping you keep everything up-to-date.