When I first started working with WordPress five years ago, there was a lot of resistance to the CMS from clients. The main pushback I got was around security: They had heard rumours that WordPress wasn’t inherently secure and were worried about using it for their business site.
By that time, WordPress was fast becoming the world’s most popular CMS and taking security very seriously. I was able to reassure my clients that what they’d heard was a hangover from WordPress’ days as a blogging platform and that it was now being used to power sites for organisations like government and media for which security was a serious concern, and that it was now a very secure and stable platform on which to put their small business site.
But in recent weeks and months there has been a spate of security issues for WordPress plugins – most notably the cross-site scripting (XSS) vulnerability that has affected dozens of plugins, if not more, including big ones like Jetpack, Gravity Forms and Easy Digital Downloads – and some people have started to worry again.
I’m not a security expert, so if you’re looking for advice on that I recommend reading our ultimate guide to WordPress security, but what I can say is that one of the most important aspects of keeping your WordPress site secure, as well as ensuring that it’s running as smoothly and efficiently as possible, is to keep everything up to date.
So in this post I’m going to examine three things:
Why it’s crucial that you keep your site up-to-date.
What you need to keep up to date.
How to do it without it taking over your life.
Let’s start with the why: In case you weren’t already convinced, why should you keep your site up to date?
Why You Should Keep Your Site Updated
There are five main reasons for keeping every aspect of your WordPress site up to date, which are:
Each of these is important for different reasons, but it can be argued that security is the most important of all.
Keeping Your Site Updated Will Enhance Security
One of the reasons that WordPress is increasingly becoming the target of security attacks is because it’s so big. A CMS that powers up to a quarter of the internet will doubtless attract the attention of anyone wanting to insert malicious code, take sites down or steal data. But the very size of WordPress, and of its community of users and developers, is also an asset here.
Security vulnerabilities are spotted and dealt with quickly. This applies to WordPress core as well as to the biggest and most popular plugins. The fact that WordPress is open source means that anyone finding a problem can identify the cause of that problem and alert the right people straightaway, whether that be via the WordPress site or by alerting a plugin developer.
With smaller and lesser used plugins, and those that aren’t well supported, this is less the case. But the fact that all plugins are open source means that even if the plugin developer doesn’t fix the problem, someone else can.
All of this means that when a security vulnerability comes to light in WordPress core or in a major plugin, it can be quickly fixed, and an update released straightaway.
None of this will benefit you unless you keep your version of WordPress and your plugins and themes up to date. I’ll come to how you do this later in this post, and recommend some plugins that can help. But if you don’t install the updates, you’re vulnerable to security problems, and you’re the only one to blame.
An Updated Site Will Perform Better
Updates aren’t just for security. Often they’ll improve the performance of WordPress itself, or of a plugin or theme.
For example, WordPress 4.1 included improvements to complex queries to improve the performance of sites using these, and WordPress 3.9 included improvements to the performance of TinyMCE. Plugins also get updates to improve performance, perhaps to speed up scripts or queries or run more efficiently.
So keeping your WordPress version and your plugins up to date will help your site perform at its best.
Updating Can Eliminate Bugs
Aside from security patches, a reason for minor WordPress releases (the ones with a X.X.X version number, rather than X.X which is a major release) is to fix bugs.
Major releases tend to be very stable and bug-free thanks to the meticulous development cycle and the legions of people helping with testing, but sometimes a bug will slip through the net, and a minor release will come out to fix it. For example release 3.8.3 fixed a bug with the “Quick Draft” tool which was broken.
Plugins and themes are the same: Make sure you install updates in case they fix bugs that could be affecting your site.
Updates Can Enhance Compatibility (Or Sometimes Not!)
After a major WordPress release, a lot of plugins will get an update to ensure compatibility with the new version, or to make use of new features. Sometimes a plugin won’t need to be updated as it remains compatible, but the developer should check that it’s compatible and update its compatibility information which you see in the plugin repository.
Occasionally you might find that an update to WordPress or to a plugin results in compatibility problems with another plugin, which is why it’s important to back up your site before updating.
The best way around this is to get as many of your plugins as possible from the same source, and to get all of them from reputable developers who keep their plugins up-to-date. As a WPMU DEV member, I use the company’s plugins as much as possible as I can be confident that they’ll be compatible with each other. Where I need functionality not provided by WPMU DEV, I make sure I only get plugins that are consistently kept up-to-date.
Updates Can Introduce New Features
Keeping your site up to date also gives you access to new features. For example, recent releases of WordPress have included big improvements to the UX of the admin screens as well as accessibility improvements. Plugins can do this too, which means that keeping things up to date gives you access to the latest goodies.
What You Need to Keep Updated
Keeping your site up to date isn’t just about updating WordPress itself. There are three aspects of keeping your WordPress installation up to date:
You can keep all of these up to date from one place: the updates screen, which you access via Dashboard > Updates:
For minor releases, both WordPress itself and some plugins will update automatically, but you should still keep an eye on things to ensure everything ‘s up to date. In the next section I’ll look at how you can make that easier.
Keeping Your Site Updated
There are three main ways to keep your site up to date:
Doing it all manually
Via automatic updates
Using a plugin
If you’re running a small site with only a few plugins and one theme, it’s realistic to do it manually. I’ll start with an outline of how you do that.
You can manage manual updates from the Updates screen. Below is the Updates screen for a site with one plugin and a few themes that need updating:
To update themes or plugins, simply select the checkboxes and click the “Update Themes” or “Update Plugins” button. If you’ve got a lot of plugins to update, or you’re updating WordPress, it’s good practice to make a back up first. Even better, use a local or staging copy of your site to test everything works after the update before making the update on your live site.
And here’s the same screen with everything up to date:
You’ll notice in the screenshot that the Updates screen is also telling me that my WPMU DEV plugins and themes are up to date: if you’re a WPMU DEV subscriber, you can update your plugins and themes from this screen or from the WPMU DEWV screen, accessible via the admin menu.
Since WordPress 3.7, minor releases have automatically updated by default. This means that bug fixes and security patches are pushed to every WordPress site running the previous major or minor release, increasing the overall performance, reliability and security of WordPress.
In addition, plugin and theme developers can opt in to automatic plugin updates, meaning that security patches and bug fixes for those plugins and themes will also be pushed out automatically. This happened recently in the case of WordPress SEO, which released a security update following the discovery of a vulnerability in March this year. This was automatically updated on all sites with the plugin installed.
Some people prefer not to have automatic updates activated, for example if you have concerns over a plugin being updated and causing compatibility problems with other plugins, or you want complete control over your WordPress installation.
You can specify whether automatic updates are enabled, disabled or only apply to minor releases by adding a line of code to your wp-config.php file.
For example, to switch off automatic updates of WordPress core, you’d add this to wp-config.php:
And if you wanted to switch off all automatic updates, including themes and plugins, you’d use this:
However if you want to ensure that your site is kept secure and up to date, I would advise against changing the defaults for automatic updates. There’s more information on this in the Codex.
Getting Notified of Updates and/or Vulnerabilities
The biggest barrier to keeping your site up to date for a lot of users is the work involved in checking your site and completing the updates. Automatic updates go some way towards doing this, meaning that you don’t have to manually perform all of the updates yourself. WordPress will also notify you when an automatic update to core has taken place (but not when a plugin is updated).
But what if you want more control? The good news is that there are plugins that can help you with this as well as those that will manage automatic updates for you. Let’s take a look at some of them.
Plugins to Help With Updating
The following plugins will help you keep your site up to date, either by notifying you when you need to do something or by doing it for you.
The Updater plugin lets you change your WordPress settings so that all plugins and themes, as well as WordPress itself, update automatically. This is quite a risky thing to do in my opinion (and can be done via wp-config.php anyway) so I would advise using its other option, which is to send you an email every time a plugin, theme, or WordPress gets an update.
Once you’ve done this, you’ll get an email every time there’s an update and you can log into your site to install the update after making a backup.
This plugin has more configuration options. You can specify which of your installed plugins you want to update automatically via the plugin’s setting screen. This means that you can select those plugins that you’re happy auto-updating, but leave out those which you’re less sure about. Just set up notifications as well and manually update the plugins that aren’t auto-updated after making a backup.
The plugin doesn’t notify you of updates, but the flexibility makes it one worth using.
This plugin does a slightly different job: instead of notifying you when there’s an update available, it checks your plugins and lets you know if one of them has a vulnerability.
You can then log in to your site and update the plugin if an update is available, or notify the plugin developer asking them to fix the problem.
These plugins will all help you manage the process of keeping your site up to date and could save you having to remember to check regularly, as well as minimising the risk of you not updating soon enough after a security patch.
It’s also important that you keep your site backed up regularly, especially if you set your plugins to automatically update. For advice on backing up, see this post on the top backup plugins for WordPress.
Keeping your installation up to date is an important part of managing any WordPress site. It will ensure that your site performs as efficiently as possible and more importantly, it will keep on top of bug fixes and security patches. It’s one of the most effective methods for enhancing security, especially when teamed with the use of strong passwords.
In this post you’ve learned why it’s important and what you need to keep updated. You’ve also seen some plugins that can help you with the process, saving you having to do everything manually and helping you keep everything up-to-date.