How to Safely Update Your WordPress Website

The most common cause of website malfunctions is bugs in WordPress or your plugins. These bugs also cause WordPress websites to get hacked, because attackers gain entry through them.

Therefore, updating your plugins frequently is the most important thing you can do to protect your website from bugs and hackers. By updating your plugins, you will receive bug fixes and new features as well. 

In addition to plugins, remember to update themes and WordPress itself too. Keeping your website up to date is the most effective thing you can do to keep your website running smoothly and hacker-free.

Unfortunately, there are some risks to updating your website. In this article, we’ll explain some of those risks and how to mitigate them so you can safely and confidently update your WordPress website. 

The WordPress Updates screen

WordPress updates can be tricky

WordPress has a built-in tool that makes it easy to update your site. You can find it on the Dashboard → Update Core screen.

In theory, it makes updating your site super easy: click the button and everything gets updated. In practice, however, it’s a little more complicated.

Updates can and do cause unintended consequences. For example, things may look and work differently after the updates. Sometimes the update gets stuck or fails, which breaks your site. If updating is the first line of defense against bugs and hackers, why is it so problematic?

The WordPress ecosystem is made up of thousands of plugins and themes, created independently by thousands of different developers. It’s impossible for them all to communicate and coordinate their development, which leads to the unintended consequences mentioned above. It’s no wonder that many website owners have “update anxiety” and avoid updating.

We’re telling you this not to scare you, but to be fully transparent. Besides, the risk of not updating far outweighs the risks of a bad update. For example, some bugs are invisible to you, but can be used by hackers to gain access to your site. That’s why we strongly recommend that you make updating a habit and a regular part of your routine.

There are several steps to ensure a safe and successful update process. We’ll run through these steps and soon you’ll be able to confidently click that update button.

How to update your website safely

Wouldn’t it be great if you could know what changes are coming before you update your plugins? That way you could decide whether to defer or avoid them altogether. 

Look before you leap

And because that is such a great idea, this feature is built into WordPress. Every plugin and theme distributed from wordpress.org includes 2 tools to help you understand what to expect when updating them: version numbers and the changelog.

You can find these under each plugin’s name on the WordPress Updates screen:

The version numbers tell you what version you have installed on your site, and what version you can update to. The “view version xx details” link opens up the changelog. 

Let’s understand how these tools help you update safely. 

Version Numbers

WordPress plugin and theme developers follow a specific numbering scheme. Big changes are intentionally reserved for major version updates (e.g. v3.9.3 to v4.0.0), which warrant extra caution before updating.

Minor updates (e.g. v1.0.0 to v1.1.0) and patch updates (e.g. v2.0.7 to v2.0.8) are generally safe to update as they only contain enhancements and bug fixes.

In the example above, there are 2 plugins that require updating.

WooCommerce v3.9.3 is presently installed and the current version is v4.1.1 – a major update that will require more care and testing to update.

WooCommerce Price Based on Country is presently at v2.0.6 and the current version is v2.0.8 – a patch update which should only fix bugs and not cause any issues.

Some plugins will even warn you when you try to update to a new major version.

The Changelog

The changelog is a record of all of the versions and the changes made in each version. The details in the changelog expand on the information provided by version numbers.

Responsible and professional plugin developers will always include detailed changelog notes. They will also state in the changelog when a major update will require extra caution when updating.

The WordPress Updates screen shows all of the plugins and themes that have available updates, with a handy link to “view version details”. Clicking on the link opens a window with the plugin changelog. 

The plugin changelog

Sometimes the changelog is too long to display, and the plugin will direct you to their website where the full changelog can be found.

How to use the changelog

The changelog lists out the changes for each version of the plugin. Read the changelog to anticipate what will be changed and how it might affect your site.

Here’s an example from the Seriously Simple Podcasting plugin:

2.2.0

– [NEW] New Blocks! Standard Audio Player block and customisable Podcast List Block

– [FIX] Fixes a bug related to the HTML5 player icons conflicting with third party font icons like FontAwesome

– [TWEAK] Adds an episode number field to the series widget, to limit episodes loaded by series (props lordneeko)

2.1.1

– [FIX] Fixes a bug which crashes sites using a version of WordPress older than 5.0

2.1.0

– [NEW] Block Editor support – adds a Castos Player block to the block editor, for use on posts and pages

– [NEW] Minor UI message changes to the Hosting and Import settings

– [FIX] Fixes a bug where in some instances, Castos users experience problems syncing episode data to their Castos account

– [FIX] Fixes a bug in the Dashboard widget

In v2.2.0, the developers added a fix for icons. So if you’ve been having problems with your icons, updating to v2.2.0 might fix that issue.

If you see the changelog describe a change to a feature that you depend on, and you don’t have the time to learn how it works now, you may decide to defer the update till later.

In summary, the changelog gives you more detail about the update so you can better prepare or decide if you should proceed with updating.

Dealing with major updates

We’ve learnt that it is generally safe to proceed with minor and patch updates. But what about major updates? How can we safely update, especially when we don’t have any technical skills? Here are 2 strategies for you.

Defer major updates to the 1st patch

The easiest way to deal with major updates is to delay updating until the first patch or minor version has been released. For example, let’s say a new major version of the plugin has been released, version 5.0.0. The first patch and minor versions following that would be 5.0.1 and 5.1.0 respectively.

If there are any bugs in the major version, the plugin developer would have released an update to fix them. So by delaying you skip the bugs in the initial release. Easy!

Of course, don’t wait too long before you update. We recommend a 2-week deferment at most. After 2 weeks you can be confident that there aren’t any show-stopping bugs.
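
The version-number rules and the deferral strategy above can be expressed as a small script. This is an added example, not part of the original article or of WordPress itself; the function names, the sample rows and their day counts are constructed for illustration, and it assumes plain major.minor.patch version strings.

```python
import re

MAX_DEFER_DAYS = 14  # the article's "2-week deferment at most"


def parse_version(text):
    """Turn 'v4.1.1', '4.1' or '5' into a (major, minor, patch) tuple."""
    match = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not match:
        raise ValueError(f"not a major.minor.patch version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def update_type(installed, available):
    """Classify an update as 'major', 'minor', 'patch' or 'none'."""
    old, new = parse_version(installed), parse_version(available)
    if new <= old:
        return "none"
    if new[0] != old[0]:
        return "major"
    return "minor" if new[1] != old[1] else "patch"


def decide(installed, available, days_since_release):
    """Apply the article's policy to one pending update."""
    kind = update_type(installed, available)
    if kind == "none":
        return "up to date"
    if kind in ("minor", "patch"):
        return "update now"
    # Major update: x.0.0 is the initial release; x.0.1 or x.1.0 and later
    # mean the first round of fixes has already shipped.
    first_release = parse_version(available)[1:] == (0, 0)
    if first_release and days_since_release < MAX_DEFER_DAYS:
        return "defer"
    return "update with care"


# Constructed sample data: the first two rows reuse the versions quoted in
# the article (day counts made up); the last two plugin names are hypothetical.
PENDING = [
    ("WooCommerce", "3.9.3", "4.1.1", 10),
    ("WooCommerce Price Based on Country", "2.0.6", "2.0.8", 2),
    ("example-course-plugin", "4.9.2", "5.0.0", 3),
    ("example-forms-plugin", "4.9.2", "5.0.0", 20),
]

if __name__ == "__main__":
    for name, installed, available, age in PENDING:
        print(f"{name}: {installed} -> {available}: "
              f"{decide(installed, available, age)}")
```

A result of “update with care” means the update is major and should get the extra caution described in this article, including a staging test if the plugin is critical to your business.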

Test the update on a staging site

Staging sites are like crash test dummies

A staging site is a private, duplicate copy of your site. Its main function is to be a crash test dummy for your website. Staging sites are useful for testing a new theme or design, experiments, or in this case plugin updates.

Using a staging site is the recommended way to test plugin updates, but it is time-consuming and may be complicated depending on your hosting setup. That’s why we feel it’s sufficient to only test on a staging site for really major updates, the kind that may impact your business. 

For example, if you operate a website that offers online courses, it makes sense to test major updates to your online course plugin. Other major updates can be deferred as described above. Staying up to date is important, but so is using your time wisely and effectively.

When using a staging site to test plugin updates:

  • Check that the plugin doesn’t crash the site
  • Check that your site still looks the same
  • Ensure all critical features of the site function as before
  • If your website allows customers to log in, test that it still works

If the update passes all the checks above, congratulations! You can safely update the plugin on the live site.

If the staging site doesn’t pass the checklist above, you’ll want to identify the specific incompatibilities and problems caused by the plugin. You may need to reach out to the plugin developer to ask why their plugin update is causing problems.

Don’t forget to back up before you update

Backup. Backup. Backup.

There is one last step before updating your website: backing up your website.

It’s better to be safe than sorry, so it’s best to have a full backup of the site just in case something goes wrong. We explain how to back up your website in the next chapter.

Performing the Update

You have taken note of the version numbers, read the changelog and made your decision about how to handle major updates. You’ve also made a full backup of your website so you’re insured against any update problems.

It is finally time to perform the update! Head on over to the Dashboard → Updates screen. Depending on what updates are available, you may see something like this.

The Updates screen is divided into 3 categories:

  1. Updates for WordPress itself
  2. Plugin Updates
  3. Theme Updates

You can select multiple plugins and themes to be updated at the same time, but you’ll need to update each category separately. Select the plugins you want to update, then click Update Plugins.

Once you do that, WordPress will begin working to update the selected items. It may take up to 5 minutes so please be patient. Once the update is complete you’ll see a screen like this:

Maintenance Mode

During an update, WordPress will enable a Maintenance mode. While Maintenance mode is active you’ll see the following screen if you navigate away from the Updates screen.

This is only visible for the duration of the update, which usually takes less than 5 minutes. However, it may also be visible to your website visitors, so updating your site during a low-traffic period may help avoid that.

Tips to ensure that updating goes smoothly

Don’t update more than 10 things at once. Your web server has a limited amount of CPU and memory resources. Long-running processes like a big bunch of updates may take more time and resources than your web server can handle.

Don’t navigate away from the Updates screen when updates are in progress. This serves a double function. First, you want to allow your website the time and resources to complete the update, so you’ll want to avoid loading other pages or saving settings during the update. Second, the update process relies on your browser to check in periodically to usher the process along.

Clear your website cache. Once the update process has completed, empty the website cache to ensure that your website’s visitors receive the updated version of your website too.

Conclusion & Checklist

Well done, you’ve successfully updated your website’s plugins. Don’t forget to update the themes and WordPress itself too.

We know that it’s a lot to digest, but trust us, after doing this several times it will become second nature and you will be undaunted by the process.

You might still be asking yourself:

If everything is working now, why should I update? Why can’t we just leave things the way they are?

That seems like a valid strategy. After all, if it’s not broke, why fix it? 

Unfortunately, that’s only true if nothing is broken. But in the world of software development, there are always bugs that slip through that the developer and the site owner are unaware of.

Hackers are constantly looking for these undiscovered bugs. If they find one, they can take advantage of it silently. Even when the website owner and plugin developer catch on, it will still take days or maybe weeks to patch the bug, so the attacker can still prey on your website while it’s vulnerable.

The situation described above is called a zero-day exploit. Do a quick Google search for ‘wordpress zero day’ and you’ll find many examples and previous instances. Learn more about zero-day attacks for WordPress

That means the best defense against hackers is still to patch any bugs in your plugins, and that means to update your plugins, themes and WordPress frequently.

Checklist for Updating WordPress

  • Check the WordPress Updates screen for available updates
  • Determine the type of update (major, minor or patch)
  • Decide what to do with major updates
  • If necessary, test updates on a staging site
  • Create a backup of your website
  • Update in small batches to avoid overwhelming the server
  • Clear your website cache
  • Repeat weekly