Nearly every WordPress website that is not updated will be hacked sooner or later. Hackers write scripts that search the internet for vulnerabilities in WordPress plugins and themes. As soon as a plugin vulnerability is known, hackers can automatically scan WordPress websites to see if the relevant plugin is being used. For this reason, we sincerely recommend you update your website regularly. You can outsource this WordPress maintenance (Dutch link) to WpUpgraders, but you can also do it yourself. In this article we’ll give tips that both inexperienced administrators and professionals can use to keep a WordPress website up to date.
A number of links in this article are embedded with affiliate code.
Tips for inexperienced website administrators
Conquer your fear
Many WordPress website administrators are afraid to update their websites. They are afraid of potential consequences, like a plugin that stops working or layout changes in a theme. But all we can do is advise you to get over your fear and update anyway. The consequences of a potential hack are much greater than the consequences of the update.
Keep your website simple
An important tip is to keep your website simple. A simple website is simple to update. Complex websites are more difficult to update.
- Limit the number of plugins; each extra plugin you install brings extra risk. We don’t limit the number of plugins that we use when developing a website, but we know where the risks lie and we are the ones responsible for the updates. If you are not experienced, it’s better to use a limited number of plugins.
- Avoid complex plugins like multilingual plugins (like WPML), e-commerce (like WooCommerce) and layout editors (like Visual Composer).
- Avoid multi-purpose themes. We often use Enfold. This multi-purpose theme is technically solid. Even so, we have to pay close attention when updating. We are not as pleased with other multi-purpose themes, like Jupiter: a good-looking theme, but it’s a hassle to update.
- When purchasing plugins and themes, check to see if they can be updated automatically, so that you avoid having to do updates at FTP level.
- Want to make changes in the code of your theme? Use a child theme; this way you can update the main theme yourself. Read here to learn how to make a child theme.
Remove unused plugins and themes
During the development of a website, various plugins and themes are often tested. Some of them don’t end up being used, but can make your website vulnerable to being hacked. Remove these plugins and themes so that they don’t have to be updated.
It’s best if you can update as soon as an update is released, but this might not be doable. Small websites can be updated periodically, once or twice a month, for example. Set a reminder in your agenda to update every first Monday of the month.
Backup before you update
Always make a backup before you update. If the update happens to cause problems, you can always go back to the situation before the update. Many hosting providers make automatic backups. Or you have an admin panel (cPanel, DirectAdmin) you can use to make a backup yourself. You can also make a backup from the WordPress admin using a plugin. We like to use UpdraftPlus, a premium plugin with a good basic version. Alternatives are BackWPup, BackupBuddy or VaultPress.
Update WordPress first and then plugins/theme
First update the core of WordPress and then your plugins and theme.
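The order described above (backup, then core, then plugins and theme) can be scripted. This is an added example, not part of the original article; it assumes WP-CLI (`wp`) is installed on the server, and the function name `safe_update` and the paths passed to it are hypothetical.

```shell
#!/bin/sh
# Added example: back up, update core, then plugins and themes, in that
# order, stopping at the first step that fails.
# Assumption: WP-CLI is installed; override WP to point at its location.
WP=${WP:-wp}

# safe_update WP_ROOT BACKUP_DIR
# Return codes: 0 ok, 1 backup failed, 2 core update failed,
#               3 plugin/theme update failed.
safe_update() {
    root=$1
    backup_dir=$2
    stamp=$(date +%Y%m%d-%H%M%S)

    mkdir -p "$backup_dir" || return 1

    # 1. Backup first: database dump plus the wp-content tree
    #    (plugins, themes, uploads). Nothing is updated if this fails.
    "$WP" --path="$root" db export "$backup_dir/db-$stamp.sql" || return 1
    tar -czf "$backup_dir/wp-content-$stamp.tar.gz" -C "$root" wp-content || return 1

    # 2. WordPress core, followed by its database upgrade routine.
    "$WP" --path="$root" core update || return 2
    "$WP" --path="$root" core update-db || return 2

    # 3. Plugins and themes only after core is current.
    "$WP" --path="$root" plugin update --all || return 3
    "$WP" --path="$root" theme update --all || return 3
}

# Usage (hypothetical paths):
#   safe_update /var/www/example /var/backups/example
```

The return code tells you which stage failed, so you know whether the site is untouched (1) or needs the backup restored (2 or 3).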
Updates in your e-mailbox
When you are logged in to the back end of WordPress you will see notifications in the left-hand menu when there are updates available. Many people forget to update because they don’t update their website when it gets busy. You can remind yourself, for example with the plugin WP Updates Notifier, which sends you an e-mail when new versions of WordPress, plugins or themes are available.
Is updating just not your thing? Outsource your web maintenance. Or choose a website via WordPress.com instead of a WordPress installation on your own server. WordPress.com is Software-as-a-Service (SaaS). Your website will be hosted on the Automattic servers (the company behind WordPress). They will make sure your website is up to date. WordPress.com gives you less freedom compared to your own WordPress version of WordPress.org. However, you don’t have to worry about safety and speed. And it is relatively cheap.
Tips for professionals
Make an inventory of risky plugins
There are plugins that cause little harm when updating. Take, for example, a plugin that adds a small functionality to the media library. Which plugins generally don’t give any update problems?
- Statistics/Google Analytics plugins;
- SEO plugins;
- Backup plugins;
- Database optimization plugins (Note: we are talking about updating the plugin, not the optimization);
- Media library plugins;
- Security plugins;
- Admin plugins, that add extra functions to the WordPress back end;
- RSS-feed plugins;
- Development plugins.
Other types of plugins bring more risks.
- E-commerce plugins like WooCommerce and add-ons;
- Multilingual plugins like WPML;
- Layout editor/Page builder plugins like Visual Composer;
- Shortcode plugins;
- Slider plugins;
- Image presentation plugins;
- Contact form plugins;
- Event calendar plugins;
- Pop-up and lead generation plugins.
Check the plugin change log to inventory any risks that may be expected.
Update premium plugins and themes
Most WordPress plugins can be automatically updated from the WordPress plugin repository. For plugins and themes you have purchased it doesn’t work like this unfortunately. You don’t always get a notification when an update is available. And you can only update the plugin or theme by overwriting the files on FTP level. Updating premium plugins is more complicated. Unfortunately we don’t have any standard solutions to this problem.
Use admin tools
Do you manage multiple websites? Use an admin tool like ManageWP, MainWP, WP Remote or InfiniteWP. We use this last tool. An admin tool gives you an overview of which websites need updating. You can also perform updates directly from the tool.
Don’t forget to test after you have updated the website. The most important thing to test is the functionality of the front end. You will find any potential problems in the back-end when managing the website. What is the best way to test?
- Check the homepage and a few other pages;
- Fill in a form and/or other calls to action;
- Check to see that the multilingual function is working;
- Check extra moving elements like sliders, pop-ups, cookie bar;
- Test the search function;
- Test any API links. For example MailChimp or CreateSend.
Use a staging environment
Want to really update safely? Use a staging environment. You perform the update in the staging environment and, after testing, overwrite the live environment with the staging environment. It takes more time, but prevents users from coming across any problems the update may have caused. How do you use a staging environment?
- Hosting providers. We usually use a staging environment provided via the hosting provider. WP Engine, one of our hosting partners, has great facilities.
- Plugins. Work with a staging environment via the free plugin WP Staging or the paid plugins WP Stagecoach and RAMP.
- Software. Develop and push changes via DesktopServer, a program on your own computer.
There are plugins available that will help you update your WordPress website.
- WP Update Settings: use this plugin to change settings that pertain to the update process via the back end of WordPress.
- Automatic Plugin Updates: plugin for automatic updates.
- Plugin Vulnerabilities: plugin lets you know when vulnerabilities have been found in the plugins that are used on the website.
- Plugin Security Scanner: plugin e-mails the website administrator if any vulnerabilities are found in the plugins that are present.
- WP-UserOnline: plugin shows how many users are active on your website. Wait to update until there are almost no visitors at the website.
What to do when it goes wrong?
- During the update WordPress switches to maintenance mode. The website is not accessible while updates are being made. Usually for no more than a minute. Does the website get stuck in maintenance mode while updating? No problem. Wait ten minutes, the maintenance mode overrides itself. Or go to the server via FTP and remove the .maintenance file from the root.
- Restore your backup and update themes and plugins one by one so that you know which update causes the problem.
- Google the problem and see if the solution is known.
- Get in touch with the theme or plugin builder and ask if there is a solution to the problem.
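For the stuck maintenance mode case in the list above, the following added example (not part of the original article) removes the `.maintenance` file only when it is older than the ten minutes mentioned there. It assumes the file has the content WordPress core writes during an update, a line such as `<?php $upgrading = 1700000000; ?>`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: clear a stuck WordPress maintenance flag only when stale.
# Assumption: .maintenance contains the line core writes during an update,
# e.g.  <?php $upgrading = 1700000000; ?>  (a Unix timestamp).

STALE_AFTER=600   # ten minutes, the wait the article describes

# maintenance_state WP_ROOT [NOW]
# Prints one of: none | active | stale | unreadable
maintenance_state() {
    root=$1
    now=${2:-$(date +%s)}
    file="$root/.maintenance"

    [ -f "$file" ] || { echo none; return 0; }

    # Pull the timestamp assigned to $upgrading out of the PHP one-liner.
    started=$(sed -n 's/.*\$upgrading *= *\([0-9][0-9]*\).*/\1/p' "$file" | head -n 1)
    [ -n "$started" ] || { echo unreadable; return 0; }

    if [ $((now - started)) -ge "$STALE_AFTER" ]; then
        echo stale
    else
        echo active
    fi
}

# clear_stale_maintenance WP_ROOT [NOW]
# Deletes the flag only when it is stale. A fresh flag means an update may
# still be running; removing it would show visitors a half-updated site.
clear_stale_maintenance() {
    state=$(maintenance_state "$1" "$2")
    case $state in
        stale)
            rm -f "$1/.maintenance" ;;
        unreadable)
            echo "unexpected .maintenance content, inspect by hand" >&2
            return 2 ;;
    esac
    echo "$state"
}

# Usage (hypothetical path):
#   clear_stale_maintenance /var/www/example
```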