WordPress is a great CMS for many organizations and, with a little maintenance, you can be confident your information is staying secure. However, many people ignore a critical portion of staying secure – managing regular WordPress and Plugin updates.
Much like your car has recommended maintenance to stay running, safe, and reliable, like regular oil changes, 10,000-mile check-ins with your mechanic, and looks under your hood, so does any CMS running your website.
So, what’s the recommended maintenance for your WordPress site? While the process will always vary a bit depending upon your setup, there are a few general paths to take, each with its own pros and cons:
- Reliable backups are your site’s best friend! The first step should always be to have a strong backup system in place before any automatic or manual updates are completed for the WordPress core files and site plugins
- While WordPress and plugin developers continue to get better about avoiding site-breaking bugs, there’s always the potential for something to go wrong on your site after updating, as your unique setup may run into issues plugin and core developers could not account for, or haven’t seen yet, to troubleshoot.
- The WordPress core version can be set to automatically update to either the latest major release (i.e. 6.0 from 5.9) or to only minor releases (i.e. 5.9 to 5.9.1 to 5.9.4, etc.)
- Given the more complex changes in major releases, auto-updating here can sometimes be more problematic and more likely to cause issues on your site than minor releases
- Minor releases generally do not contain new functionalities, as they’re most often focused on security updates and vulnerability fixes
- For this reason, it is highly recommended to at least auto-update to the latest minor release for your current version
- This WP core auto-update should be set on your site by default but is also fairly easy to re-enable if needed, barring any unique server limitations
- As long as your site is on version 5.5+ of WordPress, you can automate both WordPress and plugin updates
- It’s important to be notified as these auto-updates happen so that the site can be QA’d for any obvious issues before potential issues would affect too many users. Key functionalities being broken and major styling issues being introduced are particularly important to catch quickly.
- If you don’t have a WordPress developer on staff, having a development team resource to turn to when issues arise is critical. Maintaining an ongoing relationship is ideal, as the better a development team knows your code, the faster they can fix any problems, saving you money in both support hours and website downtime.
- Alternately, you can regularly update the WordPress core and/or plugins on the site manually, for more control over the process and QA testing
- Backups, as always, are critical before running any updates
- You’ll want to manually check your plugins every 1-2 weeks, particularly watching for security or vulnerability fix updates
- For additional security, having a security plugin or functionality that regularly checks for site and plugin vulnerabilities is also extremely helpful. For instance, the free version of iThemes Security will scan your site for vulnerabilities every 12 hours and notify you immediately about any critical updates needed
- With manual updates, you also have the flexibility to clone the current site to a staging server and test updates before making them to your live site. While this adds development time and requires a detail-oriented approach, it also reduces the risk of bugs being presented to your users, as you’re able to catch most, if not all, ahead of time.
- The manual approach can only work with diligence from your developers or development support team. Without auto-updates, your site is opened up to security vulnerabilities if the manual updates are de-prioritized for any reason.
- If your site is on WordPress version 5.4 or below, only WordPress core updates can be automated. Plugin updates have to be run manually.
- See the notes about manual updates and what that entails above
- Updating to WordPress 5.5+ will add the plugin auto-updating functionality, along with numerous feature enhancements
- With a bit of love from your developers or development support team, there is likely no reason your current site cannot be updated to the latest major version. Ideally, this is a process you will want to test on a staging server first, as there are likely to be at least a few bugs to work through after your updates.
While WordPress is a fantastic platform that is constantly evolving and adding great new functionalities, every CMS platform must be properly maintained in order to stay secure. Bad actors on the web are evolving every day, too, and code needs to be updated to seal any cracks as they are found.
Staying up-to-date is, of course, just part of the security puzzle. The right security settings on a server level and a WordPress security plugin, such as iThemes or Wordfence Security, are also critical to protecting your site.
While it may seem daunting at first, with the right approach and proper attention from your developers or your development support team, you can stay confident that your site, your business, and your user’s data are always staying as safe as possible.