Do you upgrade all of your clients' sites every time a new version of WordPress comes out?
December 5th, 2009 by admin | Filed under Answers to Your Questions, WordPress Security.
Q: If you develop websites with WordPress for clients, what do you do about upgrading their sites? Do you upgrade all of your clients' sites every time a new version of WordPress comes out? Do you only upgrade when there's a security risk? Do you tell your clients before you start that you will be upgrading their sites periodically, and that there will be an additional charge each time you do it? Do you have a fixed price for upgrading, or do you charge by the hour? Sometimes it only takes a few minutes, but if a plugin doesn't work with the upgrade, yikes, it could take a long time.
On another note, if you have a client who wants a static site and they will not be updating the content very often, do you still develop their site in WordPress? It seems like there are fewer things to worry about with a straight HTML site, because you don't have to update the software or deal with security issues. Are there times when you think Dreamweaver (or another HTML editor) is more appropriate than WordPress?
Because of the security risks that come with PHP and MySQL, I think we need to explain to clients, before setting up their WordPress sites, that the WordPress application must be regularly updated. PHP risks are only going to increase over time, and the only way to protect websites is to keep up with the WordPress updates. The one-click update is great, but when 2.9 comes out there will be many plugins that won't work, and that is going to make updating a headache.
Here’s what I recommend:
1. Make sure the client understands the security risks of using a PHP web application.
Make sure YOU understand the security risks and how vulnerable PHP is to attack; its popularity in web applications makes it an increasingly attractive target. This applies to other CMSs too, Drupal and Joomla as well as proprietary ones. If a client's site gets hacked, the compromise goes unnoticed for a time, and the Google bots detect weird stuff coming out of the site (malicious code, etc.), then the site could be kicked off the search engine.
2. Make sure your client understands that in order to avoid having their site hacked, the WordPress version must be kept up to date.
This may take a few minutes once every 6 months, or a couple of hours if you're having to deal with plugin issues. You can put this in your contract with the client: you will perform necessary security updates, with an estimate of the number of hours (or minutes) each year based on the complexity of their site. All computer and website applications should be kept updated, and WordPress is no exception.
3. Choose your plugins wisely.
Try to write your own get_posts or WP_Query queries (see http://codex.wordpress.org/Template_Tags/get_posts and http://codex.wordpress.org/Function_Reference/WP_Query) rather than use plugins whose developers do not keep them up to date. Most of the more popular plugins are updated in anticipation of each new release of WordPress. Find plugin developers you can trust, and be sure to make a contribution to their plugins.
4. Be sure to include in the cost of site development implementing various “hardening” or security steps.
Please see Assessing the Security Risk of Using WordPress as a CMS for links to good articles on how to secure your WordPress install.
5. Understand the client’s needs.
Does the client need a CMS? Will creating a 4-page brochure site using Dreamweaver (and Contribute) meet their needs and goals in terms of interactivity, search engine optimization, ongoing updates, etc.? A site with more than 12-15 pages often becomes difficult to manage as flat files.
Having continually fresh content or being able to use various online marketing or e-commerce strategies necessitates having some sort of dynamic CMS. If the client just wants a blog but really doesn’t have the budget or desire to keep their WordPress version updated, perhaps WordPress.com or Blogger would be better solutions for them. The client’s needs and online business goals should drive their website solution. Assessing the overall cost benefit of any solution is important.
6. Backup before clicking that update button!
Back up the database and the contents of the wp-content folder, plus any other folders you may have created (such as an images folder in the root). You might also want to back up the entire FTP directory, just in case you need to revert to the older version of WordPress for some reason (such as an incompatible plugin that you need time to troubleshoot or substitute).
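A pre-update backup script along the lines of step 6, added here as an example and not part of the original post. It assumes a standard wp-config.php with define('DB_NAME', ...) style constants, and that mysqldump, tar, gzip and sha256sum are on PATH; the site path and backup directory are whatever you pass in.

```shell
#!/bin/sh
# Pre-update backup of a WordPress install (added example, not from the original post).
# Assumes: $site_root/wp-config.php holds the DB constants in define(...) lines, and that
# mysqldump, tar, gzip and sha256sum are installed. Usage: backup_site /var/www/site /backups [extra dirs...]
set -eu

# Read one constant out of wp-config.php, e.g. wp_config_value DB_NAME /var/www/site
# Handles single or double quotes and arbitrary spacing inside define(...).
wp_config_value() {
    key=$1
    site_root=$2
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$key['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" \
        "$site_root/wp-config.php" | head -n 1
}

# Name of one backup set: the site directory name plus a timestamp.
backup_label() {
    site_root=$1
    stamp=$2
    printf '%s-%s' "$(basename "$site_root")" "$stamp"
}

# Dump the database and archive wp-content (plus any extra folders you created, passed after
# the first two arguments) so the install can be rolled back if the update or a plugin misbehaves.
backup_site() {
    site_root=$1
    dest=$2
    shift 2
    label=$(backup_label "$site_root" "$(date +%Y%m%d-%H%M%S)")
    mkdir -p "$dest"
    db_name=$(wp_config_value DB_NAME "$site_root")
    db_user=$(wp_config_value DB_USER "$site_root")
    db_host=$(wp_config_value DB_HOST "$site_root")
    # The password also comes from wp-config.php; MYSQL_PWD keeps it out of the process list.
    MYSQL_PWD=$(wp_config_value DB_PASSWORD "$site_root") \
        mysqldump --single-transaction -h "$db_host" -u "$db_user" "$db_name" \
        | gzip > "$dest/$label-db.sql.gz"
    # wp-content holds themes, plugins and uploads; extra folders (e.g. images) are added as given.
    (cd "$site_root" && tar -czf "$dest/$label-files.tar.gz" wp-content "$@")
    # Record checksums so a restore can detect a damaged archive before anything is unpacked.
    (cd "$dest" && sha256sum "$label-db.sql.gz" "$label-files.tar.gz" > "$label.sha256")
    echo "$dest/$label"
}
```

Keep the backup directory outside the web root so the archives are not served to the public.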
I've been using WordPress for 2.5 years, and it wasn't until this past summer that I realized the extent of the security issues. In 2008, Joomla!, WordPress, and Drupal all made the top ten chart of known software vulnerabilities, mostly because of their growing popularity and the inherent vulnerability of PHP and MySQL. Hacks are more likely to increase than decrease, but the WordPress development teams seem to be quick to respond to known vulnerabilities with updates.
WordPress is very fun to work with, and it’s definitely a buzz kill to have to deal with security issues. But, as responsible “web developers,” we need to consider the risks and take the necessary precautions, including, YES — updating every time there is a security update.
Please let me know how you handle this with your clients by commenting below. Thanks!

Good points Wpgirl. For now, all the websites I have are my own, so I do update WP regularly (more than I update the sites themselves). But for some more static ones I am going to be doing for others, I might rethink and do those in Dreamweaver or something.