Updating WordPress Plugins and Themes Safely

How often do you need to update WordPress core, themes, and plugins?

All the time! The longer you wait to update, the harder it will be. Some updates build on previous updates. Changes might be made to templates and how data is stored in the database that are more easily managed in increments. Also, more importantly, updates can be critical for security. So waiting even a few days to perform a critical security update can put your site at risk. When a security vulnerability is discovered, the details of the exploitable code are published on the Internet. Hackers can immediately write bots to automatically crawl the web and exploit these vulnerabilities.

Outdated themes, plugins, and WordPress versions are the number one way hackers gain access to your site (besides brute force hacks of your login). Even deactivated themes and plugins can leave your system vulnerable. Following are best practices for keeping your site up to date.

Many people offer maintenance plans to help you stay up to date. The problem with some of these plans is that they offer weekly, monthly, or quarterly updates. That approach does not work due to the need for timely updates in the face of a security vulnerability. Those updates need to happen ASAP, not on a pre-determined schedule.

View Slideshare Presentation on How to Update WordPress Safely

Table of Contents

  1. Using a WordPress management plugin or software to do updates
  2. Which WordPress themes and plugins are safe to auto update
  3. Backing up your site before updating
  4. Creating a staging environment to test updates
  5. Updating plugins tips
  6. Updating themes tips
  7. Updating WordPress core
  8. Restoring WordPress Theme or Plugin Files
  9. What happens if an update breaks your site?

Using a WordPress management plugin or software to do updates

If you don’t want to worry about logging into your site constantly to perform updates, you can use one of these tools to automate tasks on your site or multiple sites: http://askwpgirl.com/wordpress-management-plugins/.

With each of these tools, you can select which plugins and themes are “safe” to auto update and which plugins or themes you should pay attention to and manually update.

Which WordPress themes and plugins are safe to auto update

Typically, plugins that run purely in the Dashboard with no front-end interface will be safe to automatically update, including:

  • SEO
  • Analytics
  • Admin tools such as duplicate post or columns
  • Broken link checkers
  • 301 redirect
  • Most form plugins
  • RSS feed
  • Jetpack
  • Database optimization
  • Backups
  • Other monitoring plugins
  • Image compression
  • Security
  • Patches and fixes to the plugins listed below
  • Patches to themes
  • Updates to the TwentySomething themes
  • Genesis parent theme

Plugins that have a front-facing interface that you should update manually and then check the site carefully (or update on a staging environment to test first) include:

  • E-commerce (e.g. WooCommerce)
  • Multi-language (e.g. WPML)
  • Complex forms
  • Events calendars
  • Registration
  • Popups and lead generators
  • Galleries and media
  • Upgrades to any premium theme

Backing up WordPress before upgrading

Be sure you have a recent, good backup of your site you can use to restore from if an update or upgrade goes horribly wrong. Read this post on how to back up your files and database. Create both a FULL SITE (aka Complete) BACKUP as well as a DATABASE ONLY backup. Download both of these backups to your local computer.

  • BackWPUp – Free plugin, lots of options for scheduling and sending to remote location.
  • Duplicator – Pro version can be used for scheduling backups. Free version for duplicating the site quickly. Great for migrations.
  • BackupBuddy – Paid plugin. Great for scheduling and migrations.
  • UpDraftPlus – Similar to BackWPUp and BackupBuddy and fast becoming the more popular of the three. It has free and paid remote backup storage options.
  • VaultPress – An ideal backup service as you can restore to the previous day (or recent on-demand backup) with one-click. This allows you to be more bold with your upgrades. If something doesn’t work, you can quickly restore the backup. There is no need to set up schedules as VaultPress automatically backs up your site daily for 30 days.
  • WorpDrive – If you are managing multiple sites, then WorpDrive is going to be more cost-effective than VaultPress and works similarly. You enter your FTP credentials and let it run automatically. You can test your backups to make sure they are working properly in their interface as well as use their one-click restore feature.

Important: Keep backups to a reasonable size! Exclude large files and uploads folders.

Testing WordPress Theme and Plugin Updates and Upgrades Locally or in a Staging Environment

There are many ways you can create a staging environment for your site to test updates without affecting the live site:

Creating a WordPress staging site using a localhost such as DesktopServer – $99.95

Ideally, you should keep a perpetual locally hosted copy of the websites you maintain. You can run all updates on the local site first then push the updates to the live server (using Git) or repeat the process on the live server. This helps avoid surprises on update. The only variations between your locally hosted WordPress and the server are the PHP and MySQL versions. To better match your local environment to the live, hosted environment, many developers use Vagrants — virtual development environments.

I personally use DesktopServer. It costs $99.95 (or $79.95 if you use my short-time discount code of Winter2016). With DesktopServer, you can quickly create a local replica of your hosted site, test your updates, make note of or fix issues, then repeat the process on your live site. To do this, you simply need to make a backup Zip of your site using one of the above WordPress backup plugins. Be sure to exclude any large directories, because you really don’t need every single uploaded media file to test an update. Download this zip file, and import it into DesktopServer. Badabing badaboom, you have a local version of the site and can break it at will.

Creating a WordPress staging site using WP Staging plugin – $0

You can use WP Staging plugin to create a clone of your site in a subdirectory of your current hosting account. This plugin works on non-managed WordPress hosts, such as standard shared hosting at Host Gator or Blue Host.

  1. Install the plugin, select which items to clone.
  2. The cloned site will be installed in a subdirectory of your current site. Login to the cloned site.
  3. Customize theme, update plugins, etc. Test everything!
  4. Is it running as expected? You are safe to migrate all these modifications to your production site.

Use a managed WordPress host for easy access to a staging environment

More and more, I am recommending hosts like WP Engine, Get Flywheel, and SiteGround because of their good performance, security, backups, and one-click staging environments. Pretty soon, all of these things add up, and the cost of setting these things up manually versus taking advantage of the service makes more sense.

WP Engine Staging Area
SiteGround Staging Area Tutorial

Creating a WordPress staging environment using WP Stagecoach – $4/month/site

  • Create a staging copy of your live site with one click.
  • Copy changes from your staging site back to your live site.
  • Choose which changes to import. You can import some or all of your file changes, and/or your database changes.


Updating WordPress plugins

  • Replace abandoned plugins. Check the last update date of your plugins on WordPress.org (or wherever you purchased the plugin). If a plugin has not been updated in the past six months, investigate its viability. If it seems like support is no longer being offered, it might be time to find a newer plugin that is being better maintained. If the plugin has not been updated in two years or longer, then it’s really time to find an alternative. Using outdated plugins that are no longer maintained leaves your website vulnerable to either breaking or being hacked.
  • Update WordPress plugins regularly. Plugins need to be updated as soon as updates are available, particularly patches to plugins which are bug and security fixes. You may want to hold off on major upgrades to plugins and read the changelog on WordPress.org or the plugin’s website to be sure that the upgrade won’t break something on your site. Sometimes plugin upgrades are so big that you will need to recreate any customized template files or stylesheets or re-enter data. The changelog should contain this type of detail.
  • Update WordPress plugins first. If you are doing a major upgrade to your plugins and WordPress, you should update the plugins first and test them one at a time. After upgrading WordPress, you may be prompted to update the plugins again to be compatible with the latest version of WordPress. If a plugin goes with a theme, you may need to update the theme for the new plugin to work properly.

WordPress Plugin (and Theme) Version Guide

Here is a general guide to help you distinguish between updates, which usually won’t break your site, and upgrades, which can have some major consequences.

Reading changelogs

Changelogs will clue you into whether a major update has been made or simply minor bug or admin interface fixes as in these two examples:

Standard software versioning

Every developer uses a different numbering system, so this is not a foolproof guide, but it can help inform you of major revisions you should approach with caution. The only way to truly know what has changed with the plugin or theme is to read the changelog.

2.0 – This is a major version upgrade from 1.0 and will likely be entirely different from the original plugin. Back up, read the documentation, and upgrade with caution and spare time on your hands.

2.1 – This is an update to the major version. May contain features that affect the way the plugin works on the site.

2.1.1 – This is a patch and is safe to update without reading the changelog, though it might be helpful to find out what was fixed.

The example below is from the very popular NextGEN Gallery changelog:

1.9.12 – Bug fix

1.9.13 – Bug fix, security fix, styling fix

2.0 – All new interface, a few changes, a few fixes. This upgrade broke compatibility with many third-party plugins, and completely changed how the NextGEN plugin functioned, too. There were many bugs in this release, so people waited to upgrade or rolled back to the 1.9.13 version.

2.0.7 – Many bug fixes. If you were already at 2.0, then this update would be something you would want to do right away to fix problems.

2.0.66 – Over the course of the next ten months, many bug fixes were released until this version was achieved.

2.0.66.33 – Note the addition of the fourth set of digits. This might be because if they kept bug fixing 2.0, then they were going to run out of digits in the third place! Again, it represents bug fixes and should be done right away.
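The version guide above, combined with the earlier lists of plugins that are and are not safe to auto update, as an added example (not code from the original post): a Python script that classifies each pending update as major, minor, or patch and suggests how to handle it. It assumes input shaped like the JSON printed by WP-CLI's `wp plugin list --update=available --fields=name,version,update_version --format=json`; the plugin names, the `FRONT_FACING` set, and the action labels are constructed for illustration, and the changelog remains the final authority.

```python
import json
import re

# Constructed sample in the shape WP-CLI prints for pending plugin updates.
# Plugin names and version numbers are made up for illustration.
SAMPLE_WP_CLI_JSON = """
[
  {"name": "example-seo",      "version": "3.4.1",  "update_version": "3.4.2"},
  {"name": "example-shop",     "version": "2.6.14", "update_version": "3.0.0"},
  {"name": "example-gallery",  "version": "2.0.66", "update_version": "2.0.66.33"},
  {"name": "example-calendar", "version": "4.1",    "update_version": "4.2"},
  {"name": "example-backup",   "version": "1.9.13", "update_version": "2.0"}
]
"""

# Hypothetical per-site list: plugins with a front-facing interface
# (e-commerce, galleries, events calendars, ...) that need a manual check.
FRONT_FACING = {"example-shop", "example-gallery", "example-calendar"}


def parse_version(text):
    """Turn '2.0.66.33' into (2, 0, 66, 33); a suffix such as '-beta1' is ignored."""
    parts = []
    for piece in text.strip().lstrip("vV").split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(parts)


def classify_jump(installed, available):
    """Return 'major', 'minor', 'patch', or 'none' (same version or a downgrade)."""
    old, new = parse_version(installed), parse_version(available)
    width = max(len(old), len(new))
    old += (0,) * (width - len(old))   # '2.0' compares as '2.0.0'
    new += (0,) * (width - len(new))
    if new <= old:
        return "none"
    if new[0] != old[0]:
        return "major"
    if new[1] != old[1]:
        return "minor"
    return "patch"                      # third or fourth set of digits changed


def triage(plugin, front_facing=FRONT_FACING):
    """Map one pending update to (jump, suggested action)."""
    jump = classify_jump(plugin["version"], plugin["update_version"])
    if jump == "none":
        action = "skip"
    elif jump == "patch":
        action = "auto-update"          # patches are safe even for front-facing plugins
    elif plugin["name"] in front_facing:
        action = "test-on-staging"
    elif jump == "major":
        action = "read-changelog-then-update"
    else:
        action = "auto-update"          # minor update to a dashboard-only plugin
    return jump, action


def triage_report(wp_cli_json, front_facing=FRONT_FACING):
    """Triage every plugin in a WP-CLI style JSON list."""
    return {p["name"]: triage(p, front_facing) for p in json.loads(wp_cli_json)}


if __name__ == "__main__":
    for name, (jump, action) in triage_report(SAMPLE_WP_CLI_JSON).items():
        print(f"{name:18} {jump:6} {action}")
```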

Updating premium plugins

  • Always enter license key for premium plugins. See Envato plugin example below.
  • Purchase premium plugins even if bundled with theme. Theme developers may be slow to update their bundled plugins.

Plugin Template/Style Updates

  • If a plugin uses customizable templates (e.g. WooCommerce, NextGEN Gallery, The Events Calendar), compare your child theme templates to the updated plugin templates.
  • Plugin may have moved, deleted, or renamed the stylesheets and templates you have mirrored in your child theme.

Updating WordPress themes

Updating themes can be a little tricky because updating will overwrite any customizations you’ve made to the theme’s files (if the changes were not made in a child theme), and can overwrite the theme options you’ve set, too.

Here are some things to keep in mind:

  • If you modified core theme files (in other words, you did not use a child theme), then you will need to compare any changes you’ve made to the files to the updated theme and make those changes on the new theme. This could involve some time.
  • If you worked with a child theme, then you can probably update the parent theme without too much worry. However, you might need to compare any modified template files to the new parent theme’s template files to make sure your modified templates have compatible HTML. You may need to recreate your custom template files.
  • Since the new theme might have new HTML IDs and Classes, your stylesheet changes may not be applied. (See “What to do if a WordPress plugin or theme upgrade breaks your site” below.)
  • As with plugins, if the theme update is a “patch” (and you use a child theme), then you can update without worrying. If your theme contains major changes, plan on setting aside up to a day to upgrade! How much time this will take depends on: how major the upgrade, how old the original theme was, and how many customizations were made to the theme or child theme.
  • Old themes can cause problems with new plugins you want to use or may stop functioning correctly with the latest version of WordPress. This is why you need to update even if it’s a pain in the butt.

With very static HTML/CSS themes that don’t use any Javascript, you will likely never have to worry about “updating” the theme as there is unlikely to be anything in need of updating except perhaps some deprecated WordPress functions. But, if your theme is that old, your site is probably pretty boring, and you might want to change themes to not look dated.

Like cars, the latest and greatest WordPress themes have a lot more bells and whistles and are more time consuming to update. Current WordPress themes have a lot more moving parts and features that are all integrated together. They are more robust and interesting and will do everything but wash your dishes, but they do require upkeep which is time consuming if code has changed radically from one version to the next.

Updating WordPress core files

Some versions of WordPress will conflict with your outdated themes or plugins. Like themes and plugins, do not hesitate to click the Update button for patches, e.g. 4.0 to 4.0.1. With major updates, e.g. 4.0 to 4.1, you will want to make sure that your current plugins and themes are compatible. Testing the update in a local copy of the site is a good idea. I didn’t have issues with updating any sites from 3.9.2 to 4.0 except one site running the WordPress Multilingual (WPML) plugin. Many people had issues with updating the WPML plugin. And, during the update process, I realized I had other issues on the site. For one, I also needed to update my theme! So, I backed everything up, did all the updates locally, cleared up any problems, then copied the site back up to the live site.

I usually check my plugins on WordPress.org or the plugin forums to make sure the plugin is current with the latest version of WordPress. If the WordPress upgrade contains an update to the jQuery library, the update may conflict with the jQuery library used with your plugins or theme. This will cause some jQuery functionality, like perhaps your theme’s slider or Ajax content editor, to no longer function correctly. Updating the theme along with WordPress is mandatory then.

Restoring WordPress Theme or Plugin Files

If an update to a plugin or theme goes horribly wrong, you can simply replace those theme or plugin files with the backup you made above. If you are using a backup plugin, you can unzip your full backup and then FTP the old version of the theme or plugin to the wp-content > themes or plugins folder and overwrite the new version of the theme or plugin with the backup.

Restoring an older version of a WordPress plugin from WordPress.org

If the upgrade issue was related to a plugin on WordPress.org, you can re-install the older version of a plugin easily without needing to go to your backups:

  1. Find the plugin on WordPress.org.
  2. Click the Developers tab.
  3. Download the older version of the plugin from the Other Versions list.
  4. De-activate and delete the new version of the plugin in the Plugins list in your WordPress dashboard.
  5. Click Add New plugin and upload the older version and activate it. If changes weren’t made to the database, this should work fine to restore your site to what it was before you upgraded the plugin.

Restoring the WordPress database

If you are not using VaultPress or don’t have access to a one-click restore of your site, you may have to restore both your files (via FTP) as well as your database manually. These instructions are a bit long, and I usually restore databases a bit more cavalierly. However, since I’m giving advice to you and not sure of your skill level, I want to make sure you don’t inadvertently delete the wrong database.

First, you will need to download the backup of your database you created before you upgraded. If you are using a backup plugin, unzip the database backup you created. You should see a file that ends with .sql.

  1. Login to your web hosting control panel.
  2. Go to the MySQL database wizard.
  3. Follow the steps to create a new database, user, and password. Take note of the database name, database username, and database password. Be sure to give the new user All Privileges.
  4. Click phpMyAdmin in your web hosting control panel.
  5. You may need the database username and password created in step 3 to login.
  6. Click the database name on the left side of the phpMyAdmin window.
  7. In the Structure tab, you should see “No tables found in database.”
  8. Across the top of the screen will be a row of tabs. Click the Import tab.
  9. On the next screen click the Browse button next to the file to use field.
  10. Click Browse. Locate the backup file stored on your computer.
  11. Make sure SQL is selected in the Format drop-down menu.
  12. Click the Go button. The database tables will be imported.
  13. Login to your site via FTP or your web host’s control panel File Manager.
  14. Make a copy of your wp-config.php file.
  15. Edit the original wp-config.php file to contain the database name, username, and password created in step 3.
  16. The old database is now restored.

Note: If you use BackupBuddy, you can use the importbuddy.php script to restore the database and overwrite the old database tables instead of creating a new database.

What to do if a WordPress plugin or theme upgrade breaks your site

First, you might want to restore the site from a backup if you broke the live site. If you are working in a staging environment, you can use the following tips to troubleshoot the site and move forward:

1 – Read the documentation, change log, and support forums

If other people are experiencing the same problems, there’s a good chance the fix (or at least an ongoing discussion) is waiting for you there.

2 – Re-save options and use correct shortcode

If a slider or other plugin feature doesn’t load properly after upgrading, you may need to click SAVE CHANGES or UPDATE to get the slider or feature to re-connect to the page or layout. Be sure all the images or other settings are the same as you had on the old version. Sometimes major updates have such big changes you need to re-choose all your options. With some updates, you just need to click a button to Save the options to get them to work again.

Some plugin or theme shortcodes may have changed, so you need to read the documentation and use the correct shortcodes.

3 – Clear your site cache and browser cache

Your site might look broken after an update/upgrade, but it might be because various cached files are interfering with the proper loading of the site. Conflicting cached files can cause all kinds of erratic behavior. Login to your WordPress Dashboard and delete any cached files in your caching plugin and then delete all the cached files in your browser. Try viewing the site from or logging in via a different browser.

4 – Troubleshoot style issues after upgrading WordPress theme or plugin

CSS style modifications may not be applied to your new theme or plugin for a variety of reasons:

  • The HTML has changed. If the HTML IDs or Classes have changed, then the CSS used with the old theme and plugin will be ignored. To fix this, use Firebug or the Inspect Element feature in Chrome or Safari to identify the correct CSS selector and modify the selectors in your child theme’s stylesheet as needed.
  • The styles were overwritten. When you updated your theme or plugin, there may have been a stylesheet or styles included in the theme or plugin that got overwritten. I noticed this with major updates to the Revolution Slider. To resolve this issue, copy the styles or stylesheet to the appropriate location. This may be in the theme or plugin options or in the FTP directory. Comparing the old site to the new site will help you figure out where this needs to go.
  • The location for styles moved. As with updates to The Events Calendar and NextGEN Gallery, the location for your custom stylesheet may have changed. Read the plugin documentation for information on where the new stylesheet should be located in your FTP directory.

5 – If your WordPress breaks (doesn’t load) after upgrading:

You can identify PHP errors or Javascript/jQuery conflicts between your theme, theme plugins, and other plugins using these steps. The purpose of these steps is to eliminate as many variables as possible and then isolate the issue. You should only do this in a staging environment to avoid your live site going down during the process.

  1. Login to your site via FTP or the web host’s File Manager.
  2. Rename the plugins folder to plugins-old.
  3. Move your active theme out of the themes folder and leave it loose in the wp-content folder.
  4. Login to your WordPress Dashboard and activate one of the default TwentySomething themes.
  5. Visit the plugins page. All the plugins should now be de-activated.
  6. Check your site. It will probably be fine now except it will look like hell because you aren’t using your theme.
  7. Go back into FTP or the File Manager and rename your plugins-old folder back to plugins and move your theme back into the themes folder.
  8. Edit your wp-config.php file in the public_html (or WordPress install directory) and change the line define('WP_DEBUG', false); to define('WP_DEBUG', true);
  9. Activate your original theme.
  10. Check your site. Take note of any errors.
  11. If the theme is dependent on any installed plugins, be sure those plugins have been updated as necessary and activate those.
  12. Check your site and take note of any errors.
  13. Check the theme or plugin’s support forums for information about how to resolve any errors. Some errors reported when the debug is turned on are not critical, though one would hope developers would pay attention to them. Unfortunately, many premium theme developers are apathetic and don’t keep up on maintaining their themes or plugins properly.
  14. If there are no errors with your theme or its required plugins, activate the other plugins one at a time, and take note of any errors. Check the support forums for known issues.
  15. Edit your wp-config.php file in the public_html (or WordPress install directory) and change the line define('WP_DEBUG', true); to define('WP_DEBUG', false);

By eliminating variables (such as removing all the plugins and themes) and turning on the debug feature, you can narrow down the source of the problem. You may not be able to solve the problem, but hopefully, you will have narrowed down the source of the issues.
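A check for steps 8 and 15 above, as an added example (not code from the original post): a Python function that reads the text of a wp-config.php file and reports whether debugging was left on for a live site, whether a define line was pasted with typographic quotes, and whether a value was written as a quoted string instead of a bare true/false. The sample configs are constructed; WP_DEBUG_DISPLAY is the standard WordPress constant that controls whether errors are printed into pages, and multi-line /* ... */ comments are not handled.

```python
import re

QUOTES = "'\"‘’“”"  # straight quotes plus the typographic ones web pages substitute
DEFINE_RE = re.compile(
    r"^[ \t]*define\s*\(\s*(?P<q>[" + QUOTES + r"])"
    r"(?P<name>WP_DEBUG(?:_DISPLAY|_LOG)?)[" + QUOTES + r"]"
    r"\s*,\s*(?P<value>[^)]*?)\s*\)\s*;",
    re.MULTILINE,
)

# Constructed wp-config.php fragments for illustration.
LEFT_ON = """<?php
define('DB_NAME', 'example_db');
define('WP_DEBUG', true);
"""
CLEAN = """<?php
// define('WP_DEBUG', true);
define( 'WP_DEBUG', false );
"""
PASTED = """<?php
define(‘WP_DEBUG’, false);
define('WP_DEBUG_DISPLAY', 'false');
"""


def read_debug_settings(config_text):
    """Return ({constant: value as written}, [constants defined with curly quotes])."""
    settings, curly = {}, []
    for match in DEFINE_RE.finditer(config_text):
        if match.group("q") in "‘’“”":
            # PHP does not treat typographic quotes as string delimiters,
            # so this line does not set the constant it appears to set.
            curly.append(match.group("name"))
            continue
        settings[match.group("name")] = match.group("value").lower()
    return settings, curly


def audit_wp_config(config_text, environment):
    """List problems with the debug settings; environment is 'live' or 'staging'."""
    settings, curly = read_debug_settings(config_text)
    findings = [
        f"{name}: typographic quotes, PHP will not read this line as intended"
        for name in curly
    ]
    for name, value in settings.items():
        if value not in ("true", "false"):
            # A quoted 'false' is a non-empty string, which PHP treats as true.
            findings.append(f"{name}: value {value} is not a bare true/false")
    # Conservative: anything other than a bare false counts as debugging on.
    debug_on = settings.get("WP_DEBUG", "false") != "false"
    if environment == "live" and debug_on:
        findings.append("WP_DEBUG is on for the live site; set it back to false (step 15)")
        if settings.get("WP_DEBUG_DISPLAY") != "false":
            findings.append("WP_DEBUG_DISPLAY is not false; PHP errors are shown to visitors")
    return findings


if __name__ == "__main__":
    for label, text in (("left on", LEFT_ON), ("clean", CLEAN), ("pasted", PASTED)):
        print(label, audit_wp_config(text, "live"))
```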

Reward Yourself!

If you successfully upgraded everything and dealt with some hairy issues, you deserve a treat. Go for a walk, get a chair massage, buy a hot chai drink, take a bath, do some yoga, or drink a beer! You did it! Woot!

Angela Bowman

Front-end WordPress developer since 2007 building highly custom websites for nonprofits and small businesses. Experienced in nonprofit administration, grant writing, and technical writing. Love high altitude hiking and backyard chickens.

19 comments on “Updating WordPress Plugins and Themes Safely”

    • Hah! Yes, I do contradict the Codex if it gives bad advice. You really do want to update plugins first as if you update WordPress first and a plugin is old and incompatible with the current version of WordPress, then it might crash the site.

      The Codex is written by volunteers and not all the material is checked. I might submit a suggested change to their article since it is an open-source project to get the Codex written. Also, with big updates to WordPress, I would recommend de-activating the plugins, then updating them, then updating WordPress, then activating the plugins one at a time.

  1. The person who created my website told me never to update the wordpress because it would cause problems with plug-ins or something. Anyway, it seems someone clicked on the update so now I cannot log in without updating the wordpress database. I’m now afraid to do so because the site is still up and I don’t want to eff it up. I don’t have access to the guy who created the site any more and I don’t know what to do. I can’t log in at all to back up anything. WordPress wants me to click “update wordpress database” as my only apparent option. What can I do???

    • Since they already updated WP, I would go ahead and update the database so the site works properly. It’s possible you might have issues with any themes or plugins that weren’t updated. For example, my client uses the Enfold theme. He updated to the new WP without updating Enfold, and several things broke. I updated the theme, and everything was good again.

    • Good question! I did write some troubleshooting tips on this post as well as how to restore the database, so you might want to check that out. Depending on whether or not the database was updated in the update will determine what you need to do:

      1 – You update a plugin, and it breaks the site. If the plugin didn’t modify the database (read the changelog — they usually don’t unless it’s a major upgrade to the plugin), then you can just reinstall the old version of the plugin (read my post on how to find and download the subversions). This can all be done in the Dashboard in the Plugins window — de-activate and delete the new plugin then upload the old plugin and activate. Even if it did modify the database, you might possibly be able to use the subversion of the plugin until you’ve had time to troubleshoot more. This happened with me with an update to the WPML plugin. They had some issues with a version of WordPress, so I rolled back to an older version of the plugin until the issues were resolved, then updated.

      2 – If you did a WordPress core update AND the database was modified, you would need to FTP the subversion of the WordPress files as well as delete and reimport the WordPress tables from a database backup. This is much more technical, so I’d hire someone familiar with PHP to assist and backup the updated database as well just in case you are stuck with using that.

      This is why it’s always a good idea to do major updates in a staging environment.

      Good luck! And I hope the 4.5 WP upgrade goes smoothly for you. If you have any unusual plugins or use Visual Composer, be sure to update all your plugins first before updating WP.

    • Yes, Jetpack is awesome for doing auto updates. I think auto updates are fine when you have backend plugins that are “safe” to update. However, some plugins, like e-commerce, multi-language, events calendars, and others with front-facing features might break the site when you update if you are not careful. This is because many people customize various templates that may change with time. So, yes, set auto update on the simple plugins but be sure to test any updates to more complicated plugins with front-facing features in a staging environment.

  2. Hi.
    You may consider this off-topic and if so, ignore me and accept my apologies!
    I’m having troubles updating pages / clearing cache on a WP-HOSTED site for a friend. I got to this page because I know she has to clear the cache but there doesn’t seem to be a way to do this as she can’t install plugins like WP-Super-Cache on a free site. Googling this prob has so far only led to solutions re: SELF-hosted WP sites: are you able to point me in the right direction, please?
    Again, apologies if I’m wasting your time. 🙂

    • Hi DP,

      Who is her web host?

      Some web hosts have caching enabled on the hosting control panel, so that is where you would find a button to clear the cache.

      Angela

  3. To everyone who has problems upgrading WordPress using the ways mentioned in this fine article, you can use WP-Cli which is a command line interface for managing WordPress installations.
    Thank god I found out about this excellent utility from my web hosting company blog.
    I think that you will find WP-Cli very useful.

    • Hi Joao, Thank you for your comment. Great to mention WP-CLI. What I find is a lot of more novice users who might upgrade WordPress before updating plugins and break their site. This has been a big issue for the 4.3 update. Lots of sites breaking because people didn’t update plugins first. More advanced users will appreciate WP-CLI.

  4. I haven’t been able to update any plugins for the last few days using 4.2.2 . I click “update” on the two plugins that need it and they just spin. Was working fine a week ago. Any ideas?

    • Hi Ken,

      Yes, I’ve had that issue and many others. Here are some things to check and try:

      1 – De-activate the plugin, then try to update. This seems to work for a lot of people.

      2 – Update your PHP to version 5.4 (go to your cpanel and php Configuration).

      3 – Check your site for hacks. You have Rev Slider installed, and you may have been hacked before you got a chance to update to the safe version. Install Wordfence plugin and check the options to scan the core, themes, and plugins. Look for any weird files in your WordPress installation. I’d actually be inclined to delete all your WP files (but keep wp-content folder, wp-config.php, and .htaccess) and reupload fresh files. Since you did have old rev slider at some point, I imagine, I’d be pretty careful about checking your FTP directory for hacked files, not that this is related to your issue.

      4 – Check your error logs.

      Here’s an interesting forum post on WordPress.org about this issue:

      https://wordpress.org/support/topic/unable-to-update-plugins-after-upgrade-to-42

      Angela
