How often do you need to update WordPress core, themes, and plugins?
All the time! The longer you wait to update, the harder it will be. Some updates build on previous updates. Changes might be made to templates and how data is stored in the database that are more easily managed in increments. Also, more importantly, updates can be critical for security. So waiting even a few days for to perform a critical security update can put your site at risk. When a security vulnerability is discovered, the details of the exploitable code are published on the Internet. Hackers can immediately write bots to automatically crawl the web and exploit these vulnerabilities.
Outdated themes, plugins, and WordPress version are the number one way hackers gain access to your site (besides brute force hacks of your login). Even deactivated themes and plugins can leave your system vulnerable. Following are best practices for keeping your site up to date.
Many people offer maintenance plans to help you stay up to date. The problem with some of these plans is that they offer weekly, monthly, or quarterly updates. That approach does not work due to the need for timely updates in the face of a security vulnerability. Those updates need to happen asap, not on a pre-determined schedule.View Slideshare Presentation on How to Update WordPress Safely
Table of Contents
- Using a WordPress management plugin or software to do updates
- Which WordPress themes and plugins are safe to auto update
- Backing up your site before updating
- Creating a staging environment to test updates
- Updating plugins tips
- Updating themes tips
- Updating WordPress core
- Restoring WordPress Theme or Plugin Files
- What happens if an update breaks your site?
Using a WordPress management plugin or software to do updates
If you don’t want to worry about logging into your site constantly to perform updates, you can use one of these tools to automate tasks on your site or multiple sites: http://askwpgirl.com/wordpress-management-plugins/.
With each of these tools, you can select which plugins and themes are “safe” to auto update and which plugins or themes you should pay attention to and manually update.
Which WordPress themes and plugins are safe to auto update
Typically, plugins that run purely in the Dashboard with no front-end interface will be safe to automatically update, including:
- Admin tools such as duplicate post or columns
- Broken link checkers
- 301 redirect
- Most form plugins
- RSS feed
- Database optimization
- Other monitoring plugins
- Image compression
- Patches and fixes to the plugins listed below
- Patches to themes
- Updates to the TwentySomething themes
- Genesis parent theme
Plugins that have a front-facing interface that you should update manually and then check the site carefully (or update on a staging environment to test first) include:
- E-commerce (e.g. WooCommerce)
- Mutli-language (e.g. WPML)
- Complex forms
- Events calendars
- Popups and lead generators
- Galleries and media
- Upgrades to any premium theme
Backing up WordPress before upgrading
Be sure you have a recent, good backup of your site you can use to restore from if an update or upgrade goes horribly wrong. Read this post on how to backup your files and database. Create both a FULL SITE (aka Complete) BACKUP as well as a DATABASE ONLY backup. Download both of these backups to your local computer.
- BackWPUp – Free plugin, lots of options for scheduling and sending to remote location.
- Duplicator – Pro version can be used for scheduling backups. Free version for duplicating the site quickly. Great for migrations.
- BackupBuddy – Paid plugin. Great for scheduling and migrations.
- UpDraftPlus – Similar to BackWPUp and BackupBuddy and fast becoming the more popular of the three. It has free and paid remote backup storage options.
- VaultPress – An ideal backup service as you can restore to the previous day (or recent on-demand backup) with one-click. This allows you to be more bold with your upgrades. If something doesn’t work, you can quickly restore the backup. There is no need to setup schedules as VaultPress automatically backs up your site daily for 30 days.
- WorpDrive – If you are managing multiple sites, then WorpDrive is going to be more cost-effective than VaultPress and works similarly. You enter your FTP credentials and let it run automatically. You can test your backups to make sure they are work properly in their interface as well as use their one-click restore feature.
Important: Keep backups to a reasonable size! Exclude large files and uploads folders.
Testing WordPress Theme and Plugin Updates and Upgrades Locally or in a Staging Environment
There are many ways you can create a staging environment for your site to test updates without effecting the live site:
Creating a WordPress staging site using a localhost such as DesktopServer – $99.95
Ideally, you should keep a perpetual locally hosted copy of the websites you maintain. You can run all updates on the local site first then push the updates to the live server (using Git) or repeat the process on the live server. This helps avoid surprises on update. The only variation between your locally hosted WordPress and the server are PHP and MySQL versions. To better match your local environment to the live, hosted environment, many developers use Vagrants — virtual development environments.
I personally use DesktopServer. It costs $99.95 (or $79.95 if you use my short-time discount code of Winter2016). With DesktopServer, you can quickly create a local replica of your hosted site, test your updates, make note of or fix issues, then repeat the process on your live site. To do this, you simply need to make a backup Zip of your site using one of the above WordPress backup plugins. Be sure to exclude any large directories, because you really don’t need every single uploaded media file to test an update. Download this zip file, and import it into DesktopServer. Badabing badaboom, you have a local version of the site and can break it at will.
Creating a WordPress staging site using WP Staging plugin – $0
You can use WP Staging plugin to create a clone of your site in a subdirectory of your current hosting account. This plugin works on non-managed WordPress hosts, such as standard shared hosting at Host Gator or Blue Host.
- Install the plugin, select which items to clone.
- The cloned site will be installed in a subdirectory of your current site. Login to the cloned site.
- Customize theme, update plugins, etc. Test everything!
- Is it running as expected? You are safe to migrate all these modifications to your production site.
Use a managed WordPress host for easy access to a staging environment
More and more, I am recommending hosts like WP Engine, Get Flywheel, and SiteGround because of their good performance, security, backups, and a one-click staging environments. Pretty soon, all of these things add up, and the cost of setting these things up manually versus taking advantage of the service makes more sense.
Creating a WordPress staging environment using WP Stagecoach – $4/month/site
- Create a staging copy of your live site with one click.
- Copy changes from your staging site back to your live site.
- Choose which changes to import. You can import some or all of your file changes, and/or your database changes.
Updating WordPress plugins
- Replace abandoned plugins. Check the last update date of your plugins on WordPress.org (or wherever you purchased the plugin). If a plugin has not been updated in the past six months, investigate its viability. If it seems like support is no longer being offered, it might be time to find a newer plugin that is being better maintained. If the plugin has not been updated in two years or longer, then it’s really time to find an alternative. Using outdated plugins that are no longer maintained leaves your website vulnerable to either breaking or being hacked.
- Update WordPress plugins regularly. Plugins need to be updated as soon as updates are available, particularly patches to plugins which are bug and security fixes. You may want to hold off on major upgrades to plugins and read the changelog on WordPress.org or the plugin’s website to be sure that the upgrade won’t break something on your site. Sometimes plugin upgrades are so big that you will need to recreate any customized template files or stylesheets or re-enter data. The changelog should contain this type of detail.
- Update WordPress plugins first. If you are doing a major upgrade to your plugins and WordPress, you should update the plugins first and test them one at a time. After upgrading WordPress, you may be prompted to update the plugins again to be compatible with the latest version of WordPress. If a plugin goes with a theme, you may need to update the theme for the new plugin to work properly.
WordPress Plugin (and Theme) Version Guide
Here is a general guide to help you distinguish between updates, which usually won’t break your site, and upgrades, which can have some major consequences.
Changelogs will clue you into whether a major update has been made or simply minor bug or admin interface fixes as in these two examples:
Standard software versioning
Every developer uses different numbering system, so this is not a fault-proof guide, but it can help inform you of major revisions you should approach with caution. The only way to truly know what has changed with the plugin or theme is to read the change log.
2.0 – This is a major version upgrade from 1.0 and will likely be entirely different from the original plugin. Backup, read the documentation, and upgrade with caution and spare time on your hands.
2.1 – This is an update to the major version. May contain features that effect the way the plugin works on the site.
2.1.1 – This is a patch and is safe to update without reading the changelog, though it might be helpful to find out what was fixed.
The example below is from the very popular NextGEN Gallery changelog:
1.9.12 – Bug fix
1.9.13 – Bug fix, security fix, styling fix
2.0 – All new interface, a few changes, a few fixes. This upgrade broke compatibility with many third-party plugins, and completely changed how the NextGEN plugin functioned, too. There were many bugs in this release, so people waited to upgrade or rolled back to the 1.9.13 version.
2.0.7 – Many bug fixes. If you were already at 2.0, then this update would be something you would want to do right away to fix problems.
2.0.66 – Over the course of the next ten months, many bug fixes were released until this version was achieved.
18.104.22.168 – Note the addition of the fourth set of digits. This might be because if they kept bug fixing 2.0, then were going to run out of digits in the third place! Again, it represents bug fixes and should be done right away.
Updating premium plugins
- Always enter license key for premium plugins. See Envato plugin example below.
- Purchase premium plugins even if bundled with theme. Theme developers may be slow to update their bundled plugins.
Plugin Template/Style Updates
- If plugin uses customizable templates (e.g. WooCommerce, NextGEN Gallery, The Events Calendar), compare child theme templates to update plugin templates.
- Plugin may have moved, deleted, or renamed the stylesheets and templates you have mirrored in your child theme.
Updating WordPress themes
Updating themes can be a little tricky because updating will overwrite any customizations you’ve made to the theme’s files (if the changes were not made in a child theme), and can overwrite the theme options you’ve set, too.
Here are some things to keep in mind:
- If you modified core theme files (in other words, you did not use a child theme), then you will need to compare any changes you’ve made to the files to the update theme and make those changes on the new theme. This could involve some time.
- If you worked with a child theme, then you can probably update the parent theme without too much worry. However, you might need to compare any modified template files to the new parent theme’s template files to make sure your modified templates have compatible HTML. You may need to recreate your custom template files.
- Since the new theme might have new HTML IDs and Classes, your stylesheet changes may not be applied. (See “What to do if a WordPress plugin or theme upgrade breaks your site” below.)
- As with plugins, if the theme update is a “patch” (and you use a child theme), then you can update without worrying. If your theme contains major changes, plan on setting aside up to a day to upgrade! How much time this will take depends on: how major the upgrade, how old the original theme was, and how many customizations were made to the theme or child theme.
- Old themes can cause problems with new plugins you want to use or may stop functioning correctly with the latest version of WordPress. This is why you need to update even if it’s a pain in the butt.
Like cars, the latest and greatest WordPress themes have a lot more bells and whistles and are more time consuming to update. Current WordPress themes have a lot more moving parts and features that are all integrated together. They are more robust and interesting and will do everything but wash your dishes, but they do require upkeep which is time consuming if code has changed radically from one version to the next.
Updating WordPress core files
Some versions of WordPress will conflict with your outdated themes or plugins. Like themes and plugins, do not hesitate to click the Update button for patches, e.g. 4.0 to 4.0.1. With major updates, e.g. 4.0 to 4.1, you will want to make sure that your current plugins and themes are compatible. Testing the update in a local copy of the site is a good idea. I didn’t have issues with updating any sites from 3.9.2 to 4.0 except one site running the WordPress Multilingual (WPML) plugin. Many people had issues with updating the WPML plugin. And, during the update process, I realized I had other issues on the site. For one, I also needed to update my theme! So, I backed everything up, did all the updates locally, cleared up any problems, then copied the site back up to the live site.
I usually check my plugins on WordPress.org or the plugin forums to make sure the plugin is current with the latest version of WordPress. If the WordPress upgrade contains an update to the jQuery library, the update may conflict with the jQuery library used with your plugins or theme. This will result in some jQuery functionality, like perhaps your theme’s slider or Ajax content editor, to no longer function correctly. Updating the theme along with WordPress is mandatory then.
Restoring WordPress Theme or Plugin Files
If an update to a plugin or theme goes horribly wrong, you can simply replace those theme or plugin files with the backup you made above. If you are using a backup plugin, you can unzip your full backup and then FTP the old version of the theme or plugin to the wp-content > themes or plugins folder and overwrite the new version of the theme or plugin with the backup.
Restoring an older version of a WordPress plugin from WordPress.org
If the upgrade issue was related to a plugin on WordPress.org, you can re-install the older version of a plugin easily without needing to go to your backups:
- Find the plugin on WordPress.org.
- Click the Developers tab.
- Download the older version of the plugin from the Other Versions list.
- De-activate and delete the new version of the plugin in the Plugins list in your WordPress dashboard.
- Click Add New plugin and upload the older version and activate it. If changes weren’t made to the database, this should work fine to restore your site to what it was before you upgraded the plugin.
Restoring the WordPress database
If you are not using VaultPress or don’t have access to a one-click restore of your site, you may have to restore both your files (via FTP) as well as your database manually. These instructions are a bit long, and I usually restore databases a bit more cavalierly. However, since I’m giving advice to you and not sure of your skill level, I want to make sure you don’t inadvertently delete the wrong database.
First, you will need to download the backup of your database you created before you upgraded. If you are using a backup plugin, unzip the database backup you created. You should see a file that ends with .sql.
- Login to your web hosting control panel.
- Go to the MySQL database wizard.
- Follow the steps to create a new database, user, and password. Take note of the database name, database username, and database password. Be sure to give the new user All Privileges.
- Click phpMyAdmin in your web hosting control panel.
- You may need the database username and password created in step 3 to login.
- Click the database name on the left side of the phpMyAdmin window.
- In the Structure tab, you should see “No tables found in database.”
- Across the top of the screen will be a row of tabs. Click the Import tab.
- On the next screen click the Browse button next to the file to use field.
- Click Browse. Locate the backup file stored on your computer.
- Make sure SQL is selected in the Format drop-down menu.
- Click the Go button. The database tables will be imported.
- Login to your site via FTP or your web host’s control panel File Manager.
- Make a copy of your wp-config.php file.
- Edit the original wp-config.php file to contain the database name, username, and password created in step 3.
- The old database is now restored.
Note: If you use BackupBuddy, you can use the importbuddy.php script to restore the database and overwrite the old database tables instead of creating a new database.
What to do if a WordPress plugin or theme upgrade breaks your site
First, you might want to restore the site from a backup if you broke the live site. If you are working in a staging environment, you can use the following tips to troubleshoot the site and move forward:
1 – Read the documentation, change log, and support forums
If other people have experiencing the same problems, there’s a good chance the fix (or at least an ongoing discussion) is waiting for you there.
2 – Re-save options and use correct shortcode
If a slider or other plugin feature doesn’t load properly after upgrading, you may need to click SAVE CHANGES or UPDATE to get the slider or feature to re-connect to the page or layout. Be sure all the images or other settings are the same as you had on the old version. Sometimes major updates have such big changes you need to re-choose all your options. With some updates, you just need to click a button to Save the options to get them to work again.
Some plugin or theme shortcodes may have changed, so you need to read the documentation and use the correct shortcodes.
3 – Clear your site cache and browser cache
Your site might look broken after an update/upgrade, but it might be because various cached files are interfering with the proper loading of the site. Conflicting cached files can cause all kinds of erratic behavior. Login to your WordPress Dashboard and delete any cached files in your caching plugin and then delete all the cached files in your browser. Try viewing the site from or logging in via a different browser.
4 – Troubleshoot style issues after upgrading WordPress theme or plugin
CSS style modifications may not be applied to your new theme or plugin for a variety of reasons:
- The HTML has changed. If the HTML IDs or Classes have changed, then the CSS used with the old theme and plugin will be ignored. To fix this, use Firebug or the Inspect Element feature in Chrome or Safari to identify the correct CSS selector and modify the selectors in your child theme’s stylesheet as needed.
- The styles were overwritten. When you updated your theme or plugin, there may have been a stylesheet or styles included in the theme or plugin that got overwritten. I noticed this with major updates to the Revolution Slider. To resolve this issue, copy the styles or stylesheet to the appropriate location. This may be in the theme or plugin options or in the FTP directory. Comparing the old site to the new site will help you figure out where this needs to go.
- The location for styles moved. As with updates to The Events Calendar and NextGEN Gallery, the location for your custom stylesheet may have changed. Read the plugin documentation for information on where the new stylesheet should be located in your FTP directory.
5 – If your WordPress breaks (doesn’t load) after upgrading:
- Login to your site via FTP or the web host’s File Manager.
- Rename the plugins folder to plugins-old.
- Move your active theme out of the themes folder and loose in the wp-content folder.
- Login to your WordPress Dashboard and activate one of the default TwentySomething themes.
- Visit the plugins page. All the plugins should now be de-activated.
- Check your site. It will probably be fine now except it will look like hell because you aren’t using your theme.
- Go back into FTP or the File Manager and rename your plugins-old folder back to plugins and move your theme back into the themes folder.
- Edit your wp-config.php file in the public_html (or WordPress install directory) and change the line define(‘WP_DEBUG’, false); to define(‘WP_DEBUG’, true);
- Activate your original theme.
- Check your site. Take note of any errors.
- If the theme is dependent on any installed plugins, be sure those plugins have been updated as necessary and activate those.
- Check your site and take note of any errors.
- Check the theme or plugin’s support forums for information about how to resolve any errors. Some errors reported when the debug is turned on are not critical, though one would hope developers would pay attention to them. Unfortunately, many premium theme developers are apathetic and don’t keep up on maintaining their themes or plugins properly.
- If there are no errors with your theme or its required plugins, activate the other plugins one at a time, and take note of any errors. Check the support forums for known issues.
- Edit your wp-config.php file in the public_html (or WordPress install directory) and change the line define(‘WP_DEBUG’, true); to define(‘WP_DEBUG’, false);
By eliminating variables (such as removing all the plugins and themes) and turning on the debug feature, you can narrow down the source of the problem. You may not be able to solve the problem, but hopefully, you will have narrowed down the source of the issues.
If you successfully upgraded everything and dealt with some hairy issues, you deserve a treat. Go for a walk, get a chair massage, buy a hot chai drink, take a bath, do some yoga, or drink a beer! You did it! Woot!