Do you upgrade all of your clients sites every time a new version of WordPress comes out?

Q: If you develop websites with WordPress for clients, what do you do about upgrading their sites? Do you upgrade all of your clients sites every time a new version of WordPress comes out? Do you only upgrade when there’s a security risk? Do you tell your clients before you start that you will be upgrading their sites periodically, and there will be an additional charge each time you do it? Do you have a fixed price for upgrading, or do you charge by the hour? Sometimes it only takes a few minutes, but if a plugin doesn’t work with the upgrade, yikes, it could take a long time.

On another note, if you have a client who wants a static site and they will not be updating the content very often, do you still develop their site in WordPress? It seems like there are less things to worry about with a straight html site, because you don’t have to update the software or deal with security issues. Are there times when you think Dreamweaver (or another html editor) is more appropriate than WordPress?

Because of the security risk of PHP and MySQL, I think we need to be sure to explain to clients before setting up their WordPress sites that the WordPress application must be regularly updated. PHP risks are only going to increase over time, and the only way to protect websites is to keep up with the WordPress updates. The one-click update is great, but when 2.9 comes out, there will be many plugins that won’t work and that’s going to make updating a headache.

Here’s what I recommend:

1. Make sure the client understands the security risks of using a PHP web application.

Make sure YOU understand the security risks and how vulnerable PHP is to attack. Its popularity in web applications is making it more so. This includes other CMSs as well – Drupal and Joomla – as well as proprietary ones. If a client’s site gets hacked and it goes unnoticed for a time and the Google bots detect weird stuff coming out of the site (malicious code, etc.), then the site could be kicked off the search engine.

2. Make sure your client understands that in order to avoid having their site hacked, the WordPress version must be kept up to date.

This may take a few minutes once every 6 months or a couple hours if you’re having to deal with plugin issues. You can put this in your contract with the client to perform necessary security updates and estimate the number of hours (or minutes) each year for this based on the complexity of their site. All computer and website applications should be kept updated, and WordPress is no exception.

3. Choose your plugins wisely.

Try to write your own get_posts or wp_query queries (see and rather than use plugins whose developers do not keep their plugins up to date. Most of the more popular plugins are updated in anticipation of the new release of WordPress. Find plugin developers you can trust and be sure to make a contribution to their plugins.

4. Be sure to include in the cost of site development implementing various “hardening” or security steps.

Please see: Assesing the Security Risk of Using WordPress as a CMS for links to good articles on how to secure your WordPress install.

5. Understand the client’s needs.

Does the client need a CMS? Will creating a 4-page brochure site using Dreamweaver (and Contribute) meet their needs and goals in terms of interactivity, search engine optimization, ongoing updates, etc.? A site with more than 12-15 pages often becomes difficult to manage in flat file layout.

Having continually fresh content or being able to use various online marketing or e-commerce strategies necessitates having some sort of dynamic CMS. If the client just wants a blog but really doesn’t have the budget or desire to keep their WordPress version updated, perhaps or Blogger would be better solutions for them. The client’s needs and online business goals should drive their website solution. Assessing the overall cost benefit of any solution is important.

6. Backup before clicking that update button!

Backup the database and the contents of the wp-content folder and any other folders you may have created (such as an images folder in the root). You might also want to back up the entire FTP directory just in case you need to revert to the older version of WordPress for some reason (such as an incompatible plugin that you need time to troubleshoot or substitute).

I’ve been using WordPress for 2.5 years, and it wasn’t until this past summer that I realized the security issues. In 2008, Joomla!, WordPress, and Drupal all made the top ten chart of known software vulnerabilities, mostly because of their growing popularity and the inherent vulnerability of PHP and MySQL.  Hacks are more likely to increase than decrease, but the WordPress development teams seem to be quick to respond to known vulnerabilities with updates.

WordPress is very fun to work with, and it’s definitely a buzz kill to have to deal with security issues. But, as responsible “web developers,” we need to consider the risks and take the necessary precautions, including, YES — updating every time there is a security update.

Please let me know how you handle this with your clients by commenting below. Thanks!

Angela Bowman

Front-end WordPress developer since 2007 building highly custom websites for nonprofits and small businesses. Experienced in nonprofit administration, grant writing, and technical writing. Love high altitude hiking and backyard chickens.

View all posts by Angela Bowman

5 comments on “Do you upgrade all of your clients sites every time a new version of WordPress comes out?

  1. is a nightmare for updates. It’s OK if you do it yourself, but expecting clients to do it, is probably a bad idea. They could be trained, but you’d probably have to skip the ‘back up the database’ part, as they probably wouldn’t be able to do it (yet another step). Also a lot of clients don’t take security seriously until something bad happens, so they might become lazy with updates.

    I’m tempted to just use It’s far more secure in a lot of ways because it’s pretty much a closed system. If you need any extra functionality though, you’re forced out of, towards (or some other system).

    I feel trapped between the two at the moment. A client wants a system where it’s easy to edit pages (either .com or .org would therefore be suitable), but they don’t want any unnecessary complexity (i.e. they probably don’t want to do plugin updates). However they do want a little bit of functionality that’s outside of So it looks like a no win situation.

    I could just do a straight HTML site, with a few PHP scripts to handle the extra functionality. However this feels less secure. There would be no updates, because the PHP scripts would be one-offs just for the client, or third-party ones with no easy way to update them without me doing it.

    I’m wondering if I need to be straight with them about the options, then they can weight up the pros and cons of each system. e.g. they could have the version without functionality they want! Or they could have all the functionality and use, but they’d need to do the updates themselves, and be aware they’d have to pay if something goes wrong. The HTML / PHP option, they might actually be happy with, as they think they’ll never be hacked (this one is good for me, as they probably won’t blame me for getting hacked!).

    • Hi Mike,

      I feel your pain. I often end up referring people to SquareSpace because of their nice templates if they are the type of client who isn’t going to do much with their content and needs a basic brochure site.

      With others who are more committed to developing content and blogging, I set them up with my iControlWP account and do the updates for them as well as backups. I charge a pretty modest fee for low-budget clients to keep things up to date but also tell them that I won’t be “laying hands” on their site, so they need to keep an eye on it to make sure their contact forms work and nothing breaks. For higher level clients, I charge more $/month and really check the site carefully a couple times a month, and particularly after large updates. Things that tend to break are e-commerce, multi-lingual, and contact form plugin functionality. So I test each of those.

      I use one theme and a standard set of plugins, so I rarely have issues. I let everyone know to consult with me before installing additional plugins. Once they break the site one time, they usually remember to check with me first.

      I would say for ethical purposes, be very honest about the need for updates and backups. I won’t work with anyone who isn’t on board for regular updates and backups for my minimal fee. I feel like it’s not good to set up WordPress then leave them on their own. I have long-term relationships with all my clients. I never leave them to their own devices.

      Even random PHP scripts can be hacked if they generate an error log that hackers can find. I guess I’d rather recommend SquareSpace or than a DIY site. Mostly, I think people should have a business reason for using WordPress and take advantage of the SEO, blogging, social integration, etc.

      I think you’ll find if you stick to a really set theme and set of plugins and good web host, you won’t have issues with updates. And be sure to get them to sign at least a minimal maintenance contract. iControlWP makes it all super easy.

      Good luck!


  2. Hi Wpgirl 🙂 I have a few questions regarding WordPress version. Hope you can help me.

    – Do you have to keep updating WordPress every time?
    – I have a web site with few plugins. If I have to update versions because of security reasons, that means that all my plugins or work will get messed up or even worse, will they stop working at all? What would happen?

    Thanks for the information and for this useful posting.

    • Hi,

      It depends on the update/upgrade available. For security updates, I will read what the security update is for and determine if it effects my clients’ sites. Some of the security updates only affect some of my clients’ sites because it might fix a problem with Author users for example, but most of my clients don’t have author users. Also, the little security patches from 3.0.4 to 3.0.5 for example usually never affect plugins, so you don’t have to worry about plugins breaking.

      With major upgrades (from 3.0.5 to 3.1), I usually wait quite awhile until the plugins I’m using are also working. I have a locally installed version of WordPress on my computer, so I can test whether or not the plugins break with the update. You can check the plugin repository at to see what other people are saying about your plugins and if they say they are working or not.

      So, definitely update if you think the security risk may effect your site, and you can wait to do the major upgrade a bit until your plugins are updated or you know they won’t break or until the current version also uncovers some security loophole related to your version.

      Good luck!

  3. Good points Wpgirl. For now, all the websites I have are my own, so I do update WP regularly (more than I update the sites themselves). But for some more static ones I am going to be doing for others, I might rethink and do those in Dreamweaver or something.

Leave a Reply

Your email address will not be published. Required fields are marked *