Updating WordPress Plugins and Themes Safely

How often do you need to update WordPress core, themes, and plugins?

All the time! The longer you wait to update, the harder it will be. Some updates build on previous updates. Changes might be made to templates and how data is stored in the database that are more easily managed in increments. Also, more importantly, updates can be critical for security. So waiting even a few days for to perform a critical security update can put your site at risk. When a security vulnerability is discovered, the details of the exploitable code are published on the Internet. Hackers can immediately write bots to automatically crawl the web and exploit these vulnerabilities.

Outdated themes, plugins, and WordPress version are the number one way hackers gain access to your site (besides brute force hacks of your login). Even deactivated themes and plugins can leave your system vulnerable. Following are best practices for keeping your site up to date.

Many people offer maintenance plans to help you stay up to date. The problem with some of these plans is that they offer weekly, monthly, or quarterly updates. That approach does  not work due to the need for timely updates in the face of a security vulnerability. Those updates need to happen asap, not on a pre-determined schedule.

View Slideshare Presentation on How to Update WordPress Safely

Table of Contents

1. Using a WordPress management plugin or software to do updates
2. Which WordPress themes and plugins are safe to auto update
3. Backing up your site before updating
4. Creating a staging environment to test updates
5. Updating plugins tips
6. Updating themes tips
7. Updating WordPress core
8. Restoring WordPress Theme or Plugin Files
9. What happens if an update breaks your site?

Using a WordPress management plugin or software to do updates

If you don’t want to worry about logging into your site constantly to perform updates, you can use one of these tools to automate tasks on your site or multiple sites: https://askwpgirl.com/wordpress-management-plugins/.

With each of these tools, you can select which plugins and themes are “safe” to auto update and which plugins or themes you should pay attention to and manually update.

Which WordPress themes and plugins are safe to auto update

Typically, plugins that run purely in the Dashboard with no front-end interface will be safe to automatically update, including:

• SEO
• Analytics
• Admin tools such as duplicate post or columns
• Broken link checkers
• 301 redirect
• Most form plugins
• RSS feed
• Jetpack
• Database optimization
• Backups
• Other monitoring plugins
• Image compression
• Security
• Patches and fixes to the plugins listed below
• Patches to themes
• Updates to the TwentySomething themes
• Genesis parent theme

Plugins that have a front-facing interface that you should update manually and then check the site carefully (or update on a staging environment to test first) include:

• E-commerce (e.g. WooCommerce)
• Mutli-language (e.g. WPML)
• Complex forms
• Events calendars
• Registration
• Popups and lead generators
• Galleries and media
• Upgrades to any premium theme

Backing up WordPress before upgrading

Be sure you have a recent, good backup of your site you can use to restore from if an update or upgrade goes horribly wrong. Read this post on how to backup your files and database. Create both a FULL SITE (aka Complete) BACKUP as well as a DATABASE ONLY backup. Download both of these backups to your local computer.

• BackWPUp – Free plugin, lots of options for scheduling and sending to remote location.
• Duplicator – Pro version can be used for scheduling backups. Free version for duplicating the site quickly. Great for migrations.
• BackupBuddy – Paid plugin. Great for scheduling and migrations.
• UpDraftPlus – Similar to BackWPUp and BackupBuddy and fast becoming the more popular of the three. It has free and paid remote backup storage options.
• VaultPress – An ideal backup service as you can restore to the previous day (or recent on-demand backup) with one-click. This allows you to be more bold with your upgrades. If something doesn’t work, you can quickly restore the backup. There is no need to setup schedules as VaultPress automatically backs up your site daily for 30 days.
• WorpDrive – If you are managing multiple sites, then WorpDrive is going to be more cost-effective than VaultPress and works similarly. You enter your FTP credentials and let it run automatically. You can test your backups to make sure they are work properly in their interface as well as use their one-click restore feature.

Important: Keep backups to a reasonable size! Exclude large files and uploads folders.

Testing WordPress Theme and Plugin Updates and Upgrades Locally or in a Staging Environment

There are many ways you can create a staging environment for your site to test updates without effecting the live site:

Creating a WordPress staging site using a localhost such as DesktopServer – $99.95

Ideally, you should keep a perpetual locally hosted copy of the websites you maintain. You can run all updates on the local site first then push the updates to the live server (using Git) or repeat the process on the live server. This helps avoid surprises on update. The only variation between your locally hosted WordPress and the server are PHP and MySQL versions. To better match your local environment to the live, hosted environment, many developers use Vagrants — virtual development environments.

I personally use DesktopServer. It costs $99.95 (or $79.95 if you use my short-time discount code of Winter2016). With DesktopServer, you can quickly create a local replica of your hosted site, test your updates, make note of or fix issues, then repeat the process on your live site. To do this, you simply need to make a backup Zip of your site using one of the above WordPress backup plugins. Be sure to exclude any large directories, because you really don’t need every single uploaded media file to test an update. Download this zip file, and import it into DesktopServer. Badabing badaboom, you have a local version of the site and can break it at will.

Creating a WordPress staging site using WP Staging plugin – $0

You can use WP Staging plugin to create a clone of your site in a subdirectory of your current hosting account. This plugin works on non-managed WordPress hosts, such as standard shared hosting at Host Gator or Blue Host.

1. Install the plugin, select which items to clone.
2. The cloned site will be installed in a subdirectory of your current site. Login to the cloned site.
3. Customize theme, update plugins, etc. Test everything!
4. Is it running as expected? You are safe to migrate all these modifications to your production site.

Use a managed WordPress host for easy access to a staging environment

More and more, I am recommending hosts like WP Engine, Get Flywheel, and SiteGround because of their good performance, security, backups, and a one-click staging environments. Pretty soon, all of these things add up, and the cost of setting these things up manually versus taking advantage of the service makes more sense.

Creating a WordPress staging environment using WP Stagecoach – $4/month/site

• Create a staging copy of your live site with one click.
• Copy changes from your staging site back to your live site.
• Choose which changes to import. You can import some or all of your file changes, and/or your database changes.

Updating WordPress plugins

• Replace abandoned plugins. Check the last update date of your plugins on WordPress.org (or wherever you purchased the plugin). If a plugin has not been updated in the past six months, investigate its viability. If it seems like support is no longer being offered, it might be time to find a newer plugin that is being better maintained. If the plugin has not been updated in two years or longer, then it’s really time to find an alternative. Using outdated plugins that are no longer maintained leaves your website vulnerable to either breaking or being hacked.
• Update WordPress plugins regularly. Plugins need to be updated as soon as updates are available, particularly patches to plugins which are bug and security fixes. You may want to hold off on major upgrades to plugins and read the changelog on WordPress.org or the plugin’s website to be sure that the upgrade won’t break something on your site. Sometimes plugin upgrades are so big that you will need to recreate any customized template files or stylesheets or re-enter data. The changelog should contain this type of detail.
• Update WordPress plugins first. If you are doing a major upgrade to your plugins and WordPress, you should update the plugins first and test them one at a time. After upgrading WordPress, you may be prompted to update the plugins again to be compatible with the latest version of WordPress. If a plugin goes with a theme, you may need to update the theme for the new plugin to work properly.

 Updating premium plugins

• Always enter license key for premium plugins. See Envato plugin example below.
• Purchase premium plugins even if bundled with theme. Theme developers may be slow to update their bundled plugins.

Plugin Template/Style Updates

• If plugin uses customizable templates (e.g. WooCommerce, NextGEN Gallery, The Events Calendar), compare child theme templates to update plugin templates.
• Plugin may have moved, deleted, or renamed the stylesheets and templates you have mirrored in your child theme.

Updating WordPress themes

Updating themes can be a little tricky because updating will overwrite any customizations you’ve made to the theme’s files (if the changes were not made in a child theme), and can overwrite the theme options you’ve set, too.

Here are some things to keep in mind:

• If you modified core theme files (in other words, you did not use a child theme), then you will need to compare any changes you’ve made to the files to the update theme and make those changes on the new theme. This could involve some time.
• If you worked with a child theme, then you can probably update the parent theme without too much worry. However, you might need to compare any modified template files to the new parent theme’s template files to make sure your modified templates have compatible HTML. You may need to recreate your custom template files.
• Since the new theme might have new HTML IDs and Classes, your stylesheet changes may not be applied. (See “What to do if a WordPress plugin or theme upgrade breaks your site” below.)
• As with plugins, if the theme update is a “patch” (and you use a child theme), then you can update without worrying. If your theme contains major changes, plan on setting aside up to a day to upgrade! How much time this will take depends on: how major the upgrade, how old the original theme was, and how many customizations were made to the theme or child theme.
• Old themes can cause problems with new plugins you want to use or may stop functioning correctly with the latest version of WordPress. This is why you need to update even if it’s a pain in the butt.

With very static HTML/CSS themes that don’t use any Javascript, you will likely never have to worry about “updating” the theme as there is unlikely to be anything in need of updating except perhaps some deprecated WordPress functions. But, if your theme is that old, your site is probably pretty boring, and you might want to change themes to not look dated.

Like cars, the latest and greatest WordPress themes have a lot more bells and whistles and are more time consuming to update. Current WordPress themes have a lot more moving parts and features that are all integrated together. They are more robust and interesting and will do everything but wash your dishes, but they do require upkeep which is time consuming if code has changed radically from one version to the next.

Updating WordPress core files

Some versions of WordPress will conflict with your outdated themes or plugins. Like themes and plugins, do not hesitate to click the Update button for patches, e.g. 4.0 to 4.0.1. With major updates, e.g. 4.0 to 4.1, you will want to make sure that your current plugins and themes are compatible. Testing the update in a local copy of the site is a good idea. I didn’t have issues with updating any sites from 3.9.2 to 4.0 except one site running the WordPress Multilingual  (WPML) plugin. Many people had issues with updating the WPML plugin. And, during the update process, I realized I had other issues on the site. For one, I also needed to update my theme! So, I backed everything up, did all the updates locally, cleared up any problems, then copied the site back up to the live site.

I usually check my plugins on WordPress.org or the plugin forums to make sure the plugin is current with the latest version of WordPress. If the WordPress upgrade contains an update to the jQuery library, the update may conflict with the jQuery library used with your plugins or theme. This will result in some jQuery functionality, like perhaps your theme’s slider or Ajax content editor, to no longer function correctly. Updating the theme along with WordPress is mandatory then.

Restoring WordPress Theme or Plugin Files

If an update to a plugin or theme goes horribly wrong, you can simply replace those theme or plugin files with the backup you made above. If you are using a backup plugin, you can unzip your full backup and then FTP the old version of the theme or plugin to the wp-content > themes or plugins folder and overwrite the new version of the theme or plugin with the backup.

Restoring an older version of a WordPress plugin from WordPress.org

If the upgrade issue was related to a plugin on WordPress.org, you can re-install the older version of a plugin easily without needing to go to your backups:

1. Find the plugin on WordPress.org.
2. Click the Developers tab.
3. Download the older version of the plugin from the Other Versions list.
4. De-activate and delete the new version of the plugin in the Plugins list in your WordPress dashboard.
5. Click Add New plugin and upload the older version and activate it. If changes weren’t made to the database, this should work fine to restore your site to what it was before you upgraded the plugin.

Restoring the WordPress database

If you are not using VaultPress or don’t have access to a one-click restore of your site, you may have to restore both your files (via FTP) as well as your database manually. These instructions are a bit long, and I usually restore databases a bit more cavalierly. However, since I’m giving advice to you and not sure of your skill level, I want to make sure you don’t inadvertently delete the wrong database.

First, you will need to download the backup of your database you created before you upgraded. If you are using a backup plugin, unzip the database backup you created. You should see a file that ends with .sql.

1. Login to your web hosting control panel.
2. Go to the MySQL database wizard.
3. Follow the steps to create a new database, user, and password. Take note of the database name, database username, and database password. Be sure to give the new user All Privileges.
4. Click phpMyAdmin in your web hosting control panel.
5. You may need the database username and password created in step 3 to login.
6. Click the database name on the left side of the phpMyAdmin window.
7. In the Structure tab, you should see “No tables found in database.”
8. Across the top of the screen will be a row of tabs. Click the Import tab.
9. On the next screen click the Browse button next to the file to use field.
10. Click Browse. Locate the backup file stored on your computer.
11. Make sure SQL is selected in the Format drop-down menu.
12. Click the Go button. The database tables will be imported.
13. Login to your site via FTP or your web host’s control panel File Manager.
14. Make a copy of your wp-config.php file.
15. Edit the original wp-config.php file to contain the database name, username, and password created in step 3.
16. The old database is now restored.

Note: If you use BackupBuddy, you can use the importbuddy.php script to restore the database and overwrite the old database tables instead of creating a new database.

What to do if a WordPress plugin or theme upgrade breaks your site

First, you might want to restore the site from a backup if you broke the live site. If you are working in a staging environment, you can use the following tips to troubleshoot the site and move forward:

1 – Read the documentation, change log, and support forums

If other people have experiencing the same problems, there’s a good chance the fix (or at least an ongoing discussion) is waiting for you there.

2 – Re-save options and use correct shortcode

If a slider or other plugin feature doesn’t load properly after upgrading, you may need to click SAVE CHANGES or UPDATE to get the slider or feature to re-connect to the page or layout. Be sure all the images or other settings are the same as you had on the old version. Sometimes major updates have such big changes you need to re-choose all your options. With some updates, you just need to click a button to Save the options to get them to work again.

Some plugin or theme shortcodes may have changed, so you need to read the documentation and use the correct shortcodes.

3 – Clear your site cache and browser cache

Your site might look broken after an update/upgrade, but it might be because various cached files are interfering with the proper loading of the site. Conflicting cached files can cause all kinds of erratic behavior. Login to your WordPress Dashboard and delete any cached files in your caching plugin and then delete all the cached files in your browser. Try viewing the site from or logging in via a different browser.

4 – Troubleshoot style issues after upgrading WordPress theme or plugin

CSS style modifications may not be applied to your new theme or plugin for a variety of reasons:

• The HTML has changed. If the HTML IDs or Classes have changed, then the CSS used with the old theme and plugin will be ignored. To fix this, use Firebug or the Inspect Element feature in Chrome or Safari to identify the correct CSS selector and modify the selectors in your child theme’s stylesheet as needed.
• The styles were overwritten. When you updated your theme or plugin, there may have been a stylesheet or styles included in the theme or plugin that got overwritten. I noticed this with major updates to the Revolution Slider. To resolve this issue, copy the styles or stylesheet to the appropriate location. This may be in the theme or plugin options or in the FTP directory. Comparing the old site to the new site will help you figure out where this needs to go.
• The location for styles moved. As with updates to The Events Calendar and NextGEN Gallery, the location for your custom stylesheet may have changed. Read the plugin documentation for information on where the new stylesheet should be located in your FTP directory.

5 – If your WordPress breaks (doesn’t load) after upgrading:

You can identify PHP errors or Javascript/jQuery conflicts between your theme, theme plugins, and other plugins using these steps. The purpose of these steps is to eliminate as many variables as possible and then isolate the issue. You should only do this in a staging environment to avoid your live site going down during the process.

1. Login to your site via FTP or the web host’s File Manager.
2. Rename the plugins folder to plugins-old.
3. Move your active theme out of the themes folder and loose in the wp-content folder.
4. Login to your WordPress Dashboard and activate one of the default TwentySomething themes.
5. Visit the plugins page. All the plugins should now be de-activated.
6. Check your site. It will probably be fine now except it will look like hell because you aren’t using your theme.
7. Go back into FTP or the File Manager and rename your plugins-old folder back to plugins and move your theme back into the themes folder.
8. Edit your wp-config.php file in the public_html (or WordPress install directory) and change the line define(‘WP_DEBUG’, false); to define(‘WP_DEBUG’, true);
9. Activate your original theme.
10. Check your site. Take note of any errors.
11. If the theme is dependent on any installed plugins, be sure those plugins have been updated as necessary and activate those.
12. Check your site and take note of any errors.
13. Check the theme or plugin’s support forums for information about how to resolve any errors. Some errors reported when the debug is turned on are not critical, though one would hope developers would pay attention to them. Unfortunately, many premium theme developers are apathetic and don’t keep up on maintaining their themes or plugins properly.
14. If there are no errors with your theme or its required plugins, activate the other plugins one at a time, and take note of any errors. Check the support forums for known issues.
15. Edit your wp-config.php file in the public_html (or WordPress install directory) and change the line define(‘WP_DEBUG’, true); to define(‘WP_DEBUG’, false);

By eliminating variables (such as removing all the plugins and themes) and turning on the debug feature, you can narrow down the source of the problem. You may not be able to solve the problem, but hopefully, you will have narrowed down the source of the issues.