For many users, new WordPress updates come as a surprise. After all, very few follow the release schedule, such as the current one for WordPress 5.8. Available updates for plugins and themes also often cause uncertainty. Today, Johannes Mairhofer reveals how to keep your WordPress system up to date and which update strategy has proven successful.
WordPress security
WordPress is the most widely used content management system (CMS) in the world. According to w3techs, WordPress is now used by 41 percent of all websites, and the trend is rising. It is quite realistic that half of all websites will be based on WordPress by 2025. This widespread use also makes WordPress interesting for potential attackers. Attacks are very rarely aimed at you personally. They usually come from automated bot networks that search the entire internet for known vulnerabilities and security gaps and exploit them.
To secure yourself and your WordPress, there are of course numerous tools and tips, which you can also find here in the magazine. However, it is also important to keep your entire system up to date and carry out regular updates. I'll show you how to do this now.
Updates in the WordPress dashboard
You can see whether you have any pending updates in your WordPress admin dashboard. You can recognize it immediately after logging in by the double arrow turned into a circle at the top of the status bar. If you click on this icon, you will see the pending updates in the overview and can easily perform them - either all at once or individually.
In my preferred update strategy, I differentiate between plugin and theme updates and updates to WordPress itself. I'll explain why I recommend this in the following.
WordPress Themes
The general rule for themes is: less is more.
In addition to the active theme, you should ideally only have one other current standard theme installed, which is used as a fallback. This allows the system to automatically switch to this default theme if your current theme causes errors.
In my example installation, you can see that I have activated and am using the "Neve" theme. In addition, I have only installed the current standard WordPress theme "Twenty Twenty-One". If errors occur with my actual "Neve" theme, WordPress can automatically switch to "Twenty Twenty-One".
Updates for themes
For WordPress themes, I recommend that you make any pending updates directly. The risk of an update causing serious damage is very low and can be mitigated by the default theme if the worst comes to the worst. Nevertheless, you should make a backup of your website before every update to be on the safe side in case problems do occur.
Important: If you make customizations to your theme and do not want them to be lost during an update, you should definitely use a child theme. This is because all theme files, including your individual customizations, will be overwritten when you update your WordPress theme.
WordPress plugins
WordPress has grown enormously in recent years and usually comes with almost everything you need already integrated. However, it can happen that you need to extend a desired function with a plugin.
As with WordPress themes, the same applies to plugins: only install what you really need and can't solve otherwise, because every plugin opens a door for potential attackers. In addition, of course, every plugin ends up being code that makes the website a little bit slower.
What many people also fail to consider: in addition to the two points mentioned above, "security" and "performance", which speak against too many plugins, another argument has been added in recent years. Many popular plugins, such as contact forms, are relevant to data protection and must be included in the privacy policy. When using such plugins, I definitely recommend intensive research or even contacting a lawyer.
Installation of plugins
Unfortunately, plugins are often installed very quickly and then forgotten. I would therefore like to briefly explain when it is advisable to install plugins and what you should bear in mind when doing so:
You should only install plugins if ...
- ... you can't do without the function.
- ... the function cannot be implemented "in-house" via the WordPress system or your hoster.
- ... you are aware of the consequences in terms of data protection.
- ... you are prepared to take care of regular updates.
If these points apply to your use case, you can install new plugins via your WordPress dashboard in the Plugins → Add section.
After opening this page, you will see an overview of all available plugins. You can use the sort function at the top to find popular, new or recommended plugins from the official WordPress plugin directory, for example. If you're unsure whether a plugin is secure, there are four factors you can use as a guide. I'll show you what these are using the contact form example above.
Example contact form
To do this, enter "Contact form" in the search. You will now land on the page with the results, which has found over 5,000 suitable plugins. Let's take a closer look at Contact Form 7 - one of the best-known WordPress plugins for contact forms.
There are four factors that will help you decide whether or not to install the plugin:
- The stars are the ratings of other users. Similar to online stores or the app store of your smartphone operating system, you can see here how others have rated the plugin.
- The number of installations tells you how often the plugin has already been installed. Several million is a very good sign of widespread use.
- Last Updated shows you when the last update for the plugin was provided. The shorter the better, but I would see anything up to half a year as unproblematic if all other points here are positive. For example, many installations and good ratings.
- You can see whether the plugin is compatible with your WordPress version in the last point. If you do not know exactly what you are doing, I strongly recommend that you do not install a plugin that is not compatible here, or ask the plugin publisher.
From these four factors, you can see whether an installation makes sense and is recommended. Nevertheless, I would not only deactivate all unnecessary plugins, but also delete them. If you have the opportunity, it is best to test new plugins in a staging environment before activating them on your live website.
Updates for plugins
As with the themes above, I recommend that you update available plugins promptly. The probability of a serious error is also very low here. If it does happen, the plugin can usually simply be removed from the plugin folder and your website will work again. Nevertheless, you should make a backup of your website before every update to be on the safe side!
For some time now, WordPress has even offered the option of installing updates automatically for many plugins. Or your host offers managed WordPress hosting and takes care of all updates and backups for you.
Automated updates are usually unproblematic for plugins that are widely used and have good ratings. Plugins that you are unsure about can be updated manually. Although the probability is low, there are cases where errors occur during the plugin update. With a manual update you will notice this immediately; with automatic updates you may only notice it later.
In addition to saving time, however, automated updates offer the major advantage that your plugins always run the latest version in the event of known security vulnerabilities, meaning that vulnerabilities never remain open for long. If you update your plugins manually and wait to update them, your website is exposed to the risk of an attack for longer than with automatic plugin updates.
WordPress Core Updates
This brings us to the most important part. While theme and plugin updates may only affect you to a limited extent because you may not have installed any or only a few of them, the updates for the actual WordPress system - the so-called "core updates" - are relevant for all users.
When it comes to WordPress updates, there is an important distinction between minor updates (three-digit, e.g. WordPress 5.7.1) and major updates (two-digit, e.g. WordPress 5.8). Minor updates can usually be carried out without any problems, as they only fix minor bugs or make small adjustments to existing features. Major updates, on the other hand, bring major adjustments and new functions to the WordPress core.
It may surprise you, but especially with major WordPress updates, I recommend that you wait at least 10 days before updating. The reason is that major updates are more likely to cause conflicts with plugins or themes that cause massive errors. One example of such compatibility problems caused by an update was the jump to WordPress 5.0, as this version introduced the new Gutenberg editor, for which many plugins and themes were not yet prepared at the time. In the meantime, however, plugin and theme manufacturers have caught up and compatibility with the block editor is now standard.
My tip: Observe the WordPress community after the release of a major update or ask your host for an assessment. This way, you'll quickly find out whether a WordPress update is causing errors. You should only update your system if you don't see any indications of faulty WordPress updates after 10 to 14 days. As always, the same important advice applies here: first make a backup, then update!
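The core-update rule from this section, written out as an added example (not code from the original article): minor releases are applied right away, major releases are held for at least 10 days. It goes slightly beyond the text by comparing the X.Y branch of the installed and offered versions instead of counting digits, so a jump from 5.7.2 to 5.8.1 is still treated as major. The function names and sample dates are constructed, and the caller is assumed to supply the release date of the offered branch.

```python
from datetime import date

MAJOR_HOLD_DAYS = 10  # the article's minimum wait before a major core update


def parse_version(text):
    """'5.8' -> (5, 8, 0); '5.7.1' -> (5, 7, 1)."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unexpected WordPress version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def classify(installed, offered):
    """Return 'none', 'minor' or 'major' for an offered core update."""
    cur, new = parse_version(installed), parse_version(offered)
    if new <= cur:
        return "none"
    # Same X.Y branch means a maintenance release; a new branch is a major one.
    return "minor" if new[:2] == cur[:2] else "major"


def decide(installed, offered, branch_released, today):
    """Return (action, reason); branch_released is the date X.Y first shipped."""
    kind = classify(installed, offered)
    if kind == "none":
        return ("skip", "already up to date")
    if kind == "minor":
        return ("update", "minor release: back up, then update now")
    age = (today - branch_released).days
    if age < MAJOR_HOLD_DAYS:
        left = MAJOR_HOLD_DAYS - age
        return ("wait", f"major release is {age} days old, hold {left} more")
    return ("update", "major release past the hold: back up, then update")


if __name__ == "__main__":
    # Constructed sample data: (installed, offered, branch release, today).
    samples = [
        ("5.7.1", "5.7.2", date(2021, 5, 12), date(2021, 5, 12)),
        ("5.7.2", "5.8", date(2021, 7, 20), date(2021, 7, 24)),
        ("5.7.2", "5.8.1", date(2021, 7, 20), date(2021, 9, 9)),
    ]
    for installed, offered, released, today in samples:
        print(installed, "->", offered, decide(installed, offered, released, today))
```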
Conclusion
Despite all the precautionary measures and mitigation of risks, it can of course happen that something goes wrong. It's also understandable if you don't have the time or inclination to take care of these issues yourself. In this case, there are specialized managed WordPress hosters like Raidboxes that can help you manage your websites. For example, risks can be mitigated through automated backups, managed updates and the elimination of plugins.
An update strategy is highly recommended at the latest from the point at which your website goes beyond a hobby and must always function. Premium hosting with managed backups and host-side updates cushions the risks and allows you to remain completely relaxed. This allows you to focus exclusively on the most important part of your website: your content.