Why You Should Have the Latest Version of WordPress

When I first started working with WordPress five years ago, there was a lot of resistance to the CMS from clients. The main pushback I got was around security: They had heard rumours that WordPress wasn’t inherently secure and were worried about using it for their business site.

By that time, WordPress was fast becoming the world’s most popular CMS and taking security very seriously. I was able to reassure my clients that what they’d heard was a hangover from WordPress’ days as a blogging platform, that it was now being used to power sites for organisations like government and media, for which security was a serious concern, and that it was a very secure and stable platform on which to put their small business site.

The WordPress Codex has been blamed for misleading developers into using the add_query_arg() and remove_query_arg() functions in an insecure way.

But in recent weeks and months there has been a spate of security issues for WordPress plugins – most notably the cross-site scripting (XSS) vulnerability that has affected dozens of plugins, if not more, including big ones like Jetpack, Gravity Forms and Easy Digital Downloads – and some people have started to worry again.
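As an added example (not code from this post or from any of the plugins named), this is the usage pattern behind that XSS issue beside its hardened form. It assumes it runs inside a plugin or theme with WordPress loaded; the function names and the 'sort' and 'paged' parameters are hypothetical.

```php
<?php
// Added illustration for a plugin or theme file; assumes WordPress is loaded,
// so add_query_arg(), remove_query_arg(), esc_url() and esc_url_raw() exist.
// Function names and the 'sort'/'paged' parameters are hypothetical.

// Insecure pattern: with no URL argument, add_query_arg() builds on the
// current request URI, which the visitor controls, and returns it unescaped.
function example_sort_link_insecure() {
    $url = add_query_arg( 'sort', 'date' );
    return '<a href="' . $url . '">Sort by date</a>';
}

// Hardened: escape the result at the point of output.
function example_sort_link() {
    $url = add_query_arg( 'sort', 'date' );
    return '<a href="' . esc_url( $url ) . '">Sort by date</a>';
}

// The same applies to remove_query_arg(); for redirects and stored values,
// use esc_url_raw() instead of esc_url().
function example_first_page_redirect() {
    wp_safe_redirect( esc_url_raw( remove_query_arg( 'paged' ) ) );
    exit;
}
```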

I’m not a security expert, so if you’re looking for advice on that I recommend reading our ultimate guide to WordPress security, but what I can say is that one of the most important aspects of keeping your WordPress site secure, as well as ensuring that it’s running as smoothly and efficiently as possible, is to keep everything up to date.

So in this post I’m going to examine three things:

  • Why it’s crucial that you keep your site up-to-date.
  • What you need to keep up to date.
  • How to do it without it taking over your life.

Let’s start with the why: In case you weren’t already convinced, why should you keep your site up to date?

Why You Should Keep Your Site Updated

There are five main reasons for keeping every aspect of your WordPress site up to date, which are:

  • Security
  • Performance
  • Bug fixes
  • Compatibility
  • Features

Each of these is important for different reasons, but it can be argued that security is the most important of all.

Keeping Your Site Updated Will Enhance Security

One of the reasons that WordPress is increasingly becoming the target of security attacks is that it’s so big. A CMS that powers up to a quarter of the internet will doubtless attract the attention of anyone wanting to insert malicious code, take sites down or steal data. But the very size of WordPress, and of its community of users and developers, is also an asset here.

Post Status recently reported on the quick action the WordPress community took in patching the XSS vulnerability.

Security vulnerabilities are spotted and dealt with quickly. This applies to WordPress core as well as to the biggest and most popular plugins. The fact that WordPress is open source means that anyone finding a problem can identify the cause of that problem and alert the right people straightaway, whether that be via the WordPress site or by alerting a plugin developer.

With smaller and lesser-used plugins, and those that aren’t well supported, this is less the case. But the fact that all plugins are open source means that even if the plugin developer doesn’t fix the problem, someone else can.

All of this means that when a security vulnerability comes to light in WordPress core or in a major plugin, it can be quickly fixed, and an update released straightaway.

None of this will benefit you unless you keep your version of WordPress and your plugins and themes up to date. I’ll come to how you do this later in this post, and recommend some plugins that can help. But if you don’t install the updates, you’re vulnerable to security problems, and you’re the only one to blame.

An Updated Site Will Perform Better

Updates aren’t just for security. Often they’ll improve the performance of WordPress itself, or of a plugin or theme.

For example, WordPress 4.1 included improvements to complex queries to improve the performance of sites using these, and WordPress 3.9 included improvements to the performance of TinyMCE. Plugins also get updates to improve performance, perhaps to speed up scripts or queries or run more efficiently.

So keeping your WordPress version and your plugins up to date will help your site perform at its best.

Updating Can Eliminate Bugs

Aside from security patches, a reason for minor WordPress releases (the ones with an X.X.X version number, rather than X.X, which is a major release) is to fix bugs.

WordPress 3.8.3 resolved an issue with Quick Draft.

Major releases tend to be very stable and bug-free thanks to the meticulous development cycle and the legions of people helping with testing, but sometimes a bug will slip through the net, and a minor release will come out to fix it. For example, release 3.8.3 fixed a bug with the “Quick Draft” tool, which was broken.

Plugins and themes are the same: Make sure you install updates in case they fix bugs that could be affecting your site.

Updates Can Enhance Compatibility (Or Sometimes Not!)

After a major WordPress release, a lot of plugins will get an update to ensure compatibility with the new version, or to make use of new features. Sometimes a plugin won’t need to be updated as it remains compatible, but the developer should check that it’s compatible and update its compatibility information which you see in the plugin repository.

Occasionally you might find that an update to WordPress or to a plugin results in compatibility problems with another plugin, which is why it’s important to back up your site before updating.

WPMU DEV plugins are updated regularly and are compatible with each other.

The best way around this is to get as many of your plugins as possible from the same source, and to get all of them from reputable developers who keep their plugins up-to-date. As a WPMU DEV member, I use the company’s plugins as much as possible as I can be confident that they’ll be compatible with each other. Where I need functionality not provided by WPMU DEV, I make sure I only get plugins that are consistently kept up-to-date.

Updates Can Introduce New Features

Keeping your site up to date also gives you access to new features. For example, recent releases of WordPress have included big improvements to the UX of the admin screens as well as accessibility improvements. Plugins can do this too, which means that keeping things up to date gives you access to the latest goodies.

What You Need to Keep Updated

Keeping your site up to date isn’t just about updating WordPress itself. There are three aspects of keeping your WordPress installation up to date:

  • WordPress itself
  • Plugins
  • Themes

You can keep all of these up to date from one place: the updates screen, which you access via Dashboard > Updates:

WordPress Updates Screen - everything up to date

For minor releases, both WordPress itself and some plugins will update automatically, but you should still keep an eye on things to ensure everything’s up to date. In the next section I’ll look at how you can make that easier.

Keeping Your Site Updated

There are three main ways to keep your site up to date:

  • Doing it all manually
  • Via automatic updates
  • Using a plugin

If you’re running a small site with only a few plugins and one theme, it’s realistic to do it manually. I’ll start with an outline of how you do that.

Updating Manually

You can manage manual updates from the Updates screen. Below is the Updates screen for a site with one plugin and a few themes that need updating:

WordPress Updates screen

To update themes or plugins, simply select the checkboxes and click the “Update Themes” or “Update Plugins” button. If you’ve got a lot of plugins to update, or you’re updating WordPress, it’s good practice to make a backup first. Even better, use a local or staging copy of your site to test that everything works after the update before making the update on your live site.

And here’s the same screen with everything up to date:

WordPress Updates Screen - everything up to date

You’ll notice in the screenshot that the Updates screen is also telling me that my WPMU DEV plugins and themes are up to date: if you’re a WPMU DEV subscriber, you can update your plugins and themes from this screen or from the WPMU DEV screen, accessible via the admin menu.

Automatic Updates

Since WordPress 3.7, minor releases have automatically updated by default. This means that bug fixes and security patches are pushed to every WordPress site running the previous major or minor release, increasing the overall performance, reliability and security of WordPress.

In addition, plugin and theme developers can opt in to automatic plugin updates, meaning that security patches and bug fixes for those plugins and themes will also be pushed out automatically. This happened recently in the case of WordPress SEO, which released a security update following the discovery of a vulnerability in March this year. This was automatically updated on all sites with the plugin installed.

Some people prefer not to have automatic updates activated, for example if they have concerns over a plugin being updated and causing compatibility problems with other plugins, or they want complete control over their WordPress installation.

You can specify whether automatic updates are enabled, disabled or only apply to minor releases by adding a line of code to your wp-config.php file.

For example, to switch off automatic updates of WordPress core, you’d add this to wp-config.php:

And if you wanted to switch off all automatic updates, including themes and plugins, you’d use this:
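As an added example (not the post's own snippets), these are the wp-config.php constants WordPress provides for the cases described above. The two disabling lines are left commented out and the active line matches the default behaviour the post describes; uncomment the one you need and keep only one WP_AUTO_UPDATE_CORE line active.

```php
// wp-config.php (fragment): add inside the existing file, above the
// "That's all, stop editing!" line.

// Core: apply minor (bug-fix and security) releases only.
// This matches the default behaviour since WordPress 3.7.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// Core: switch off automatic updates of WordPress core entirely.
// Security point releases will then wait until you install them by hand.
// define( 'WP_AUTO_UPDATE_CORE', false );

// Core: apply every release automatically, major releases included.
// define( 'WP_AUTO_UPDATE_CORE', true );

// Everything: switch off all automatic updates, including themes and plugins.
// This also stops plugin security fixes that developers push automatically.
// define( 'AUTOMATIC_UPDATER_DISABLED', true );
```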

However, if you want to ensure that your site is kept secure and up to date, I would advise against changing the defaults for automatic updates. There’s more information on this in the Codex.

Getting Notified of Updates and/or Vulnerabilities

The biggest barrier to keeping your site up to date for a lot of users is the work involved in checking your site and completing the updates. Automatic updates go some way towards doing this, meaning that you don’t have to manually perform all of the updates yourself. WordPress will also notify you when an automatic update to core has taken place (but not when a plugin is updated).

But what if you want more control? The good news is that there are plugins that can help you with this as well as those that will manage automatic updates for you. Let’s take a look at some of them.

Plugins to Help With Updating

The following plugins will help you keep your site up to date, either by notifying you when you need to do something or by doing it for you.

  • Updater

    The Updater plugin lets you change your WordPress settings so that all plugins and themes, as well as WordPress itself, update automatically. This is quite a risky thing to do in my opinion (and can be done via wp-config.php anyway) so I would advise using its other option, which is to send you an email every time a plugin, theme, or WordPress gets an update.

    Once you’ve done this, you’ll get an email every time there’s an update and you can log into your site to install the update after making a backup.

  • Automatic Plugin Updates

    This plugin has more configuration options. You can specify which of your installed plugins you want to update automatically via the plugin’s settings screen. This means that you can select those plugins that you’re happy auto-updating, but leave out those which you’re less sure about. Just set up notifications as well and manually update the plugins that aren’t auto-updated after making a backup.

    The plugin doesn’t notify you of updates, but the flexibility makes it one worth using.

  • Plugin Vulnerabilities

    This plugin does a slightly different job: instead of notifying you when there’s an update available, it checks your plugins and lets you know if one of them has a vulnerability.

    You can then log in to your site and update the plugin if an update is available, or notify the plugin developer asking them to fix the problem.

These plugins will all help you manage the process of keeping your site up to date and could save you having to remember to check regularly, as well as minimising the risk of you not updating soon enough after a security patch.

It’s also important that you keep your site backed up regularly, especially if you set your plugins to automatically update. For advice on backing up, see this post on the top backup plugins for WordPress.

Summary

Keeping your installation up to date is an important part of managing any WordPress site. It will ensure that your site performs as efficiently as possible and, more importantly, it will keep you on top of bug fixes and security patches. It’s one of the most effective methods for enhancing security, especially when teamed with the use of strong passwords.

In this post you’ve learned why it’s important and what you need to keep updated. You’ve also seen some plugins that can help you with the process, saving you having to do everything manually and helping you keep everything up-to-date.

8 Responses

    oliverfr

    Hello.

    Mere feedback about your page, the background with the 2 cars. Even though they were only 118 kb large, the image took 5 seconds to load after your page’s text was shown, previously it was all black instead. Only my sluggish reflexes prevented me from calling it quits and closing the tab.

    Now, something else.
    You mention that themes must be updated.
    Right.
    But there’s an issue that is vastly overlooked: as soon as you create a child theme, you’re partly or entirely giving up on benefitting from the updates brought to a theme.
    Why? Because you’re telling WordPress: “look here, for that precise php file, you’re going to use MY version, stored separately, and not anymore the official theme’s php file”.
    Which means that, unless you maniacally follow every update brought to themes, you’re falling behind. To make it worse, even for the more popular themes, there is no easy documentation on what precise changes are brought. It’s all about downloading a zip copy of the new theme and running a binary comparison utility, if you ever have the time and courage to do it.
    I mentioned the problem in a WordPress forum post here https://wordpress.org/support/topic/child-themes-change-just-a-part-without-giving-up-on-theme-updates?replies=2 – but, sadly, that didn’t receive any constructive result, the problem seems to be here to stay.
    TL;DR: don’t use child themes, or if you really must, then go against immediate logic and choose a theme that is only very rarely updated.

      Ian

      I totally agree, Oliverfr, and have wondered this myself for some time.
      Whether to double check a parent theme after upgrading and compare the changes to the child theme files or not bother?
      Like using the Twenty Ten, it has had several upgrades, but the handful of child theme files used are likely to be several patches behind.
      Should this be a concern? Do you need to compare parent and child themes for differences after every parent theme upgrade?
      Such a pain once created a custom theme based on a parent one :(

    mickie_n7

    If you manage a lot of WordPress websites then I cannot recommend https://wpremote.com/ highly enough. Add all your WordPress sites here and manage updates all from a single dashboard.
    An added benefit is you can use this as a way to jump to your WordPress site front ends or backends with the handy admin links for each website.

    Greg

    The “update update update” mantra is a bit simplistic.

    Only hobbyist bloggers, for the most part, can afford to blindly update to the latest point release of everything. A website of any complexity needs to be updated and tested in a development environment before changing the production site. That’s *if* you can get the client to see the need for it.

    Not saying that you *shouldn’t* update, of course, just adding that “it’s not that simple.”

    oliverfr

    Huhu. Latest WordPress 4.2 is leaving lots of webmasters infuriated that their “title=…” fields cannot be completed anymore with the visual editor. Why? Because WordPress feels the title field is useless now that there are many mobile users who can’t hover above a link. I regret the move (mobile users are most of the time only a minority), but at worst there’s a temporary plugin to restore the functionality.
    Still, that’s a bad case to show that sometimes updates bring unwanted changes :D

    Nikolas

    As far as it concerns the auto-update of core, plugins & themes it’s something that I don’t do. I want to have control over the updates (just in case something breaks).

    This is why I wrote a simple plugin “k-OutDated Checker (k-OC)” https://wordpress.org/plugins/k-outdated-plugin-checker-k-opc/ which “Scans automatically, twice a day, all of your installed plugins against the WordPress Plugin Directory for outdated plugins and email an alert for update.”

    Any feedback would be much appreciated!

    Connie

    I am 70 years old, but have been blogging since 2007. I know nothing about computers (other than how to turn them on and off) and every “update” has screwed up my blog. This latest one (and I am writing this on June 21, 2015) has made it impossible to insert pictures into the text and/or do anything at all with pictures—which research has shown are far more what readers of a blog want (i.e., pictures to accompany text). I went to a Bette Midler concert in Chicago on June 18 and took many great pictures. I can’t insert ANY of them into the blog. At first, I kept getting something that indicated I couldn’t post anything AT ALL, so I had to have my web girl (a computer science college graduate) get me back online at all. She has done so, but neither one of us can get any pictures to insert into the text and she says most of the changes are “dumb.” I don’t honestly give much of a rat’s ass about “security.” I’m a hobbyist blogger and whatever you are doing to make the site ‘secure’ is screwing up the ability to add visual interest. The little “insert media” thing on the left does nothing and the “Insert Feature Media Picture” thing was the only thing that the computer science grad could get to work, so none of the 20 or so pictures I hoped to insert is up at WeeklyWilson.com. I just want this to work and when the computer science graduates start in about flash drive updating and anything the least bit technical, I’m looking at paid help. I wrote, for years, without any problems. All I can see that has been created is a much more difficult to use site (maybe it’s more secure, but that’s not MY main concern at all) which is driving me nuts.