For many users, new WordPress updates come as a bit of surprise. After all, how many people really keep an eye on the release schedule? Like now, with the current release of WordPress 5.8. Plugins and themes updates also tend to cause uncertainty. Johannes Mairhofer reveals how to keep your WordPress system up to date and which update strategy has proven successful.
WordPress is the most widely used content management system (CMS) worldwide. According to w3techs, WordPress is now used by 41 percent of all websites - and that share is rising. By 2025, it's quite possible that half of all websites will be based on WordPress. Its ubiquity has also made WordPress an attractive target for potential attackers. But your WordPress site is very unlikely to get attacked by a human. Attacks usually happen through automated bot networks that search the entire internet for known vulnerabilities and security holes and exploit them.
To secure yourself and your WordPress, you can find plenty of tools and tips here in the magazine. At the same time, it's also incredibly important to keep your entire system up to date and perform regular updates. And that's what I'll show you now.
Updates in the WordPress dashboard
You can see whether you have pending updates in your WordPress Admin Dashboard. When you log in and updates are available, you'll see a double arrow turned into a circle at the top of the status bar. If you click on this icon, an overview of the pending updates will be displayed and you can easily run them - either all at once or individually.
In my preferred update strategy, I distinguish between the plugin and theme updates and the updates from WordPress itself. I'll explain why in the next section.
When it comes to themes, less is usually more.
In addition to the active theme on your WordPress, you should ideally only have one other current standard theme installed as a fallback. This way the system can automatically switch to the standard theme if your current theme causes errors.
In my example installation, you can see I've activated and am using the theme "Neve". Additionally, I've only installed the current default theme from WordPress "Twenty Twenty-One". If errors occur with my actual theme "Neve", WordPress can automatically switch to "Twenty Twenty-One".
When it comes to updating WordPress themes, I recommend downloading any pending updates directly. The risk of an update leading to serious damage is very low and can be cushioned in any event by the standard fallback theme. Nevertheless, you should still always make a backup of your website before every update - just in case you do encounter any problems.
Important: If you customize your theme and don't want your changes to be lost during an update, you should definitely use a child theme. When you update your WordPress themes, all file themes, including your customizations, will be overwritten.
WordPress has grown tremendously in the last few years and usually comes with almost everything you need built in already. But there are times where you'll want to extend a certain function with a plugin.
What I said above about WordPress themes also applies to plugins: only install what you really need to and only when you have no other way of solving your issue. Because every plugin opens a door for potential attackers. And ultimately, every plugin is code and makes your site that little bit slower.
Unfortunately, plugins are often installed on a whim and then promptly forgotten about. That's why I'd like to briefly discuss when it's a good idea to install plugins and what you need to watch out for:
You should only install plugins if:
- ... you can't do without the function.
- ... you can't implement the function "in-house" via the WordPress system of your host.
- ... you're fully aware of the consequences in terms of data protection.
- ... you're prepared to carry out regular updates.
If these points apply to your use case, you can install new plugins via your WordPress dashboard in the section Plugins → Add plugins.
Now you'll see an overview of all available plugins. Using the sorting function at the top, you can find, for example, popular, new or recommended plugins from the official WordPress Plugin directory. If you're not sure whether a plugin is safe, there are four factors you can use to guide your decision. I'll show you what they are using the contact form example above.
Example contact form
First of all, enter "Contact form" in the search field. The results page will now show you there are over 5,000 plugins that match your search request. Let's take a look at Contact Form 7 - one of the best-known WordPress plugins for contact forms.
Four factors to help you decide whether or not to install a plugin:
- The stars are the ratings from other users. Similar to online shops or the app store of your smartphone operating system, you can see here how others have rated the plugin.
- The number of installations tells you how often the plugin has already been installed. Several million is a very good sign of widespread use.
- Last Updated shows you when the last update for the plugin was published. The shorter the better, but anything up to half a year I'd consider good if all the other points are positive, e.g. a high number of installs and good reviews.
- You can see whether the plugin is compatible with your WordPress version in the last point. If you don't know exactly what you're doing, I strongly advise against installing a plugin that's not compatible with your WordPress version. At the very least, you should ask the plugin publisher.
These four factors help you judge if you need the plugin and whether it's a good idea to install it. At the same time, I recommend not only deactivating any unnecessary plugins but also deleting them entirely. If you have the option available, it's always best to test any plugins in a staging environment first before you activate them on your live website.
WordPress plugins: Spoilt for choice
For a detailed explanation of how you can evaluate the quality of WordPress plugins, I recommend the article "13 Tips for Making the Right Plugin Choices" by Torsten Landsiedel.
As with themes, I recommend you run available plugins updates pretty swiftly after release. Again, the likelihood of a serious error is very low. If errors do occur, you can usually just remove the plugin from the plugin folder and your site will be up and running again. However, don't forget to always make a backup of your website before updating!
For some time now, WordPress has even offered the option of automatically installing updates for many plugins. Alternatively, your host may offer managed WordPress hosting and take care of all updates and backups for you.
For plugins with high download numbers and good ratings, automated updates usually don't cause any issues. For plugins you're not certain about, you can do the updates by yourself manually. Although the probability is low, there are cases where errors can occur during plugin updates. With a manual update, you'll notice the issue immediately whereas it may only become apparent later on with an automatic update.
In addition to saving you time, automated updates have a great advantage in that your plugins will always run on the latest version and so any occurring security holes and vulnerabilities won't remain open for long. If you update your plugins manually and wait with the update, your website is exposed to the risk of an attack for longer than with automatic plugin updates.
WordPress core updates
This brings us to the most important part. While theme and plugin updates may only affect you to a limited extent because you only have a few (or none) installed, the updates for the actual WordPress system - the so-called "core updates" - are relevant for all users.
With WordPress updates, an important distinction is made between minor updates (three digits, e.g. WordPress 5.7.1) and major updates (two digits, e.g. WordPress 5.8). Minor updates can usually be implemented without problems as they only fix minor bugs or make small adjustments to existing features. Major updates, on the other hand, bring larger adjustments and new functions to the WordPress core.
It may surprise you but especially with major WordPress updates, I recommend you wait at least 10 days before updating. The reason is that major updates are more likely to have conflicts with plugins or themes that cause massive bugs. An example of such compatibility issues caused by an update was the jump to WordPress 5.0. This WordPress version introduced the new Gutenberg editor and many plugins and themes were not prepared for it at the time. Plugin and theme creators have caught up by now and compatibility with the block editor is standard.
My tip: When a major update is released, monitor the WordPress community or ask your host for their assessment. This way you'll find out quite quickly if a WordPress update causes errors. If you don't read any hints about faulty WordPress updates after 10 to 14 days, you can go ahead and update your system. As always, remember to make a backup first and then update!
Despite all precautions and mitigation of risks, something can still always go wrong. It's also understandable if you don't have the time or inclination to deal with these issues yourself. In that case, there are specialized managed WordPress hosts like RAIDBOXES to help you manage your websites. They can help mitigate risks with automated backups, managed updates and by reducing the number of plugins you need with their features.
It's advisable to have an update strategy, at the very latest, from when your website goes beyond being just a hobby and needs to be available at all times. Premium hosting with managed backups and updates on your host's side cushion dangers and provides reassurance. This enables you to focus on the most important part of your website: your content.