There are three main parts to WordPress that you need to keep updated: WordPress core (the main WordPress program), your plugins, and your theme. Keeping all of these up-to-date is very important.
- Updates help keep your site from being hacked. Outdated code is the single most common way for sites to get hacked, and updates often fix security vulnerabilities.
- Updates help keep everything working well together. Good plugin authors will fix issues as they’re discovered, and will keep their plugins compatible with the latest version of WordPress. That helps keep your site running smoothly.
- Skipping updates can introduce new problems by waiting too long to update and then making huge changes all at once.
Today I’m going to walk you through an easy way to update your plugins as safely as possible, though the same technique can be used for updating themes (there are some other caveats with themes that I’ll address in a future post). As for updating core, I recommend updating all of your plugins first, making sure everything works, and then proceeding with the core update.
In an ideal world, you’d have a staging site set up that is an exact copy of your “live” site — so you can run updates there, test to be sure everything works fine, and then copy over the changes to the live site. In reality, most of us don’t have that set up. That’s okay: As long as you follow the steps below, even if something goes wrong you’ll be able to recover. (This method actually works well for staging sites, too.)
Wait a couple of days before updating…
New software always has the potential for new bugs, so we prefer to let the enthusiastic early adopters find those bugs before our clients do. That also gives the plugin author some time to fix the bugs and release a followup update to correct them.
…Unless it’s a security update.
In that case, you should ignore the advice above, and proceed to updating immediately. How can you tell? Look at the changelog for a plugin, and see if it lists something like “Fixed security vulnerability.”
It’s always a good idea to review the changelog before updating so you have an idea of what changes to expect on your site. To see the changelog, click the “View version details” in the list of plugins.
The excellent WPScan Vulnerability Database also keeps tracks of security issues. (We subscribe to their realtime updates, so we can take immediate action when a vulnerability is announced publicly.)
Then, make a backup.
I cannot stress this enough: MAKE A BACKUP!
If you’re using the UpdraftPlus plugin — which is one of the three backup services we set up for our clients — it has a handy popup window that gives you the option to backup just before you run an update.
Update just one plugin at a time.
After you’ve got a backup, update just one plugin.
In your dashboard, go to, and find the update notice for any plugins. Click on “update now.” Let the update complete, and then check the plugin’s functionality to be sure it’s all good. Then update the next plugin, check it, and repeat for the rest of the updates.
Otherwise, if you update a whole bunch of plugins at once, and something goes wrong, it will be much more difficult to find the root of the issue. I know it’s a little more tedious to have to wait for each plugin to update and then test it, but it’s a lot less stressful than having your site go down and having to spend hours trying to figure out where things went wrong.
If something goes wrong…
Even if you follow the above steps, updates still encounter issues every once in awhile. Here are some troubleshooting steps you can take if an update doesn’t work.
If you don’t want to deal with any of this stuff…
…let us take care of updates for you! Our “Inner Peace” and Zen Master WordPress support plans include, among many other services, regular updates — and if updates glitch or break anything, we’ll fix it. In fact, we usually have things patched up before anyone (including you) knows anything even went wrong. Learn more about our WordPress support plans here.