Keeping Your WordPress Site Updated

WordCamp Ann Arbor 2015

Mark Montague mark@catseye.org
View this presentation at http://umich.edu/~markmont/wp-updating/
Download the presentation files: http://umich.edu/~markmont/wp-updating.zip

Versions of WordPress in use

From October 20, 2015 wordpress.org statistics.

That's horrible

More than 59% running out-of-date versions of WordPress.

Doesn't count sites running 4.3.0 versus 4.3.1.

This is just the WordPress core.

  • Doesn't count sites with outdated plugins.
  • Doesn't count sites with outdated themes.

A typical site

Screenshot of WordPress 4.2.2 site that can be updated to 4.3.1 with 19 plugin and 24 total updates pending

9 updates with security fixes

Why updating matters

If your site is broken into by an attacker via a known security problem...

  • Cost and time to kick the attacker out and remove their content.
  • Risk of breaking the site by doing a large number of updates all at once to keep the attacker from getting back in.
  • Site rank lowered by search engines for compromised sites: fewer leads.
  • Business disruption.

Don't get trapped in the update pit

The update pit

The more updates that are outstanding for a site, the more daunting it will be to actually do the updates.

Many / big updates:

  • Bigger risk of something breaking.
  • Which update broke the site?

Many people find it easier to stay at the bottom of the pit rather than getting dirty trying to climb out.

The update pit

In the long run — ignoring luck — it is quicker, easier, and less risky to do frequent small updates rather than infrequent larger ones.

  • 1 small update each week
  • 12 updates every three months

Fewer plugins, less risk

To help minimize the risk of updates, reduce the number of activated plugins.

Fewer plugins:

  • Fewer things to break
  • Less frequent updates

Keep only the plugins that are important — try for 15 or fewer, if possible.

Ironically, although a plugin that hasn't been updated in a long time means less work, it may also be at higher risk of breaking — consider replacing it with a plugin that is actively being maintained.

Test your site

After each update, test your site's functionality.

Does everything still work? If not, back out the most recent update.

Example test plan

  • Main page
  • Custom search
  • Social media notifications for new posts
  • Custom post types
  • Newsletter signup
  • Contact form
  • Custom short codes
  • Enterprise authentication
  • Embedded videos
  • Markdown
  • Special WYSIWYG features

Test your site

Test the updates on your test site before doing them on your live site.

If you don't have a test site, set one up:

"I hope I'm not interrupting anything important."

Backups

Make regular backups of both your live and test sites, using BackupBuddy or a similar plugin.

Ensure that you back up both your WordPress sites' files and their databases.

Periodically test your backups to be sure they are usable. If an update causes problems, you may need to use a backup to downgrade your plugin, theme, or entire site.

If an update breaks something

If you can't fix the problem yourself, report it.

Get your site working again:

  • Restore from backup, or
  • Rename the directory for the plugin or theme, download the older version (under the "Developer" tab on the plugin's wordpress.org web page), and unzip the older version by hand.

If the update was several releases ahead of the older version, try the versions in between to help narrow down exactly when the problem was introduced.

Updating WordPress core

WordPress 3.7 and later versions will automatically do minor updates to themselves (but not to plugins or themes) if:

  • Your site is able to do one-click updates via the admin dashboard without entering a username and password.
  • You have not disabled automatic updates by putting either of the following in your wp-config.php file:

    define( 'AUTOMATIC_UPDATER_DISABLED', true );

    define( 'WP_AUTO_UPDATE_CORE', false );

Updating WordPress core

"Minor" updates are those where WordPress goes from version X.Y.Z to X.Y.(Z+1), for example from 4.3 to 4.3.1.

If you want WordPress to do major updates automatically — for example, from 4.2.5 to 4.3 — add the following to wp-config.php:

    define( 'WP_AUTO_UPDATE_CORE', true );
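To check which of these settings a site has actually ended up with, the following added example (not from the original slides) reads a wp-config.php and reports the core auto-update policy implied by the two constants above. The function names `wp_const` and `core_autoupdate_policy` are hypothetical, the sample config is constructed, and only bare `true`/`false` values on uncommented `define()` lines are recognised.

```sh
#!/bin/sh
# Added example: report the core auto-update policy a wp-config.php selects.

# Print the raw value passed to define() for constant $2 in file $1, lowercased.
# Lines commented out with // or # are skipped because "define" must be the
# first token on the line. /* ... */ comment blocks are not handled.
wp_const() {
    sed -n -E "s/^[[:space:]]*define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*([^)]*[^)[:space:]])[[:space:]]*\).*/\1/p" "$1" |
        tail -n 1 | tr 'A-Z' 'a-z'
}

# Print one of: off, minor, major.
core_autoupdate_policy() {
    if [ "$(wp_const "$1" AUTOMATIC_UPDATER_DISABLED)" = "true" ]; then
        echo off
        return 0
    fi
    case "$(wp_const "$1" WP_AUTO_UPDATE_CORE)" in
        false) echo off ;;
        true)  echo major ;;   # major and minor releases
        *)     echo minor ;;   # constant absent: the WordPress 3.7+ default
    esac
}

# Constructed sample: the "disable" line is commented out, so it has no effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?php
// define( 'AUTOMATIC_UPDATER_DISABLED', true );
define( 'WP_AUTO_UPDATE_CORE', true );
EOF
core_autoupdate_policy "$sample"
rm -f "$sample"
```

A result of `minor` or `major` only means the constants allow automatic updates; the site must still be able to do one-click updates without a username and password for them to run.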

Auto-update plugins

A number of plugins are available to let you manage WordPress' auto-update features from the admin dashboard, including features that are not configurable through wp-config.php.

  • Set automatic updates to off, minor, major.
  • Enable automatic updates for some or all plugins.
  • Enable automatic updates for some or all themes.

As examples, check out the Easy Updates Manager or Update Control plugins.

Documentation

For more detailed information on updating WordPress, the official WordPress documentation includes two sets of instructions:

  • The regular instructions cover normal update situations, including automatic updates, one-click updates, and manual updates via SFTP or shell access.
  • Extended instructions provide a much more detailed version of the manual update process that accounts for edge cases and special situations.

Updating themes

Updating themes can require some extra work, depending on your site's situation.

Case 1: no modifications

If you are not using a child theme and have not modified any of the files for the theme you are using, simply update the theme in the same way you would update a plugin (either via one-click update, or manually).

Updating themes

Case 2: customized, no child theme

If you modified your theme files without creating a child theme, your modifications will be lost when you update the theme unless you take special steps:

  1. Download a copy of the theme files (wp-content/themes/THEME-NAME) to your local computer, renaming it to have "-modified" at the end of the theme name.
  2. Download and unzip a copy of the old version of the theme on your local computer.
  3. Use a tool such as diff or WinMerge to compare the two copies and find out exactly what you modified.
  4. Update the theme on your WordPress site to the latest version.
  5. Create a child theme and activate it.
  6. Make the same modifications in your child theme that you originally made to the old version of the theme.
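Steps 1 to 3 above, worked through as an added example that is not part of the original slides: it lists which files were customized and writes a unified diff to re-apply in the child theme. The function names `theme_changes` and `theme_patch`, the file `my-changes.patch`, and the sample theme files are constructed for illustration.

```sh
#!/bin/sh
# Added example: find what was customized in a theme by comparing the
# "-modified" copy against a pristine unzip of the same old version.

# List files that differ between the modified copy ($1) and the pristine copy ($2).
theme_changes() {
    modified=$1 pristine=$2
    ( cd "$modified" && find . -type f ) | sort | while IFS= read -r f; do
        if [ ! -f "$pristine/$f" ]; then
            echo "added ${f#./}"
        elif ! cmp -s "$modified/$f" "$pristine/$f"; then
            echo "changed ${f#./}"
        fi
    done
    ( cd "$pristine" && find . -type f ) | sort | while IFS= read -r f; do
        [ -f "$modified/$f" ] || echo "removed ${f#./}"
    done
    return 0
}

# Write a unified diff (pristine -> modified) to file $3.
# diff exits 1 when it finds differences, which is the expected case here.
theme_patch() {
    diff -ruN "$2" "$1" > "$3" || [ $? -eq 1 ]
}

# Constructed sample: one edited file, one untouched file, one added file.
work=$(mktemp -d)
mkdir -p "$work/THEME-NAME/js" "$work/THEME-NAME-modified/js"
echo 'body { color: black; }' > "$work/THEME-NAME/style.css"
echo 'body { color: navy; }'  > "$work/THEME-NAME-modified/style.css"
echo '<?php // footer' > "$work/THEME-NAME/footer.php"
cp "$work/THEME-NAME/footer.php" "$work/THEME-NAME-modified/footer.php"
echo 'console.log("custom");' > "$work/THEME-NAME-modified/js/custom.js"
theme_changes "$work/THEME-NAME-modified" "$work/THEME-NAME"
theme_patch "$work/THEME-NAME-modified" "$work/THEME-NAME" "$work/my-changes.patch"
rm -rf "$work"
```

Any file in the listing that you do not recognise as your own edit should be examined before it is carried over into the child theme.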

Updating themes

Case 3: Customized child theme

Simply update the parent theme (via one-click or manually) and you won't lose any of your modifications.

However, child themes work by overriding entire files in a parent theme. If you copied a significant portion of the PHP and CSS files in a theme (for example, more than 10% by file size), you may want to re-create the child theme once per year in order to get changes, features, and fixes that the theme author made to these files over time.

A quick recap

  • Updating is less risky than not updating or delaying.
  • Avoid the Update Pit: frequent small updates are better than infrequent big ones.
  • Reduce the number of plugins, and replace plugins which have stopped being maintained.
  • Have a test site and update there first.
  • Have a test plan and use it on all sites.
  • Make a good backup before each individual update so you can undo the update if needed.
  • Use child themes for any theme modifications.

Want to talk? I'll be at the Happiness Bar, or
Mark Montague mark@catseye.org