Nearly every day an email hits my inbox from someone who hasn’t updated WordPress in years. Not months, years. By now, we all know that ignoring theme, plugin, and WordPress core updates creates severe security and compatibility issues and accrues technical debt. Not to mention that website owners miss out on great new features and capabilities of their software when updates are ignored.
When an email like the one described above comes through, this is typically my response:
Dear Sir/Madam [I’m a very fancy email communicator],
It has come to our attention that your website is currently living in the technological equivalent of the Cretaceous period and needs to be brought back to the modern day. This will require extensive testing, a small bit of sorcery, potential time travel, and a well-appointed checkbook (or any major credit card).
Regards,
Count Sullivan of Site Care
I really don’t enjoy writing these emails and telling people that making their respective sites current is going to be an expensive and time-intensive undertaking. So today I’d like to address some of the most common missteps I see and how we, together as a community, can keep WordPress up to date and avoid the dangers of outdated WordPress software.
Intentionally Deferred WordPress Upgrades
I’ve seen developers do some very clever things to not only ignore WordPress core upgrades, but to cover their tracks as well.
If the client can’t see the red update notification, they’ll never know there’s a problem.
Developers everywhere
It’s the same logic that big tobacco uses to sell cigarettes. “If they can’t see the nicotine and harmful chemicals, then we’re off the hook! (Until someone dies, of course. But that’s a bridge we’ll cross another day.)”
Some of the most common ways I’ve seen updates hidden are custom plugins that modify user roles, management plugins like ManageWP or InfiniteWP, or Easy Updates Manager. I’ve also seen updates blocked through the wp-config file hundreds of times, with a few other steps taken to hide notices from the dashboard completely.
And I’ll be the first to admit, sometimes hiding the notices is absolutely necessary. Curious clients see that update notification as a BIG RED BUTTON and need to push it. That’s facts. Unfortunately, more often than not these blocks are put in place with good intentions, and then end up being ignored indefinitely.
Here are some of the most common scenarios I’ve seen for blocking WordPress plugin, core, and theme updates:
- Theme update hasn’t been tested for compatibility – We’ve all seen theme updates break things. If it hasn’t happened to you already, it will. Updating a theme without disrupting the website may require staging the update in a sandbox and testing for compatibility. And who’s got time for that?
- Updates haven’t been tested with the PHP version on the server – Sometimes we want to test pending updates, but because some hosts are slow to upgrade their PHP versions, while others insist on running bleeding-edge server software, there’s yet another variable to test for, and that requires more time and effort.
- Managed hosting is taking too much control – Sometimes there are business reasons for not updating software right away. One example is an established change control process. Some corporations literally won’t allow changes to be made to their websites without going through a somewhat rigorous set of checks and balances. In these scenarios we tell the host to stop processing updates automatically. Hopefully we don’t use that as an excuse to ignore updates altogether.
These are all completely legitimate reasons for deferring updates, but they aren’t excuses to ignore them outright. An uncomfortable trend I’ve seen is that while the initial reason to block updates and hide notices is legitimate, it’s treated more like a Get Out of Jail Free card. If you’ve ever told yourself you’ll get to the updates “on a day when I have more time,” don’t fool yourself. Unless keeping plugins and themes up to date is a priority, the time will never come.
If you’re a service provider and your client trusts you to stay on top of these updates, please make them a priority. Or you can pass them off to our team and we’ll do the heavy lifting for you. But please don’t leave these important updates unattended.
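Because blocked updates so often trace back to a handful of wp-config.php constants, here is a small audit script, added as an example for this post and not code from the original article or from SiteCare, that flags the constants which suppress updates and prints the WP-CLI command that undoes each one. The sample wp-config.php fragment is constructed; the constant names (AUTOMATIC_UPDATER_DISABLED, DISALLOW_FILE_MODS, WP_AUTO_UPDATE_CORE, DISALLOW_FILE_EDIT) are documented WordPress constants, and the suggested `wp config` commands assume WP-CLI is installed on the server.

```shell
#!/bin/sh
# Added example (not from the original post): flag wp-config.php constants that
# silently block WordPress updates and say how to undo each one with WP-CLI.
set -eu

# Constructed sample: what wp-config.php often looks like on a site whose
# updates were "hidden" years ago.
SAMPLE_WP_CONFIG='<?php
define( "DB_NAME", "wordpress" );
define( "AUTOMATIC_UPDATER_DISABLED", true );  // every automatic update off
define( "DISALLOW_FILE_MODS", true );          // Updates screen and installs gone
define( "WP_AUTO_UPDATE_CORE", false );
/* That is all, stop editing! Happy publishing. */'

# Print 1 if $file defines constant $name as the boolean $value, else 0.
# Tolerates single or double quotes and optional whitespace inside define().
constant_is() {
  name=$1; value=$2; file=$3
  if grep -Eiq "define\([[:space:]]*['\"]${name}['\"][[:space:]]*,[[:space:]]*${value}[[:space:]]*\)" "$file"; then
    echo 1
  else
    echo 0
  fi
}

# Report each update-blocking setting on stderr and print the count on stdout,
# so a cron job or CI step can fail when the count is non-zero.
audit_update_blocks() {
  file=$1
  blocks=0
  if [ "$(constant_is AUTOMATIC_UPDATER_DISABLED true "$file")" = 1 ]; then
    echo "BLOCK  AUTOMATIC_UPDATER_DISABLED=true disables all automatic updates" >&2
    echo "       fix: wp config delete AUTOMATIC_UPDATER_DISABLED" >&2
    blocks=$((blocks + 1))
  fi
  if [ "$(constant_is DISALLOW_FILE_MODS true "$file")" = 1 ]; then
    echo "BLOCK  DISALLOW_FILE_MODS=true removes the Updates screen and plugin/theme installs" >&2
    echo "       fix: wp config delete DISALLOW_FILE_MODS (keep it only if a deploy pipeline applies updates)" >&2
    blocks=$((blocks + 1))
  fi
  if [ "$(constant_is WP_AUTO_UPDATE_CORE false "$file")" = 1 ]; then
    echo "BLOCK  WP_AUTO_UPDATE_CORE=false turns off automatic core updates" >&2
    echo "       fix: wp config set WP_AUTO_UPDATE_CORE minor" >&2
    blocks=$((blocks + 1))
  fi
  # Not a block, but the one constant you do want: it removes the in-dashboard file editor.
  if [ "$(constant_is DISALLOW_FILE_EDIT true "$file")" = 0 ]; then
    echo "NOTE   DISALLOW_FILE_EDIT is unset; the theme/plugin file editor is enabled" >&2
    echo "       fix: wp config set DISALLOW_FILE_EDIT true --raw" >&2
  fi
  echo "$blocks"
}

# Run against the constructed sample, or against a real wp-config.php passed as $1.
main() {
  target=${1:-}
  if [ -z "$target" ]; then
    target=$(mktemp)
    printf '%s\n' "$SAMPLE_WP_CONFIG" > "$target"
  fi
  found=$(audit_update_blocks "$target")
  echo "update-blocking constants found: $found"
  if [ -z "${1:-}" ]; then rm -f "$target"; fi
}

main "$@"
```

Run it as `sh audit-wp-config.sh /var/www/site/wp-config.php` during onboarding; the count on stdout is what you gate on, the explanations on stderr are what you paste into the handover notes.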
Absence of License Keys
The absence of license keys is the most prevalent challenge we encounter when trying to get websites up to date.
Developers, agencies, I say this with all the love I have available in my small heart: CLIENTS NEED TO BUY THEIR OWN PLUGINS AND MAINTAIN ACTIVE LICENSES
Without an active license key or account connection (see all Themeforest and CodeCanyon products), all future updates will be blocked.
And I know how it goes. You have the developer license for the theme or plugin that gets installed on the client’s site. Or you have the latest version from another project you’re working on, so you install that to get your work done without asking the client for more money. It’s no big deal, right? In fact, you’re even doing them a favor!
Well, it isn’t a big deal today. But eventually you’ll stop paying for that developer version because the plugin author raises prices, or because you decide you like another forms plugin more, or the budget is tight and you need to find ways to cut costs.
These things happen and it’s totally fine. Really, it is.
But when these decisions are made, licenses expire and updates are suddenly unavailable. I’m not saying it’s never been done, but I’ve never once seen a developer or agency go back to a client after the fact and say “We’ve been paying for you to use this plugin for the last 4 years and aren’t going to anymore. Please purchase a new license and send us the key.”
No, I usually get to be the one who tells them Revolution Slider is 4 years out of date and that they not only need to pay for the plugin, it’s also going to take six hours of developer time to upgrade the plugin and resolve all the resulting compatibility issues.
Do yourselves a favor and discuss license fees at the beginning of every project. Businesses understand the concept. They pay for Adobe, McAfee, and Microsoft Updates every single month. And at a much larger scale than any WordPress plugin fees.
Recommendations for Security Best Practices
It only takes a few days of following updates at WPVulnDB to get a very clear picture of how often security updates are applied to WordPress software. Authors are usually quite good at releasing security updates in a timely fashion when they’re needed.
Aside: If you use a WordPress plugin or theme with a known security issue and the author doesn’t release patches quickly, find another solution.
Without proactive monitoring and a regular update schedule things can get out of hand very quickly.
WordPress is often compared to Microsoft as “the operating system of the web.” It has extremely wide reach which makes it a prime target for exploiting vulnerabilities.
Yoast SEO has over 5 million active installs. If I’m a hacker and that plugin has a known security flaw, I’m going to try and build a bot to exploit it as quickly as I can. Even if half of website owners are diligent in keeping their plugins up to date, I still have a user base of 2.5 million I can try and take advantage of. I like those odds.
P.S. I’m not a hacker.
You’ll see lists on the internet for “300 tips to secure your WordPress website” but ultimately protecting your website comes down to these core principles:
- Use a quality web hosting provider who maintains current web server and PHP versions
- Have a regular update routine for WordPress core, plugins, and themes. Anything less than monthly is too infrequent.
- Use a firewall. We recommend Cloudflare or Sucuri. These firewalls prevent malicious requests from hitting your website.
- Keep active license keys or account connections for all premium WordPress plugins and themes.
- Use strong passwords. WordPress’ default requirements are stronger than they’ve ever been. If you want to really enforce strong passwords, check out Force Strong Passwords.
- Disable File Editing – Even if an unauthorized user is able to access your site, they’ll be somewhat limited if they can’t access your site at the file level.
- Use SSL everywhere. With many hosts offering SSL certificates for free or a small fee, there’s no excuse for not using SSL for your website.
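The second principle above, a regular update routine, is easiest to keep when it is a script rather than a calendar reminder. The following WP-CLI audit is an added example for this post, not code from the original article or from SiteCare: it lists every core, plugin and theme update that is waiting and checks the PHP version the site actually runs on, which is the variable the PHP-compatibility scenario above keeps tripping over. It assumes `wp` is installed and that the script runs from the WordPress root; the plugin listing in SAMPLE_PLUGIN_CSV is constructed so the parsing can be exercised without a live site, and MIN_PHP is a placeholder you set from the currently supported PHP branches.

```shell
#!/bin/sh
# Added example (not from the original post): a monthly update audit built on
# WP-CLI. Assumes `wp` is installed and this runs from the WordPress root.
set -eu

# Constructed sample of what
#   wp plugin list --update=available --fields=name,version,update_version --format=csv
# returns on a neglected site.
SAMPLE_PLUGIN_CSV='name,version,update_version
revslider,5.4.8,6.6.14
wordpress-seo,14.0,22.1
contact-form-7,5.1.6,5.9.3'

# Read a WP-CLI CSV listing on stdin; write "kind name: installed -> available"
# lines to stderr and print the number of outdated components on stdout.
summarize_outdated() {
  kind=$1   # label only, e.g. plugin or theme
  awk -F, -v kind="$kind" '
    NR == 1 { next }                       # skip the CSV header
    NF >= 3 { printf "%s %s: %s -> %s\n", kind, $1, $2, $3 > "/dev/stderr"; n++ }
    END     { print n + 0 }
  '
}

# Compare dotted versions: print 1 if $1 >= $2, else 0 (7.4.33 < 8.1, 8.1.0 == 8.1).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      ai = (i <= na) ? x[i] + 0 : 0
      bi = (i <= nb) ? y[i] + 0 : 0
      if (ai != bi) { print (ai > bi) ? 1 : 0; exit }
    }
    print 1
  }'
}

# Live audit of core, plugins, themes and the PHP the site really runs on.
# MIN_PHP is a placeholder: use the oldest PHP branch still receiving security fixes.
audit_site() {
  min_php=${MIN_PHP:-8.1}
  echo "WordPress core installed: $(wp core version)" >&2
  wp core check-update >&2
  plugins=$(wp plugin list --update=available --fields=name,version,update_version --format=csv \
            | summarize_outdated plugin)
  themes=$(wp theme list --update=available --fields=name,version,update_version --format=csv \
            | summarize_outdated theme)
  php=$(wp eval 'echo PHP_VERSION;')
  if [ "$(version_ge "$php" "$min_php")" = 0 ]; then
    echo "PHP $php is below $min_php; ask the host to upgrade before testing updates" >&2
  fi
  echo "$((plugins + themes))"
}

# Without --live, demonstrate the parser on the constructed sample only.
if [ "${1:-}" = "--live" ]; then
  echo "outdated components: $(audit_site)"
else
  echo "outdated components (sample): $(printf '%s\n' "$SAMPLE_PLUGIN_CSV" | summarize_outdated plugin)"
fi
```

Schedule `sh wp-update-audit.sh --live` monthly from cron and treat a non-zero count as a ticket, not a notification to dismiss; the per-component lines on stderr tell you which updates to stage and test first.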
Simplify your WordPress experience with SiteCare
Take the headache out of managing your WordPress updates by signing up for a SiteCare plan today!