Nearly every day an email hits my inbox from someone who hasn't updated WordPress in years. Not months, years. By now we all know that ignoring theme, plugin, and WordPress core updates creates severe security issues, compatibility issues, and technical debt. Not to mention that website owners miss out on the new features and capabilities of their software when updates are ignored.

When an email like the one described above comes through, this is typically my response:

Dear Sir/Madam,

It has come to our attention that your website is currently living in the technological equivalent of the Cretaceous period and needs to be brought back to the modern day. This will require extensive testing, a small bit of sorcery, potential time travel, and a well-appointed checkbook (or any major credit card).

Regards,
Count Sullivan of Site Care

I really don't enjoy writing these emails and telling people that bringing their sites current is going to be an expensive and time-intensive undertaking. So today I'd like to address some of the most common missteps I see and how we, together as a community, can keep WordPress up to date and avoid the dangers of outdated WordPress software.

Intentionally Deferred WordPress Upgrades

I've seen developers do some very clever things to not only ignore WordPress core upgrades, but to cover their tracks as well.

"If the client can't see the red update notification, they'll never know there's a problem." (Developers everywhere)

It's the same logic that big tobacco uses to sell cigarettes. "If they can't see the nicotine and harmful chemicals, then we're off the hook! (Until someone dies, of course. But that's a bridge we'll cross another day.)"

Some of the most common ways I've seen updates hidden are custom plugins that modify user roles (so the client's account no longer has the capabilities that would show it pending updates), management plugins like ManageWP or InfiniteWP, or Easy Updates Manager.
I've also seen updates blocked through the wp-config file hundreds of times, with a few other steps taken to hide the notices from the dashboard completely. And I'll be the first to admit, sometimes hiding the notices is absolutely necessary. Curious clients see that update notification as a BIG RED BUTTON and need to push it. That's a fact. Unfortunately, more often than not these blocks are put in place with good intentions and then end up being ignored indefinitely.

Here are some of the most common scenarios I've seen for blocking WordPress plugin, core, and theme updates:

Theme update hasn't been tested for compatibility - We've all seen theme updates break things. If it hasn't happened to you already, it will. Updating a theme without disrupting the website may require staging the update in a sandbox and testing for compatibility. And who's got time for that?

Updates haven't been tested with the PHP version on the server - Sometimes we want to test pending updates, but because some hosts are slow to upgrade their PHP versions, or alternatively insist on running bleeding-edge server software, there's yet another variable to test for that's going to require more time and effort.

Managed hosting is taking too much control - Sometimes there are business reasons for not updating software right away. One example is an established change control process. Some corporations literally won't allow changes to be made to their websites without going through a somewhat rigorous set of checks and balances. In these scenarios we tell the host to stop processing updates automatically. Hopefully we don't use that as an excuse to ignore updates altogether.

These are all completely legitimate reasons for deferring updates, but they aren't excuses to ignore them outright.
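To make the difference between deferring and hiding concrete, here is an added example of our own (it is not code from the original post): a must-use plugin that implements a deferral policy with WordPress core's own hooks, followed, as a comment, by the lines an audit should grep for. The `SITE_UPDATE_FREEZE` constant, the `site_update_policy_defer` function name and the file name are assumptions for this example; every filter, action and core constant named is WordPress core's.

```php
<?php
/**
 * Plugin Name: Update policy (added example)
 * Description: Defers updates during a change-control freeze without hiding them.
 *
 * Save as wp-content/mu-plugins/update-policy.php. SITE_UPDATE_FREEZE and
 * site_update_policy_defer() are our own names (assumptions for this example);
 * the hooks and the constants in the audit list below are WordPress core's.
 */

// Flip to true (ideally from wp-config.php) only while a change-control
// freeze is in effect. One switch, in one place, that a reviewer can find.
if ( ! defined( 'SITE_UPDATE_FREEZE' ) ) {
	define( 'SITE_UPDATE_FREEZE', false );
}

// 1. Security releases always flow. Minor core releases (x.y.Z) carry the
//    security fixes, so they stay automatic even during a freeze; major
//    releases wait for a tested, scheduled window.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// 2. Plugins and themes: outside a freeze, whatever was chosen per item on
//    the Plugins/Themes screens applies ($update); inside one, auto-updates
//    are deferred. Deferred is not hidden: the update counts and notices on
//    the dashboard are untouched, so the backlog stays visible.
function site_update_policy_defer( $update, $item ) {
	return SITE_UPDATE_FREEZE ? false : $update;
}
add_filter( 'auto_update_plugin', 'site_update_policy_defer', 10, 2 );
add_filter( 'auto_update_theme', 'site_update_policy_defer', 10, 2 );

// 3. Make the freeze itself loud, so it cannot quietly become permanent.
add_action( 'admin_notices', function () {
	if ( SITE_UPDATE_FREEZE && current_user_can( 'update_plugins' ) ) {
		echo '<div class="notice notice-warning"><p>'
			. 'Update freeze is active: plugin and theme auto-updates are deferred, '
			. 'not cancelled. Review pending updates on the Updates screen.'
			. '</p></div>';
	}
} );

/*
 * What we usually find instead. Each line below, on its own, disables or
 * hides updates; grep wp-config.php, wp-content/mu-plugins/ and the active
 * theme for them when auditing a neglected site.
 *
 *   define( 'AUTOMATIC_UPDATER_DISABLED', true );   // all background updates off
 *   define( 'WP_AUTO_UPDATE_CORE', false );         // security releases off too
 *   define( 'DISALLOW_FILE_MODS', true );           // no updates at all from the dashboard
 *   remove_action( 'admin_notices', 'update_nag', 3 );                  // hides the update banner
 *   add_filter( 'pre_site_transient_update_core', '__return_null' );    // core "has no updates"
 *   add_filter( 'pre_site_transient_update_plugins', '__return_null' ); // plugins "have no updates"
 *   add_filter( 'pre_site_transient_update_themes', '__return_null' );  // themes "have no updates"
 */
```

The point of the design is that the only thing a freeze changes is whether the background updater runs; nothing in it touches the update transients or the admin notices, so the next person to log in still sees exactly how far behind the site is.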
An uncomfortable trend I've seen is that while the initial reason to block updates and hide notices is legitimate, it's treated more like a Get Out of Jail Free card. If you've ever told yourself you'll get to the updates "on a day when I have more time," don't fool yourself. Unless keeping plugins and themes up to date is a priority, the time will never come. If you're a service provider and your client trusts you to stay on top of these updates, please make them a priority. Or you can pass them off to our team and we'll do the heavy lifting for you. But please don't leave these important updates unattended.

Absence of License Keys

The absence of license keys is the most prevalent challenge we encounter when trying to get websites up to date. Developers, agencies, I say this with all the love I have available in my small heart:

CLIENTS NEED TO BUY THEIR OWN PLUGINS AND MAINTAIN ACTIVE LICENSES

Without an active license key or account connection (see all Themeforest and CodeCanyon products), all future updates will be blocked. And I know how it goes. You have the developer license for the theme or plugin that gets installed on the client's site. Or you have the latest version from another project you're working on, so you install that to get your work done without asking the client for more money. It's no big deal, right? In fact, you're even doing them a favor! Well, it isn't a big deal today. But eventually you'll stop paying for that developer version because the plugin author raises prices, or because you decide you like another forms plugin more, or the budget is tight and you need to find ways to cut costs. These things happen and it's totally fine. Really, it is. But when these decisions are made, licenses expire and updates, security fixes included, are suddenly unavailable.
I'm not saying it's never been done, but I've never once seen a developer or agency go back to a client after the fact and say "We've been paying for you to use this plugin for the last 4 years and aren't going to anymore. Please purchase a new license and send us the key." No, I usually get to be the one who tells them Revolution Slider is 4 years out of date and that they not only need to pay for the plugin, it's also going to take six hours of developer time to upgrade it and resolve all the resulting compatibility issues.

Do yourselves a favor and discuss license fees at the beginning of every project. Businesses understand the concept. They pay for Adobe, McAfee, and Microsoft updates every single month, and at a much larger scale than any WordPress plugin fees.

Recommendations for Security Best Practices

It only takes a few days of following updates at WPVulnDB (now the WPScan vulnerability database) to get a very clear picture of how often security updates are applied to WordPress software. Authors are usually quite good at releasing security updates in a timely fashion when they're needed.

Aside: If you use a WordPress plugin or theme with a known security issue and the author doesn't release patches quickly, find another solution.

Without proactive monitoring and a regular update schedule things can get out of hand very quickly. WordPress is often compared to Microsoft as "the operating system of the web." It has extremely wide reach, which makes it a prime target for exploiting vulnerabilities. Yoast SEO has over 5 million active installs. If I'm a hacker and that plugin has a known security flaw, I'm going to try and build a bot to exploit it as quickly as I can. Even if half of website owners are diligent in keeping their plugins up to date, I still have a user base of 2.5 million I can try and take advantage of. I like those odds.

P.S. I'm not a hacker.
You'll see lists on the internet for "300 tips to secure your WordPress website," but ultimately protecting your website comes down to these core principles:

- Use a quality web hosting provider who maintains current web server and PHP versions.
- Have a regular update routine for WordPress core, plugins, and themes. Anything less than monthly is too infrequent, and security releases should be applied as soon as they ship rather than waiting for the next window.
- Use a firewall. We recommend Cloudflare or Sucuri. These web application firewalls filter malicious requests before they reach your web server.
- Keep active license keys or account connections for all premium WordPress plugins and themes; without them, updates (security fixes included) stop arriving.
- Use strong passwords. WordPress' default requirements are stronger than they've ever been, but the built-in strength meter is advisory only. If you want to really enforce strong passwords, check out Force Strong Passwords.
- Disable file editing (DISALLOW_FILE_EDIT). Even if an unauthorized user gets hold of an administrator login, they'll be somewhat limited if they can't use the dashboard's theme and plugin editors to write PHP to your site's files.
- Use SSL everywhere. With many hosts offering SSL certificates for free or a small fee, there's no excuse for not using SSL for your website, and for forcing it on wp-admin and the login page (FORCE_SSL_ADMIN) so passwords and session cookies never travel in the clear.

Simplify your WordPress experience with WP Site Care

Take the headache out of managing your WordPress updates by signing up for a WP Site Care plan today!
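Two of the items above, disabling file editing and enforcing strong passwords, take only a few lines to implement. The following is an added example of ours, not code from the post and not the Force Strong Passwords plugin: a must-use plugin that removes the dashboard file editors and rejects weak passwords server-side whenever a user is created or edited in wp-admin. The `site_password_problems()` helper name, the 12-character minimum, the three-character-class rule and the file name are assumptions for this example; `DISALLOW_FILE_EDIT`, `FORCE_SSL_ADMIN` and the `user_profile_update_errors` hook are WordPress core's.

```php
<?php
/**
 * Plugin Name: Hardening basics (added example)
 *
 * Save as wp-content/mu-plugins/hardening.php. DISALLOW_FILE_EDIT and
 * FORCE_SSL_ADMIN normally live in wp-config.php; they are guarded here only
 * so this single file is self-contained. Helper names are our own.
 */

// Remove the Theme and Plugin editors from the dashboard. An attacker who
// obtains an administrator login can no longer paste PHP into a theme file
// from the browser. This does not block uploading a new plugin; that needs
// DISALLOW_FILE_MODS, which also blocks dashboard updates (see above).
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
	define( 'DISALLOW_FILE_EDIT', true );
}

// Send all wp-admin and login traffic over HTTPS so passwords and session
// cookies are never sent in the clear. Install a valid certificate first.
if ( ! defined( 'FORCE_SSL_ADMIN' ) ) {
	define( 'FORCE_SSL_ADMIN', true );
}

/**
 * Return the reasons a candidate password is unacceptable; an empty array
 * means it passes. Pure function (no WordPress calls) so it is easy to test.
 */
function site_password_problems( $password, $user_login = '', $user_email = '' ) {
	$problems = array();

	if ( strlen( $password ) < 12 ) {
		$problems[] = 'must be at least 12 characters long';
	}

	// Count character classes present: lower, upper, digit, symbol.
	$classes = 0;
	foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
		if ( preg_match( $re, $password ) ) {
			$classes++;
		}
	}
	if ( $classes < 3 ) {
		$problems[] = 'must mix at least three of: lower case, upper case, digits, symbols';
	}

	$lower = strtolower( $password );
	if ( '' !== $user_login && false !== strpos( $lower, strtolower( $user_login ) ) ) {
		$problems[] = 'must not contain the username';
	}

	// Compare against the mailbox part of the address (before the "@").
	$mailbox = strtolower( strstr( $user_email, '@', true ) ?: $user_email );
	if ( strlen( $mailbox ) >= 4 && false !== strpos( $lower, $mailbox ) ) {
		$problems[] = 'must not contain the e-mail address';
	}

	return $problems;
}

// Enforce the policy whenever a password is set from wp-admin (new user,
// own profile, or an admin editing another user). Core only sets
// $user->user_pass when a new password was actually entered, so saving a
// profile without changing the password is not affected.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
	if ( empty( $user->user_pass ) ) {
		return;
	}
	$login    = isset( $user->user_login ) ? $user->user_login : '';
	$email    = isset( $user->user_email ) ? $user->user_email : '';
	$problems = site_password_problems( $user->user_pass, $login, $email );
	if ( $problems ) {
		$errors->add(
			'weak_password',
			'<strong>Error:</strong> The password ' . implode( '; ', $problems ) . '.',
			array( 'form-field' => 'pass1' )
		);
	}
}, 10, 3 );
```

The check runs on the server, inside the same error object core uses for its own profile validation, so it cannot be bypassed by disabling JavaScript the way the dashboard's strength meter can. It does not cover passwords set through WP-CLI or `wp_set_password()` directly; those paths are for administrators who already have shell or code access.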