Sometimes clients will ask me something like “my website is very simple, can’t I just leave it as it is?” or “it seems like every time I log in there are updates – do I really have to run them?”
I just want to take a moment to address questions like these, to dispel some myths and explain the benefits of keeping things updated regularly.
First things first, just to be really clear about what these updates are exactly, there are three different components in a WordPress installation that commonly need to be updated:
- WordPress core – this is the WordPress installation itself, i.e. all the code that makes WordPress work.
- WordPress theme – this is more code which can be customised to make your WordPress site look and act a certain way.
- Plugins – these are additional discrete components of code that can be added to your WordPress installation to extend the functionality of your website, for example adding e-commerce capabilities.
The first and biggest reason to keep all the above updated regularly is to keep your site safe and secure from hackers and malicious code injections. A study by web security firm Sucuri found that 74% of infected websites were WordPress sites, hardly surprising given WordPress is by far the most popular content management system and that there are over 55,000 plugins available. Essentially there is a huge attack surface and a multitude of factors to motivate hackers and spammers to infiltrate your site.
Another question I get is “but why would anybody want to hack my little site?” Well, the thing is, even though a human might not be interested in hacking your site, there are bots that are. Yes, that’s right, we do live in a dystopian future and there is a vast army of artificially intelligent robots continuously trying to attack any and every website in existence. These bots are made up of lines of code rather than circuits and lasers, but they are a very real threat nonetheless.
So, how and why do these devious forces of evil sometimes succeed? Well, a lot of the time it’s because site admins don’t choose a strong enough password, but that’s another matter for another time. Another reason is that plugins (even really good, reputable ones) can have vulnerabilities. You can think of a vulnerability in a plugin like a hidden back door to your house. As long as nobody knows it’s there, it’s not a problem, but once discovered, it can let these bad actors in. And it’s not just plugins: occasionally vulnerabilities are discovered in themes, and even in WordPress itself (WordPress core).
When vulnerabilities are discovered, the developers will usually rush to write a “patch” that closes up that hidden back door. Depending on your setup, your WordPress install may be able to receive these patches automatically, or, crazy though it may seem, a human may actually need to click a button marked ‘Update’.
WordPress does now support automatic updates for both its core and plugins; however, there can be disadvantages to automatic updates. Unfortunately, updating a plugin can cause your site to break, in some cases quite badly, so it’s always good to be around when an update happens, just to check things are still working as they should. You can do this yourself, or you can pay somebody (ourselves included) to do it for you. It’s always a good idea to take a backup of your site before running any major updates, so that you have an ‘undo’ option just in case anything does go wrong.
There can be other more complex, headache-y ramifications when things aren’t working properly too, and they aren’t always visible. Sometimes plugins with minor conflicts may just cause your website to run slowly, and occasionally they can grind to a halt entirely if fatal errors are happening.
I host many websites on behalf of clients, and I always encourage them to update and check things regularly if they aren’t paying me to do it. But when sites aren’t updated regularly, a performance issue can actually snowball into a bigger, more serious issue for me and my hosting setup too.
Well, This Escalated Quickly
I have a client, let’s call her Alice. She has a WordPress website that I host on a server where it lives alongside a few other sites belonging to other clients. (This is fairly normal and a good way to keep hosting costs down – I also offer dedicated VPS hosting where this doesn’t happen, i.e. the client has a whole virtual server just to themselves).
Alice’s WordPress installation receives automatic security updates, but her plugins are not set to automatically update, and she has had better things to think about than logging into her website for several months. Then, one day, I got an email from her saying her site was not working properly. (You thought this was a hypothetical story – nope, it’s real!) I had a look at my server logs and found that Alice’s site was generating errors continuously due to a conflict between a plugin that hadn’t been updated and WordPress core, which had been updated. Basically the plugin developer had released an update to make the plugin compatible with the latest WordPress version, but nobody had updated the plugin on the site. This meant that, although the site generally looked fine, it was behaving very sluggishly and, under the hood, things were not right at all.
Beyond that, the knock-on effect for me was that my server where the site was hosted was actually working a lot harder than it really needed to. Each client’s site on each of my servers has its allotted memory “ring-fenced”, so it can use up to a certain quota and no more. This ensures that a single site can’t hog all the memory; however, with the CPU (the real brains of the operation), there’s no such limit. So I had been thinking this server was pretty close to capacity when in fact it was just Alice’s site causing it to struggle. Once I updated everything on her site for her, the server was able to calm down and run at a more reasonable level. You can very clearly see the difference before and after running the updates in the charts below. (Notice the memory was hardly affected due to the quotas).
This was a huge eye-opener for me. A single site not being kept up to date was causing issues not just for Alice, but for me and my server too. My other clients’ sites were not directly suffering (yet) but as you can see above, the server was getting close to its limits, which is less than ideal. Normally I like to run servers with plenty of ‘headroom’, so that if a site gets a sudden spike in traffic it has the capacity to handle it. Of course I do periodically monitor my servers, and had this situation got any worse, I probably would have upgraded the server to add more CPU power, but I’m glad I didn’t because, now Alice’s site is up to date, everything is looking groovy again.
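The kind of log check described in this story, as an added example that is not part of the original post: it tallies PHP error-log entries per plugin and reports how many distinct minutes each plugin was erroring in, which is what "continuously" looks like in a log. The log lines, plugin slugs and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: find the plugin that is filling a PHP error log.

# Constructed sample in PHP's error_log format; slugs and paths are made up.
sample_log() {
cat <<'EOF'
[03-May-2023 09:14:01 UTC] PHP Fatal error:  Uncaught Error: Call to undefined function example_helper() in /var/www/alice/wp-content/plugins/example-gallery/init.php:42
Stack trace:
#0 /var/www/alice/wp-content/plugins/example-gallery/boot.php(10): example_init()
[03-May-2023 09:14:01 UTC] PHP Deprecated:  Function example_old() is deprecated in /var/www/alice/wp-content/plugins/example-gallery/init.php on line 17
[03-May-2023 09:15:12 UTC] PHP Fatal error:  Uncaught Error: Call to undefined function example_helper() in /var/www/alice/wp-content/plugins/example-gallery/init.php:42
[03-May-2023 09:15:40 UTC] PHP Warning:  Undefined array key "size" in /var/www/alice/wp-content/plugins/example-forms/render.php on line 88
[03-May-2023 09:16:03 UTC] PHP Fatal error:  Uncaught Error: Call to undefined function example_helper() in /var/www/alice/wp-content/plugins/example-gallery/init.php:42
[03-May-2023 09:16:30 UTC] PHP Notice:  Undefined variable $x in /var/www/alice/wp-content/themes/example-theme/header.php on line 5
EOF
}

# Reads a PHP error log on stdin and prints one line per plugin:
#   slug  total-errors  fatal-errors  distinct-minutes-with-errors
# Only timestamped "PHP ..." lines count, so stack-trace continuation lines
# that mention a plugin path are not counted twice.
plugin_error_counts() {
  awk '
    $1 ~ /^\[[0-9]/ && $4 == "PHP" && match($0, "wp-content/plugins/[^/]+/") {
      slug = substr($0, RSTART + 19, RLENGTH - 20)    # text between plugins/ and the next /
      minute = substr($1, 2) " " substr($2, 1, 5)     # e.g. "03-May-2023 09:14"
      total[slug]++
      if ($5 == "Fatal") fatal[slug]++
      if (!seen[slug, minute]++) minutes[slug]++
    }
    END {
      for (s in total) printf "%s %d %d %d\n", s, total[s], fatal[s], minutes[s]
    }
  ' | sort -k2,2nr -k1,1
}

# Prints plugins with fatal errors spread over at least $1 distinct minutes
# (default 3): the ones to update or disable first.
noisy_plugins() {
  plugin_error_counts | awk -v min="${1:-3}" '$3 > 0 && $4 >= min { print $1 }'
}

sample_log | plugin_error_counts
```

On a real server, feed it the site's own PHP error log instead of `sample_log`; where that file lives depends on your hosting setup.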
New Features and Improvements
A less critical but also good reason to update things is to take advantage of new features, functions and optimisations that become available. While more features are not necessarily always a good thing or what you want, when things get better, faster, more useful, and less annoying, it can save you time, improve your user experience and actually just be a real pleasure.
For example, Elementor, my favourite page builder plugin, recently released an update that adds a host of Flexbox controls. Essentially what this means for me is:
- I now have even better, more flexible layout tools at my disposal
- I can build leaner Elementor layouts that result in faster load times
Once again, it can’t be emphasised enough that, while updating things is definitely a good idea, it’s important that it’s done safely. Here are some suggestions:
- Back up your database and files before updating
- Check your backups
- Clone your site to a staging server where you can run updates without affecting your live site
- Check all aspects of your site thoroughly after updating
- Choose a Care Plan and let us handle all your updates for you!
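One way to script the backup, check and update steps above with WP-CLI, as an added example rather than the author's own tooling: it refuses to update plugins unless a fresh backup has been taken and verified. `WP_PATH` and `BACKUP_DIR` are assumed locations; point `WP_PATH` at your staging copy first.

```shell
#!/bin/sh
# Added example: only update plugins once a fresh backup has been verified.
# WP_PATH and BACKUP_DIR are assumed locations, not values from the post.
# Keep BACKUP_DIR outside the web root so database dumps cannot be downloaded.
WP_PATH="${WP_PATH:-/var/www/example-site}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/example-site}"

# Step 1: dump the database and archive the files; prints the backup stamp.
backup_site() {
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$BACKUP_DIR" || return 1
  wp --path="$WP_PATH" db export "$BACKUP_DIR/db-$stamp.sql" >&2 || return 1
  tar -czf "$BACKUP_DIR/files-$stamp.tar.gz" -C "$WP_PATH" . || return 1
  echo "$stamp"
}

# Step 2: check the backup. The dump must contain table definitions and the
# archive must be readable from start to end.
verify_backup() {
  grep -q 'CREATE TABLE' "$BACKUP_DIR/db-$1.sql" 2>/dev/null || return 1
  tar -tzf "$BACKUP_DIR/files-$1.tar.gz" >/dev/null 2>&1 || return 1
}

# Step 3: update only after a verified backup, then print the names of any
# plugins that still have an update pending (empty output means none).
safe_update() {
  stamp=$(backup_site) || { echo "backup failed, not updating" >&2; return 1; }
  verify_backup "$stamp" || { echo "backup $stamp unusable, not updating" >&2; return 1; }
  echo "restore point: $stamp" >&2
  wp --path="$WP_PATH" plugin update --all >&2 || return 1
  wp --path="$WP_PATH" plugin list --update=available --field=name
}

# Run only when asked to, e.g.:  sh safe-update.sh run
if [ "${1:-}" = "run" ]; then safe_update; fi
```

The script does not replace the manual check of the site after updating; it only guarantees there is a restore point if that check turns something up.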