Zen and the Art of Website Maintenance, Part 3: Updates

Congratulations! If you’ve been following this series, then you’ve started a regularly-scheduled backup routine (with validation) and are monitoring your site for security threats. You’re probably feeling more Zen already. But we’re not done yet, grasshopper.

There are only three certainties in life: death, taxes, and software updates. Up-to-date software doesn’t stay that way by itself. It takes awareness and discipline to make sure your web software is kept in tip-top shape.

Why Should I Bother?

“But,” I can hear you say, “my site is working great right now! Why should I bother updating it all the time?” There are a couple of reasons to keep clicking that “Update Now” link:

  • New security risks are discovered. This is the No. 1 reason to make sure you’re updating your core and plugins. (We talked about the concept of a zero day exploit last week.) Fortunately, there are hundreds of volunteers in the WordPress community who are ready to patch and release the new code quickly.
  • “Under the hood” improvements. Sometimes, software is updated to take advantage of new features available in the underlying technology. While generally more true for things like your smart phone apps, this can also apply your web software. For example, a theme might have new front-end code that takes advantage of modern browser capabilities. A complex plugin might work better when its updates are paired with the latest version of PHP (the server-side language upon which WordPress is built). WordPress is backwards-compatible (almost to a fault), but staying more-up-to-date will improve performance all-around.

How Do I Keep Updated?

  • Check the “Updates” section of the admin. You can’t miss it, really. If your site is in need of updates, then this icon, updates icon, will appear in the admin bar along with the number of updates needed. Click on it, and you’ll be able to update your core, plugins, and themes en masse.
  • Always apply WordPress core security patches immediately. You can identify a security update because it will have a third number in its version number (4.7.3, for example). In most cases, WordPress even will apply this update automatically (although there are some cases where it isn’t able to). Also, many web hosts will make sure these updates are applied quickly and automatically as well.
  • Sign up for third-party updates. There are services such as those by ManageWP and iThemes that will email (or otherwise notify you) when you have plugins or other updates available for your site. This is especially helpful if you have multiple WordPress sites that you’re maintaining, each running a different plugin configuration. They’ll even apply the update for you with just a few clicks on a centralized dashboard.

What Happens If My Updates Go Awry?

I can’t promise that it won’t happen. The vast majority of the time, updates go through without a hitch and no one visiting your site is any the wiser. But there have been, on a very few occasions, instances where updates haven’t gone so smoothly. Sometimes it’s because a popular plugin has been taken over by a new, somewhat unscrupulous developer who decided to insert some malicious code. Sometimes, it’s a bug that wasn’t caught in testing, but your set up, unfortunately, has just the right combination of circumstances to manifest the problem. It’s unfortunate and gratefully rare, but not unheard of.

  • Back up early and often. You’ve been keeping backups anyway, right? Make sure you run them just before you apply updates to any plugin or theme, and especially WordPress core itself, so you can roll back quickly if there’s a problem.
  • Keep an eye on the chatter. Monitor Twitter, WordPress news blogs (WP Tavern is a popular one, and WordPress security companies keep their own as well), and keep an eye on the plugin’s support forums. If there’s a problem with a particular release, it’ll be discovered (and publicized) pretty quickly.

Other Things to Keep in Mind

A couple of suggestions on software that harken back to the security we talked about last week:

  • Get your plugins and themes from trusted sources. More often than not, security risks that could compromise your site come from the add-ons you install to enhance its functionality. For that reason, making sure you only install themes and plugins from reputable sources will go a long way in protecting yourself. The WordPress plugin and theme repositories are staffed by dedicated volunteers who pore through the code of submitted themes and plugins, looking for potential risks. You can also download premium (that is, you have to pay for them) plugins and themes from a number of reputable businesses, but be careful; not all premium theme and plugin shops are alike. Some of them are just clearing houses for individual developers, with little or no oversight for code quality and what you end up paying for could be sketchy at best, malicious at worst. Instead, seek some advice and recommendations of a trusted WordPress developer, and they can set you on the path towards high-quality, secure purveyors of themes and plugins that you can trust and who offer regular security updates of their own.
  • Turn off code editing in the admin. WordPress actually allows for site administrators to edit the source code of themes and plugins directly through the admin interface. The reasons for this are archaic and have never been very well explained to me. What we’re left with is that if a bad player somehow does manage to access administrator-level privileges on your website, this feature could cause a whole lot of damage. To turn it off, you want to edit the wp-config.php file on your site and add the line:
    define ( 'DISALLOW_FILE_EDIT', true );
    If you need help, ask a developer or your hosting provider and they might be able to help you.

Keep Going

You’re backing up. Great! You’re monitoring your security. Awesome! You’re even making sure that all your core, themes, and plugins are kept up-to-date. Terrific! You’re done, right? Well, we got one more thing. We’ll conclude our series next week when we look at uptime monitoring—what it is and why you need it.


Need Help?

Not everyone feels comfortable preparing their own taxes and that’s okay. Not everyone wants the headaches of making sure all their WordPress core, plugins, and themes stay up-to-date, and that’s okay too. Taupecat Studios can help. We offer monthly maintenance plans to take the tasks of backups, security monitoring, software updates, and uptime monitoring off of your plate so you can focus on your business. Get in touch and let us know how we can help.