When it comes to keeping plugins, themes, and WordPress core itself up-to-date, there are two common approaches…
Some will say that you should update as often as possible to keep your website secure.
Others argue that WordPress can be fragile, and updating too quickly is likely to break things.
When I posed this question to the group, we saw passionate arguments from both sides of the aisle.
But they can’t both be right, can they? And who should we trust?
To help answer this question, I enlisted the help of 3 WordPress security experts and 3 WordPress maintenance experts to settle the debate once and for all (hopefully).
The Setup
In an effort to make this fully transparent, here’s exactly what I asked each of our experts:
When it comes to WordPress core, plugin, and theme updates, do you recommend updating quickly (for security purposes) or being cautious about updates (since they can break things)?
Tell us about your recommended approach and why you believe that’s the right way to go.
And…
Pick a Side…
I imagine that most people’s answers will have some sort of “it depends” to it — but if you *had to* pick a side… Would you act conservatively (and update less frequently) or aggressively (and update more frequently)?
Let’s see what each of them had to say…
Our Experts Weigh In
I did my best to select people from the WordPress community with vast experience in either WordPress security or WordPress maintenance. I asked them to share a little bit about themselves so you can judge their credentials on your own…
Experts are listed in the order they responded:
Thomas J. Raef
Security Expert from We Watch Your Website
About Thomas: I’ve been removing malware from websites since 2007. That’s over 5.5 million sites. One thing I’ve always focused on is root cause analysis – how are websites infected. I offer my experience and expertise to those willing to listen.
When it comes to WordPress core, plugin, and theme updates, do you recommend updating quickly (for security purposes) or being cautious about updates (since they can break things)?
I focus on the safety side of security over the potentially broken site. I typically set core, themes and plugins to auto-update. My belief is I’d rather have a broken site temporarily than an infected site – which damages reputation online.
☑️ Pick A Side: Aggressive
Akshat Choudhary
Security Expert from WP Remote
About Akshat: Founder of BlogVault, MalCare and WP Remote. Engineer who should be doing a lot more marketing.
When it comes to WordPress core, plugin, and theme updates, do you recommend updating quickly (for security purposes) or being cautious about updates (since they can break things)?
Every agency owner will say that they update security patches immediately, and the rest in a structured, well-tested manner. But in reality, we do not see this in our data. The vast majority of sites have vulnerable plugins with updates left open for days.
This is for good reason. We are yet to see any agency charge sufficiently to update everything manually soon after a vulnerability is announced. The economics just don’t make sense. Especially when over 300 vulnerabilities are announced in a month.
We prefer the process where one sets daily automatic updates for the vast majority of their simpler sites, or sites which are easy to roll back from a backup. They run some sort of tests, like visual regression tests, daily to validate that the sites are running fine. And in the worst-case scenario, just restore from a backup.
This is practical and cost effective. For the odd site which is problematic or the odd plugin which is known to break things, go with a manual and more measured approach. Rely on the firewall to keep sites safe until then.
In the rarest of situations, when a Severity 9+ vulnerability is discovered, update first and think later.
☑️ Pick A Side: Aggressive
Tom DeBello
Maintenance Expert from WP Aligned
About Tom: Tom is the Co-founder of WP Aligned and has been part of the web industry for over 25 years. He has a cat with a mustache.
When it comes to WordPress core, plugin, and theme updates, do you recommend updating quickly (for security purposes) or being cautious about updates (since they can break things)?
We update across the board weekly, but the speed at which a particular update is implemented within that week really depends on the update itself. Sometimes, we roll non-security related updates into the next week if necessary.
That said, security updates of any kind are performed ASAP.
Core updates can wait a day or so until it’s confirmed that there are no known issues with the update. Theme updates are generally safe to run right away, especially themes with a proven track record of being free of site-breaking bugs, such as GeneratePress. Plugins, on the other hand, are a mixed bag. We test many plugins in staging environments to check for any unusual behavior after an update. Most of them turn out fine, but plugins with third-party extensions can be problematic at times.
We monitor the sites we manage every day, giving us a good idea of which sites are prone to issues based on their installed components. However, even the best plans cannot anticipate all the unusual edge cases. Having plenty of backups, conducting tests in staging environments, and being familiar with potential pitfalls associated with a specific update all help mitigate most problems.
☑️ Pick A Side: Aggressive
Calvin Alkan
Security Expert from Snicco
About Calvin: Randomly hitting buttons at Snicco where we strive to change WordPress Security. Zero bugs so far…
When it comes to WordPress core, plugin, and theme updates, do you recommend updating quickly (for security purposes) or being cautious about updates (since they can break things)?
The issue with an aggressive update strategy is code quality.
Few WordPress products maintain code quality that instills confidence in pressing the update button, let alone enabling automatic updates, on critical production sites.
Automatic updates mean we might be putting untested code on the website, and that’s not something you do if the site crosses a certain threshold of criticality to a business.
An excellent way to get a feeling for this is by comparing the cost of a bug/issue in production with your billable hours for implementing and performing a testing protocol for updates.
A form that doesn’t work for a week until someone (hopefully you) notices might not be a big deal for a small brochure website. So, automatic updates might be okay.
If, on the other side, you’re managing a seven-figure WooCommerce Store, you should think twice about doing this.
In practice, a good middle ground is automatically updating plugins with known vulnerabilities.
☑️ Pick A Side: Aggressive
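Two of the approaches above map directly onto WordPress configuration: Thomas’s “auto-update core, themes and plugins” and Calvin’s middle ground of “automatically updating plugins with known vulnerabilities”. The must-use plugin below is an example added here by the editor; it is not code from Thomas, Calvin, Snicco, or any product named on this page. It uses WordPress core’s documented filters (`allow_minor_auto_core_updates`, `allow_major_auto_core_updates`, `auto_update_plugin`); the plugin slug list and the file name are placeholders you would replace with whatever your vulnerability monitoring reports.

```php
<?php
/**
 * Plugin Name: Selective Auto-Update Policy (added example, not from the original page)
 * Description: Auto-apply core minor releases and updates for plugins flagged as vulnerable;
 *              leave every other plugin/theme on its per-item setting from the admin UI.
 *
 * Install: save as wp-content/mu-plugins/selective-auto-updates.php (mu-plugins load unconditionally).
 */

// Core: minor releases (security/maintenance) install automatically; major releases wait for review.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

/**
 * Slugs of plugins that must be updated as soon as a release is available.
 * CONSTRUCTED placeholder list: in practice, populate this from your vulnerability
 * monitoring (or a CLI/cron job that rewrites this file), not by hand.
 */
function sup_urgent_plugin_slugs() {
    return array(
        'example-forms-plugin', // hypothetical slug, for illustration only
    );
}

/**
 * Decide whether a given plugin update is applied automatically.
 *
 * @param bool   $update Default decision (per-plugin toggle from the Plugins screen since WP 5.5).
 * @param object $item   Update API entry: ->plugin (main file path), ->slug, ->new_version, ...
 * @return bool
 */
function sup_auto_update_plugin( $update, $item ) {
    // wordpress.org-hosted plugins carry ->slug; for others fall back to the plugin directory name.
    $slug = isset( $item->slug ) ? $item->slug : dirname( $item->plugin );

    if ( in_array( $slug, sup_urgent_plugin_slugs(), true ) ) {
        return true; // known-vulnerable: update first, review later
    }

    return $update;  // everything else keeps whatever the site operator chose
}
add_filter( 'auto_update_plugin', 'sup_auto_update_plugin', 10, 2 );

// To implement the "auto-update everything" stance instead, replace the plugin filter
// above (and add the theme equivalent) with:
//   add_filter( 'auto_update_plugin', '__return_true' );
//   add_filter( 'auto_update_theme',  '__return_true' );
```

Two caveats a practitioner will want: the automatic updater runs from WP-Cron, so nothing is applied until cron fires (core checks for updates roughly twice a day, and sites with low traffic or `DISABLE_WP_CRON` need a real system cron hitting `wp-cron.php`), and the filters have no effect if `AUTOMATIC_UPDATER_DISABLED` or `DISALLOW_FILE_MODS` is set. For the “turn it all on” option without code, WP-CLI offers `wp plugin auto-updates enable --all` and `wp theme auto-updates enable --all`. None of this replaces the backup and regression testing the experts keep returning to; it only changes which updates are applied without a human in the loop.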
Jeffery Patch
Maintenance Expert from MaintainPress
About Jeffery: I’m a goofy dad with a lifelong love of technology. I’ve been working professionally with WordPress for 15 years and operate two white-label companies serving freelancers and digital agency owners: MaintainPress & SEOHive
When it comes to WordPress core, plugin, and theme updates, do you recommend updating quickly (for security purposes) or being cautious about updates (since they can break things)?
We have a fairly even split of clients that have websites WE built, our agency partners built, or were inherited and likely built by someone’s nephew. The first two types of sites we can generally consider safe as we know their stack well, stay up-to-date on the changelogs, have active licenses, know they are well-supported by the original developers, etc.
So for those sites, we are somewhat aggressive in our approach and will push all minor updates through twice weekly. Of course, this is combined with a fresh backup and visual regression testing so if there ever is an issue, we can confidently roll things back to where they were.
For those sites that might be using older themes or plugins that aren’t maintained as frequently, we take a slightly more cautious approach, will review each plugin or theme to get an idea of what has changed and the issues it may pose, and may wait a few days, or possibly even a week or two to take the updates live.
Another issue with inherited sites that we often see is the overuse of add-on plugins. While Elementor isn’t the only tool that has an abundance of third-party plugins, it does seem to be the one that has the most conflicts between its updates and the multitude of plugins that add various functionality. The latter are often updated less frequently, and basically fall out of compatibility with the core tool they are piggybacking off of. We will often wait several weeks after Elementor updates to ensure these additional plugins have time to catch up.
Of course, security issues are a much different conversation. When a plugin or theme has an exposed security vulnerability, we act on it right away. Hopefully the plugin/theme developers are already on it and have released an update, which we will push live as soon as it is available. If there is not an update available yet, we will assess the situation and determine what the best solution is.
All of this goes to say that we are major proponents of keeping all premium themes and plugins licensed so you can benefit from the ongoing support, whether that’s from the developers updating the software, or their support teams should you ever need it.
☑️ Pick A Side: Aggressive
Kimberly Lipari
Maintenance Expert from Valet Web Services
About Kimberly: I’m the owner of a WordPress Agency that has been in business for over 10 years. I’m a massive fan of the WordPress Community and its members, as well as a volunteer and speaker. When I’m not doing WP things, I’m immersed in being a mom and finding new audiobooks.
When it comes to WordPress core, plugin, and theme updates, do you recommend updating quickly (for security purposes) or being cautious about updates (since they can break things)?
I believe you can use either approach successfully if you’re a responsible website manager. Staying educated and selective on your stack of tools is the key. Using well-developed and maintained plugins and themes can help you find a balance by lowering the anxiety of potential breakages as well as vulnerabilities. In my experience, the best approach is relative, dictated by the infrastructure of the website itself.
☑️ Pick A Side: Aggressive
The Answer is Clear (as mud)
As much as we’d probably like to have a binary answer, the truth is that the answer sits on a spectrum.
While each of our experts considered different scenarios in their answers, when pressed on the issue, they unanimously agreed that they’d rather update aggressively than conservatively.
After reading our experts’ responses, I think the better question is “What is your risk tolerance?”. Even then, the answer to that question will vary from site to site.