We all know how important it is to keep WordPress websites updated for security reasons.
Recently, in version 5.5, WordPress has given it’s users the ability to automatically update all their website plugins and themes to new versions, as soon as they are available, thereby keeping their sites as up to date as possible and free of potential security issues. Add this to the existing ability to automatically update the WordPress core code and you now have a website that keeps itself fully updated, all the time.
“That’s fantastic! I’ll save so much in time and maintenance costs!” I hear you say….
It sounds great, and while it may be good news for some WordPress website owners, it’s not always the best option, depending on your website’s setup and it’s objectives.
You see, automatic updates are not 100% bullet-proof, and they’re are never likely to be. To determine if they are suitable for you and your website we need to look at the pro’s and con’s of WordPress automatic updates.
Pro’s: An Automatically Secure Website
Automatic updates to keep your website secure all the time. Sounds good doesn’t it? Certainly does!
Before we start popping the bubbly, let’s just hit pause and take a look back at why we need WordPress updates in the first place.
WordPress websites are comprised of collections of code that do different things:
Themes present your website in different ways and change the layout and design,
Plugins give your website extra functionality, such as contact forms, mailing list subscriptions, Google integrations with maps or reviews, SEO or security features or additional design elements, and…
WordPress core is the engine that pulls it all together and makes it run.
The WordPress ecosystem is an open-source project which has attracted a massive community of developers building and supporting themes and plugins with the goal of enhancing the look and functionality of WordPress websites. The developers that author these themes and plugins range from one-man shows, up to large international software powerhouses authoring plugins to integrate into their own proprietary software.
The sheer volume and diversity of themes and plugins available means that the ability to customise WordPress is unrivalled. It is one of the major factors that has made it the world’s most popular website content management system.
This popularity isn’t without it’s drawbacks though… being as popular as it is makes it a target for hackers to break into websites to use them for their own purposes. This is where the diversity of plugins and themes has it’s downfall.
Not every plugin developer has the time, resources or skill to create plugins that are 100% secure, ie. impossible to hack into. Even if they do, every day hackers will find new ways to exploit vulnerablilities in the code of themes and plugins to gain unauthorised access to WordPress websites.
Luckily there is a dedicated sub-section of the WordPress community that devotes themselves to finding these vulnerabilities and working with the theme and plugin authors to fix them before they become problems for the website owners.
The authors fix the vulnerable code and then release the fix in the form of an update which we perform on the theme or plugin through the WordPress system. Just like an operating system update on your laptop or phone.
The WordPress core is also a prime target for hackers, and similarly will have regular security updates required.
If the correct precautions are taken, then the risk of security issues and hacking is really quite small small. The most important action to take is keeping your WordPress website up to date with all the latest updates that fix the latest security issues.
So that’s why we need WordPress updates. There are also other occasions where we may want WordPress updates, such as upgrading a theme or plugin to get new layouts, functionality or compatibility with other plugins.
So the ability to get all your WordPress updates done Automatically is a big advantage. It should save the average website owner a significant amount of time and money usually devoted to manually performing updates.
It should be a game changer right?
Yes, It should be. In theory…. but in practice it’s a very different story.
Now we understand the Pro’s of WordPress automatic updates, lets take a look at the Con’s.
Con’s: The Risks of WordPress Automatic Updates
Risk: Auto updates may change your site in unexpected ways.
In an ideal world, all WordPress plugins and themes will work harmoniously together for ever and ever. Unfortunately that’s just not the case. Sometimes plugins and themes can have compatibilty issues with other each other, leading to undesired loss of functionality.
Theme and plugin developers are simply not able to test their plugins with every other available plugin due to the vast number of WordPress plugins that are actually available. In addition, the level of code quality and general quality control and testing done on any given plugin can vary greatly. This leads to the aforementioned compatibility issues between plugins, themes and WordPress itself.
Consequence: Compatibility issues can cause the intended functionality on your website to stop working either fully or partially. Worst case scenario is your website going offline.
Risk: Multiple updates at the same time can sometimes fail.
WordPress schedules auto updates for twice a day. If you have several plugins or themes scheduled to update at the same time, then there is a chance your web server could become overloaded, leading to failed updates.
Consequence: Your website may get fatal errors and get stuck in maintenance mode, or be taken offline completely.
Risk: Major plugin or theme updates can change the way they work and interact with your website.
This means that while an auto update has not introduced an error as such, plugin or themes may alter the layout of your site, or alter the functionality and in some cases may not work at all.
Consequence: Your website may have unintended changes in its layout or lose functionality.
Risk: Automatic updates make it harder to diagnose issues.
If more than one update happens at any one time, and one of them causes an issue with your website, it is significantly harder to determine what has caused the issue.
Consequence: If your website does experience an issue with auto updates, then it may take significantly more time to find and fix the problem.
Risk: Any of the above issues may occur before you can stop them, or even know about it.
While WordPress does a good job of notifying website users when updates have happened, and if they have been successful or failed, it is still best practice to check and test your website every time an auto update has occurred.
Auto updates are scheduled twice a day, every 12 hours. So it is possible that unintended issues can be introduced to your website without your knowledge, for example overnight, before you even get to read your WordPress update emails.
The solution is testing of your website as soon as possible after each auto update, to ensure there are no issues introduced to your site and everything is functioning as expected. With the average website having easily 10 or more updates per month, that’s a fair amount of extra time needed for testing. The kicker is that you don’t get email notifications of when the updates are going to happen or how many will happen at once.
Consequence: Auto updates consume a website owners time to test their sites, and to action issues, otherwise they risk issues going undetected.
Website Use Cases and Your Options
There are several different ways to approach WordPress auto updates based upon your skill level in managing the technical side of WordPress and the type of website you own.
Case 1: For technically experienced WordPress owners with time available to test their website / Suitable for all types of websites.
If you are technically able to wrangle WordPress auto updates, and have the time to do so, then we recommend you closely manage your WordPress site’s updates individually and immediately test your site every time an update occurs.
WordPress allows us to select which plugins and themes we switch on auto updates for. Therefore you are able to potentially switch off updates for plugins that have had history of compatibity or quality control issues.
If you switch off some auto-updates, then you won’t automatically get all the latest security updates for that plugin or theme. This means you will also have to also monitor your site with a security plugin such as Wordfence to ensure you dont miss any important security updates for the plugins and themes that have auto-updates switched off.
The Cost: No costs unless additional help is required to address any issues found. Can be time consuming, depending on your level of expertise.
Case 2: For moderately experienced WordPress owners with time available to test their website / Suitable for basic business and blog websites
When a website does not have a complicated setup with a large amount of plugins, or have any plugins that have a history of compatibility or quality control issues, AND you have the time to test your website when you receive update notifications, then you can switch on ALL auto updates.
All you have to do is commit to testing your website when updates occur to ensure no issue arise. A certain level of WordPress technical knowledge may be required to effectively identify issues.
The Cost: No costs unless additional help is required to address any issues found. Will take a certain amount of time each time you are testing your website.
Case 3: Suitable for complex, Ecommerce and mission-critical business websites.
If your website has a complex setup, or your ecommerce site is an income stream that your business relies on, or your site simply must work all the time for your cutsomers and prospects, then this is the case for you.
Due to the risks of auto update issues interrupting your website and it’s mission-critical nature, it is recommended that you switch off ALL WordPress auto updates.
This will require that you put in place regular security monitoring through Wordfence or a similar plugin, to identify potential security updates required.
You will need to be prepared to manually perform and test security updates as they are required, and non critical updates if required on an ad-hoc basis.
Costs: The cost to monitor and perform required maintenance on your website, or the time it takes to do it yourself.
Case 4: For all types of WordPress owners that don’t have the time or skill level to monitor updates and address issues.
This approach takes the onus off the WordPress website owner from being responsible for the security monitoring, updates and testing on their website.
The solution is a WordPress maintenance plan.
At Juice Digital we offer WordPress maintenance plans that take an intuitive approach to updating plugins and themes. Updates are categorised by their importance in terms of the security risk as defined by the Wordfence security plugin – low, medium, high or critical.
In reality, it is the high or critical risk updates that are going to cause issues in your WordPress site 99.9% of the time. So that’s what we focus on monitoring and managing.
There are several levels of plans available, with the entry level plans just performing updates classed as high risk or critical, and higher spec plans performing all updates that become available for your site. Updates that are required are performed manually, and are immediately tested individually.
A maintenance plan is the ideal solution if you dont have the time to deal with the problem yourself. Your site is kept secure, and well updated, and you dont need to lift a finger.
It’s like the convenience of auto-updates, except you have highly experienced WordPress developers negating the risks and managing the whole process for you.
Click here for more information on our WordPress ‘Peace of Mind’ Maintenance Plans.
Case 5: Ignore it and it will go away.
No, it won’t.
If you choose to not do any updates then you run the risk of security issues on your website, such as your site being maliciously accessed or ‘hacked’ – Yes, it does happen…. and the results can have huge negative impacts on your business and reputation.
Read the link below from the Wordfence blog to find out what hackers want to do with your website.
If you choose to do auto-updates but then don’t test the updates, you run the risk of your website losing functionality or going offline altogether.
Either of these scenarios is likely to end in costs to fix your site that are far greater than any time or expense it may have taken to implement any of the other 4 cases above.
Costs: The functionality of your website, potentially your business reputation, and far more time and money than if you addressed it properly in the first place.
So there’s our run down on the Pro’s, Con’s and consequences of WordPress automatic updates. I trust you are now empowered to make an educated decision to simplify the maintenance of your WordPress website.
