WordPress updates come three times per year. Depending on the theme developer, theme updates may occur several times per year. And if you have a dozen or more plugins, you’ll likely see plugin updates a few times per month or more. All of these updates are great, but they create a significant burden on site owners and developers if you want to keep your site up to date all of the time. WordPress actually makes it relatively easy to push the update button and have everything update automatically behind the scenes. However, doing that willy-nilly every time there is an update inevitably leads to changes in how a site looks, sometimes disastrous ones. That requires time spent fixing pages so they look good again – time that you may not have set aside, so you are then faced with leaving a site broken to some degree, or ignoring other tasks so you can focus on fixing the site.
Many updates are minor bug fixes or features that may never affect you. On the other hand, some are critical security fixes that you should apply immediately.
This all begs the question, how often should you update your site?
Clearly, updating it EVERY time a WordPress admin badge alerts you that an update is available is probably overkill. After all, why run the risk of breaking your site for a plugin update that may not offer anything you care about? On the other hand, that badge icon is like an unread message in your email box, isn’t it? It’s irritating and I just want to run the update to make it go away.
Somewhere between never updating WordPress and updating it every time the update badge shows up, there is probably a happy medium. We are developing a strategy or update schedule that enables us to stay up to date on a consistent basis without constantly interfering with day-to-day work. Our initial thought is to schedule updates three times a year, following major WordPress updates, and resist updating between releases except in cases where critical security fixes for a plugin, theme or WordPress core are released.
That seems like a reasonable approach, but a couple of issues arise immediately. One, how can you easily tell if available updates are critical? And, two, how can you eliminate those nagging badges if you (and your clients) would rather not be bothered by them all of the time?
In terms of figuring out what updates are important, you can certainly read through the release notes for each plugin that you have installed, but that’s tedious, all the more so if you maintain a lot of sites. The Plugin Vulnerabilities plugin is a good idea and easy to use, but it relies on an update database that is not very up to date. On the other hand, WPScan takes a little more know-how to install and run (it’s written in Ruby), but it utilizes the very well maintained WPScan Vulnerability Database. The database itself offers a free email alert service so you could just subscribe to that and keep an eye out for any mentions of plugins that you use. WordPress Scanner is written in PHP instead of Ruby and uses the same database as WPScan.
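The triage described above, written out as an added example that is not from the original post or from any of the tools it names: it compares installed plugin versions against advisories that carry a "fixed in" version and sorts each plugin into update now, no fix available, or wait for the scheduled window. The plugin names, versions and the advisory record layout (`slug`, `title`, `fixed_in`) are constructed for illustration and are not the WPScan database's actual schema.

```python
import re

# Constructed sample data: plugin slugs, versions and advisories are invented
# for illustration and do not describe real plugins or real vulnerabilities.
INSTALLED = [
    {"name": "example-forms", "version": "2.9.1"},
    {"name": "example-gallery", "version": "1.10"},
    {"name": "example-seo", "version": "4.0.2"},
    {"name": "example-slider", "version": "3.1"},
]
ADVISORIES = [
    {"slug": "example-forms", "title": "Stored XSS", "fixed_in": "2.10.0"},
    {"slug": "example-gallery", "title": "SQL injection", "fixed_in": "1.9"},
    {"slug": "example-slider", "title": "Arbitrary file upload", "fixed_in": None},
]

def version_key(version):
    """Turn '2.10.0' into (2, 10) so that 2.10 sorts above 2.9.
    Pre-release suffixes such as '-beta1' are not handled."""
    parts = [int(n) for n in re.findall(r"\d+", version)]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()  # treat 2.0.0 and 2 as the same release
    return tuple(parts)

def triage(installed, advisories):
    """Sort plugins into update_now, no_fix and scheduled buckets."""
    result = {"update_now": [], "no_fix": [], "scheduled": []}
    for plugin in installed:
        bucket = "scheduled"  # default: wait for the next planned window
        for adv in advisories:
            if adv["slug"] != plugin["name"]:
                continue
            if adv["fixed_in"] is None:
                bucket = "no_fix"  # no patched release exists; updating will not help
            elif version_key(plugin["version"]) < version_key(adv["fixed_in"]):
                bucket = "update_now"  # installed version predates the fix
                break
        result[bucket].append(plugin["name"])
    return result

if __name__ == "__main__":
    for bucket, names in triage(INSTALLED, ADVISORIES).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Comparing versions numerically matters here: a plain string comparison would rank 1.10 below 1.9 and flag an already patched plugin. Plugins in the `no_fix` bucket need a decision other than updating, such as deactivating them until a patched release appears.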
If you have set up your own predefined schedule for running updates and are monitoring for any critical security updates between your scheduled updates, then you will likely want to disable automatic updates and may also want to disable the WordPress update nags, including the badges that show up in the WordPress Dashboard as well as the emails that get sent out. Easy Updates Manager does a great job of both.
If you are looking to take control of your WordPress update schedule, hopefully these thoughts and tools will aid you in doing so. How often do you update your sites? What issues do you run into with regard to updates?