WordPress Updates

WordPress updates. Where do these come from? What are they? Why do they exist? Do you need them? What do they do?

There can be a lot of updates that become available for WordPress. It can be very tempting not to apply updates in your WordPress installation, especially if you’re a bit nervous about things going wrong.

Instead of being worried about what can go wrong if you apply WordPress updates, you’d probably be better off worrying what can go wrong if you don’t apply your WordPress updates. I’ll try and explain why this is the case.

Where do all these WordPress updates come from?

When you make a site with WordPress, the very first thing you do is install WordPress itself. This comes from https://wordpress.org/, who are the party that make WordPress core.

After installing WordPress, you might then install a WordPress theme. Although the places where you get WordPress and the WordPress themes from look very similar, the themes aren’t made by the same parties that make WordPress core.

You’ll probably install a plugin as well. You’ll probably install more than one plugin. Again, even though the place you get the plugins from looks the same as where you get the themes, and WordPress itself, the plugins aren’t made by the same party that make WordPress or the WordPress themes. Each plugin is often made by a different party.

WordPress is an open platform, which means that anyone can make themes or plugins, and then put them in the places mentioned above, so that you can install and use them. WordPress is like one big team effort of website making, with lots of different parties contributing to this.

Let’s say you have a WordPress installation running one theme and six plugins. That could mean that there are eight parties that have contributed to the code and files that make up your WordPress installation. That also means that this WordPress installation has eight parties making updates available for your WordPress.

It’s this number of parties being involved that results, in part, in there being a lot of WordPress updates.

What are these updates?

The WordPress updates that become available are a way for these parties to keep the code of your plugins, themes and WordPress core up to date. They’re essentially code changes that can serve a number of purposes.

For the moment, consider that some effort goes into people coding these updates, testing them, then making them available. They’re doing this to serve a purpose, rather than doing this for the sake of it, or for the sheer joy of writing code.

These updates, and the effort involved in making them, testing them and publishing them all serve a purpose. In reality there’s more than one purpose these updates serve.

Why do these WordPress updates exist, and what do they do?

There are four reasons why WordPress updates are made available:

  1. To add features or functionality to plugins, themes and WordPress core.
  2. To fix bugs.
  3. To patch against vulnerabilities that are discovered.
  4. To keep the PHP that makes up your WordPress compliant with recent versions of the PHP interpreter.

Adding features or functionality

How things work changes over time. Often, a party that’s made a plugin, theme or even WordPress itself will think of an improvement that can be made, or a better way of doing things. These improvements or better ways of doing things are the functionality or features that I’m referring to.

If we take the blocks editor that’s now built in to WordPress as an example, there was a time when this didn’t exist.

When the blocks editor became available, it didn’t just automagically appear in everyone’s WordPress; they had to update their WordPress to obtain the blocks editor.

The blocks editor is an example of a feature that was gained by applying WordPress updates.

Although I’ve used the blocks feature as an example, the plugin, theme, and WordPress developers are all improving things, and adding features and functionality all of the time.

Reason 1 for applying WordPress updates:

You’ll gain the benefits of improved features and functionality by applying updates.

Fixing bugs:

If a feature or a function in a theme or plugin doesn’t work properly, or as expected, an update is often released to fix this.

Although most plugins and themes will go through a testing cycle to check everything works prior to release, things can be missed. This doesn’t just apply to WordPress, plugins and themes, but to most software. Often an update is required to make a plugin or theme function as it was originally intended.

Reason 2 for applying WordPress updates:

Updates are used to fix aspects of plugins, themes or WordPress core that don’t function as originally intended.

Patching against vulnerabilities:

When a theme or a plugin is made available, it’s not completely checked for all security problems (I’m paraphrasing). This means that new vulnerabilities are discovered over time.

Vulnerabilities that are discovered are disclosed on vulnerability database websites such as https://www.cvedetails.com/ and https://wpscan.com/ .

Although disclosing these vulnerabilities may sound a bit like telling hackers how to hack people, this disclosure takes place to allow plugin and theme developers to update their code to remove the vulnerability. The vulnerability disclosure also allows people using the affected plugin or theme to decide if they’re going to keep using the vulnerable component. The updating of code to remove vulnerabilities is called “patching”. You patch against vulnerabilities to stop hackers being able to hack your website. You obtain these patches by applying updates.

It’s for this reason that configuring an updates manager is covered in this “How to secure your WordPress” post.

Reason 3 for applying WordPress updates:

WordPress updates patch against vulnerabilities, to prevent hackers from being able to hack your website. You need to apply updates to prevent your site from becoming vulnerable to attack or compromise.

Keeping site code up to date in line with the PHP interpreter.

The PHP interpreter is the PHP that’s installed on the web hosting server. It’s this that turns the PHP code that makes up your website into the website that you see in a browser and the things that your website does. The PHP interpreter is used to run the PHP code that makes up your website (rather than the code being compiled, then run, which is how some other programming languages work).

There are different versions of the PHP interpreter, and it is updated over time (again, to provide additional functionality), so more versions will be made available in the future. As more versions of PHP become available, older versions of PHP are retired.

You can see the currently supported versions of PHP here, and the older unsupported versions of PHP here.

These different versions of PHP function in slightly different ways, and if your site is running old PHP code, it won’t always run on recent versions of PHP.

Over time, hosting companies stop using older versions of PHP, and if the code of a site is specific to a version of PHP that’s not available on the server, it’s highly likely the site won’t work any more.

A real life example of this was the mysql extension. This extension was removed in PHP 7.0. This extension is used to have PHP connect to and use a database, so it’s quite fundamental in the context of WordPress or any other PHP based, database backed website.

Any websites using the mysql extension failed when versions of PHP older than 7.0 were removed from the server. The fix was to update, but how can you click the update button in WordPress, if your WordPress isn’t working? You can’t. Well, you can, but it involves writing PHP code, and manually editing files.

Systems administrators are always updating web servers. The underlying PHP version will be updated and change at some point. For your site to continue to function, you need to make sure it’s not using code specific to a version of PHP that will be removed when the server is updated.
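
One way to check for this before the server’s PHP version changes, as an added example (not code from the original post): a shell script that lists which plugins and themes still call the removed mysql extension. The sample tree and its component names are constructed for illustration, and the wp-content layout (plugins/ and themes/ subdirectories) is assumed.

```shell
# Added example: list plugins/themes that still call the ext/mysql API
# (mysql_connect(), mysql_query(), ...), which PHP 7.0 removed.
# Needs a grep with -r and --include (GNU and BSD grep both have them).

# scan_removed_mysql DIR: print "file:line:code" for each line in *.php under
# DIR that calls a mysql_* function. Exit status 0 if any were found.
scan_removed_mysql() {
    # The character before "mysql_" must not be part of an identifier, "$" or
    # ">", so $mysql_var, my_mysql_x() and $db->mysql_x() are skipped; mysqli_*
    # never matches. Calls named in comments still match: review each hit.
    grep -rniE --include='*.php' \
        '(^|[^A-Za-z0-9_>$])mysql_[a-z_]+[[:space:]]*\(' "$1"
}

# report_by_component WP_CONTENT: print "<hit lines> <component>" for every
# plugin or theme directory that has at least one hit.
report_by_component() {
    for dir in "$1"/plugins/*/ "$1"/themes/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        hits=$(scan_removed_mysql "$dir" | wc -l | tr -d ' ')
        name=${dir#"$1"/}
        if [ "$hits" -gt 0 ]; then echo "$hits $name"; fi
    done
}

# Constructed sample tree (hypothetical component names, not real plugins).
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/plugins/old-gallery" "$root/plugins/modern-forms" \
             "$root/themes/legacy-theme"
    cat > "$root/plugins/old-gallery/gallery.php" <<'EOF'
<?php
$link = mysql_connect('localhost', 'user', 'pass');
$res  = mysql_query("SELECT id FROM wp_gallery", $link);
EOF
    cat > "$root/plugins/modern-forms/forms.php" <<'EOF'
<?php
$rows = $wpdb->get_results("SELECT id FROM {$wpdb->prefix}forms");
$db   = mysqli_connect('localhost', 'user', 'pass');
EOF
    cat > "$root/themes/legacy-theme/functions.php" <<'EOF'
<?php
if (!mysql_select_db('wp')) { die(mysql_error()); }
EOF
    echo "$root"
}
SAMPLE=$(make_sample_tree)
report_by_component "$SAMPLE"
```

On a real site, point report_by_component at the wp-content directory; any component it lists needs updating or removing before PHP older than 7.0 goes away.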

Regularly applying WordPress updates usually means that your site will almost always be compatible with a version of PHP that’s available in your hosting. Regularly applying your WordPress updates ensures that the PHP your site runs stays up to date in line with the server side PHP interpreter.

Reason 4 for applying WordPress updates:

You need to ensure that your site isn’t running code that will cease to function when older versions of PHP are removed from the web server.

Do you need to apply WordPress updates?

This is covered above. You’d need WordPress updates to gain improved features and additional functionality. You may need to apply updates so that all aspects of your site function as they should. You need updates to maintain a reasonable level of security. You also need updates to make sure your site functions as and when older versions of PHP are removed from the server. The second two are crucial.

Functions and features aside, not updating is a bit like saying “Hey, I’ll live with these vulnerabilities that hackers can use to exploit my site” or “you know what? I only need this site for a year. When PHP 8.2 gets removed and my site breaks WHO CARES?!?!”. It’s not really a sensible approach now, is it?

When it comes to the security side of things, a lot of people think along the lines of “why would a hacker be interested in my site” or “there are millions of sites on the internet, they won’t notice if mine isn’t updated”. Whilst I can understand these trains of thought, this isn’t generally how or why hackers operate.

Hackers aren’t usually interested in an individual website, they’re more interested in the services that the underlying server provides (CPU power for bitcoin mining, or an SMTP server for spamming, for example). Hackers tend to write tools that scan for vulnerabilities then make use of them. They aren’t sitting at a computer typing to hack websites one at a time. Why would they? It’s much more efficient and productive for them to write a program that crawls websites testing for vulnerabilities and making use of them should they be found. Just like how the google bot will eventually discover a website organically, a hacker’s bot could quite easily discover a vulnerable website, then exploit it.

You might be reading this thinking “OK, I get it, I’ll apply the WordPress updates!”…. but there are some trains of thought that make people reticent to apply updates.

Why do some people avoid applying WordPress updates?

People usually fear WordPress updates because they don’t want to change anything for fear of breaking their site.

Well, the underlying server is always changing and being updated, so you need to apply WordPress updates to keep your site aligned with the server on which it’s hosted. Your site is going to break at some point if you don’t apply updates.

Updates don’t often break things. Updates are usually tested before being released. I’ll admit that one or two updates can slip through the net and cause sites to break, but this is generally few and far between.

Developers that release updates don’t do this with the intent of breaking a site. In fact they’re releasing updates so that your site doesn’t break (when PHP versions change), doesn’t get hacked, or so that part of your site that didn’t work gets fixed. These developers want you to be using their plugins and themes, and they want you to do so reliably. The updates are released to improve this reliability, not make it worse.

It’s generally a better idea to update, and either fix update related problems, or remove the plugin or theme that broke your site when updating. Temporarily using a previous version of a plugin might be a solution in the short term, but it’s a good idea to ultimately update this when a good update (one that doesn’t break the site) becomes available.

Still not convinced?

What would you rather? A risk of hack and/or complete site failure, or a once in a blue moon bad update breaking your site once (or maybe this not happening at all).

To provide a bit of context with regard to how frequently updates break websites, I configure all the WordPress sites I’ve ever made to automatically update as and when WordPress updates become available, and I’ve not yet had an “an update broke my site” scenario. I’ve been making WordPress sites since 2016. I also work as a Systems Administrator for a web hosting company. I’ve been in this position for 10 years now, and I’ve seen two bad updates break websites in that time. It’s not very common.

What if you can’t apply WordPress updates?

Make it so you can.

If you use a paid plugin or theme to create your website, you’ll have to pay for this in an ongoing manner to obtain WordPress updates.

If you don’t want to pay in an ongoing manner, it’s best to not use that paid plugin or theme as opposed to not updating.

It really is a case of either not using the paid plugin or theme, or paying for it, and getting the updates.

Some people will think along the lines of “I’ll update everything apart from the thing I need to pay for”. This often causes mismatches in the version of the PHP interpreter a site needs to function. You end up with the updated parts running PHP code that’s specific to newer versions of PHP, and the component that’s not being updated running PHP code that’s specific to an older version. What version of PHP do you use?

In the type of situation mentioned above, a site tends to fail. The part that’s not being updated causes the site to fail on newer versions of PHP, and everything else causes the site to fail on older versions of PHP. Invariably the fix is to remove the older part that’s not been updated… but you could have done that in the first place and not had the headache and downtime.

Avoid the headache and downtime and ensure you can apply WordPress updates, either by paying for paid for plugins and themes in an ongoing manner, or by not using any paid for components in the first place.

A word about hacking.

Hacking can be really difficult to address once it’s taken place. You never know what’s been done to your WordPress. If you have a read of this post about how hackers create hidden admin users on your blog you’ll get an idea of what you can be up against when trying to clean up a hack.

Once a hacker has gained access to your WordPress it’s very hard to find everything that they’ve done and undo it. Some people resort to completely remaking their website, as it can be less effort than cleaning and securing a site after it’s been hacked.

It’s generally better to prevent hacking taking place in the first place, and part of that is patching against newly discovered vulnerabilities in your WordPress by…. applying your WordPress updates!

Automating WordPress updates.

Imagine the scenario: You’re on holiday in a romantic location with your other half. You go out for a moonlit dinner on the beach. Your partner leans in for a smooch, and just as they do, a small voice in the back of your mind says, “you haven’t updated your WordPress, and the Solid Security Vulnerability Report comes out tonight”.

It’s a bit of a mood killer isn’t it? Nobody wants that. If there’s one reason (amongst many) you should automate your WordPress updates it’s this: So you can enjoy your holiday.

So here’s how you automate your WordPress updates:

Install the “easy updates manager” plugin:

After installing and activating easy updates manager you’ll see the word “updates” appear in the admin bar at the top of your wp-admin area, click on this:

You’ll then see some update related options, simply click on “Enable All Updates” and “Auto Update Everything”:

auto update everything. yes EVERYTHING

And that’s it, you’re done. Enjoy your holiday.

In summary…
  • Updates are made available to add new features and functionality, patch against vulnerabilities, and update code to make it compliant with recent versions of PHP.
  • Updating is required to maintain a reasonable level of security, and not get hacked.
  • Updating is required to keep your site functional as and when older versions of PHP are retired.
  • Not updating causes more problems than it solves.
  • If one component of your WordPress can’t be updated, remove it, or address this situation so that updates can be applied.
  • Being hacked isn’t a fun situation to sort out. Don’t get hacked.
  • Automating updates allows you to get on with other things.. like enjoying your holiday.
