Do you always need to update your WordPress plugins?
July 11, 2022
If you manage a WordPress website, you likely know the feeling of being overwhelmed by plugin update requests when you access the admin area, even right after you updated them. These plugins seem to require an update so often, so do you really need to log into your website every day to keep it current?
You’ve probably heard that you must keep your WordPress plugins up to date, otherwise your website will become vulnerable to hackers. Although there is truth to this, most plugin updates aren’t even security related.
Feature Vs. Security Updates
There are two types of plugin updates: feature and security. If it’s a feature update, I recommend NOT updating the plugin. It already performs exactly the way you want it to work, and updating it can potentially cause compatibility issues with your theme. As the old saying goes, if it’s not broken, don’t fix it. If the plugin requires a security update, then yes, absolutely update the plugin right away and test your site to ensure it is compatible with the update.
So how do we know if the plugin update is security-related?
There are many ways to track which plugins require a security-related update, but these are our two favourite ways at Simplistics:
Wordfence
Wordfence is a plugin that acts as a software firewall and can be added to any WordPress website for free. If a plugin requires a security update, Wordfence will send you an email and alert you to update the plugin. Wordfence will also help patch any plugin vulnerabilities, so this plugin is highly recommended for every WordPress website.
WPScan
WPScan is an open source tool that allows you to scan your website for security vulnerabilities, including plugins that require a security update and information on the vulnerability. There are multiple websites that offer free WPScan capabilities, like https://wpsec.com.
Is it safe to update a plugin, even if it’s security-related?
It is never recommended to update any plugins directly on your live website. Any sort of update can break your site and make it operate in unintended ways. The safest way to update your plugin is in a staging environment first. A staging environment is essentially a clone of your real website, but it’s private and only accessible to you. Most WordPress hosting providers offer a staging environment, so you can first update your plugins there. Once you’ve confirmed the updates were successful and did not break your website on the staging environment, you can then safely update the plugins on your real website.
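The feature-versus-security split and the staging-first rule above can be scripted with WP-CLI. The following is an added example, not a Simplistics tool: it assumes WP-CLI is installed on the host, that its CSV output contains only plain slugs and version numbers, and that you keep a hand-maintained file of flagged slugs (a hypothetical convention) copied from your Wordfence alerts or WPScan report.

```shell
#!/usr/bin/env bash
# Input on stdin is the CSV printed by:
#   wp plugin list --update=available --fields=name,version,update_version --format=csv
# FLAGGED_FILE is a hypothetical text file you maintain by hand: one plugin
# slug per line, taken from Wordfence alert e-mails or a WPScan report.

# triage_updates FLAGGED_FILE: label every pending update.
triage_updates() {
    awk -F, -v flagged="$1" '
        BEGIN {
            while ((getline slug < flagged) > 0) {
                gsub(/[ \t\r]/, "", slug)
                if (slug != "" && slug !~ /^#/) is_flagged[slug] = 1
            }
        }
        NR == 1 { next }    # skip the CSV header row
        NF >= 3 {
            kind = ($1 in is_flagged) ? "security" : "feature"
            printf "%s %s %s -> %s\n", kind, $1, $2, $3
        }
    '
}

# security_slugs FLAGGED_FILE: only the slugs that should be updated now.
security_slugs() {
    triage_updates "$1" | awk '$1 == "security" { print $2 }'
}

# Constructed sample data, not taken from a real site.
sample_pending() {
    cat <<'EOF'
name,version,update_version
contact-form-example,5.1.0,5.2.0
gallery-example,2.3.1,2.3.2
seo-example,19.0,19.4
EOF
}

demo() {
    flagged=$(mktemp)
    printf '%s\n' '# slugs named in security alerts' 'gallery-example' > "$flagged"
    sample_pending | triage_updates "$flagged"
    # On staging first, then on the live site once staging checks out:
    #   wp plugin update $(security_slugs flagged.txt < pending.csv)
    rm -f "$flagged"
}
demo
```

A plugin that is missing from the flagged file is treated as a feature update, so the result is only as current as the alerts you copied into that file.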