December 28th, 2020

My WordPress updates policy

If you have a website that is hosted by Oikos or that I help to look after then I have had a change of policy and process around updates.

What are updates and why are they important?

Most websites that I look after for people run on a software program called WordPress. And in most cases WordPress has been given additional capabilities by using plug-ins and themes, which are like extra little programs that extend or enhance it.

You can think of WordPress as being like the operating system on your mobile phone (iOS or Android), and the plugins are like the apps that you install.

All of this is software.

And software changes. Sometimes software changes to add new features and make it better. Sometimes software changes fix "bugs" or errors in the program. And sometimes a bug or error is security-related. This means that a problem in the code allowed your program or device to be hacked into. So the "security fix" is a change that will stop that hacking being possible.

Having your website hacked into is bad, of course. So keeping your software up to date is important. We talk about "versions" of code/programs/apps, and when software is updated we say that a new "version" is released. In most cases you really want to be on the latest version, as this is the safest and best version of the software (there are sometimes reasons not to be on the latest version).

How updates used to work

Software changes can, very occasionally, break things.

So, yes: not updating your website is bad. But updating it is sometimes bad too. So there is a trade off to be made. There are risks to evaluate with both approaches.

And historically I have taken the cautious view that properly bad security issues are rare and so I'd rather not risk breaking your website to be on the latest and greatest versions of everything.

So, if I look after your website, or host it, updates were manually and periodically performed by me on your behalf in some way. I have a couple of systems and processes for doing this and making it at least semi-automatic.

How updates work now

In short, I'm gradually getting round to setting as many of the websites I look after as I can to run fully automatic updates for as many things as possible. This means that you should get the latest version of WordPress and most/all of your plugins and themes within 12 hours of any updated version being released.

You may also start to get emails informing you of updates that have happened.

Why make this change?

There are a few reasons for this change:

  1. I've re-evaluated the risks and have decided that a) clients are more likely to be hurt by not being on the latest versions of software and b) the pain clients are likely to feel as a result of being hacked is greater than the pain of something breaking because of a software update.
  2. WordPress has added the ability to auto-update everything. WordPress itself has had automatic "minor" version updates for a long time now. And plugins and themes have had the option to be automatically updated for a while, but the ability to turn this on and off easily has been added recently.
  3. I've been observing WordPress sites that already have some auto-updating and the rate of failure is very low. I think I've had one or two problems in a few years of seeing this done.
  4. It removes both a burden and a workload from me, at virtually no cost to you or me.

If you want to read more, the makers of the WordFence security plugin say in a blog post about auto-updates:

Overall, our philosophy is that providing automated updates is a good thing for a subset of WordPress sites. Blogs and informational or promotional sites which can often go unattended for months or years are at higher risk of being hacked via outdated plugins or themes. For these sites, the risk of being hacked outweighs the risk of an automatic update gone awry.

And my good friend and security consultant Tim Nash has done a lot to convince me (though he would berate me for being so slow to implement this change) with his article about automatic updates, which says:

Automatic Updates are safe and better than you doing them ... I don’t mind what does the automatic updates, WordPress, Jenkins, a cron with some WP-CLI commands as long as it’s not you. Accept it, we suck, let the computers take over.

What does this mean for you?

Is this thing on yet?

First of all, if you are on hosting, which I have recommended to many, then you already have most things auto-updating, so nothing changes.

If you're not on hosting then I am going round and turning on auto-updates for most clients in most situations.

In cases where I believe the impact of this is negligible and where I normally run updates for you anyway, I am just doing this without asking or notifying you.

In cases where I believe there is a higher risk of updates breaking your website, I'm either asking clients if this is what they want to do, or I'm not enabling auto-updates for ALL plugins. For example, if you have an eCommerce plugin, auto-updating it may not be a good idea as there can be large, breaking changes. But I'll set other plugins to auto-update.
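For anyone curious how the "auto-update everything except the risky plugins" policy above can be applied from the command line, here is an added example using WP-CLI (the tool Tim mentions); it is not Oikos' own tooling. It assumes WP-CLI 2.5 or later (which added the `auto-updates` subcommands), that it is run from the site's WordPress directory, and the plugin slugs in it are constructed placeholders.

```shell
#!/bin/sh
# Added example: apply the update policy with WP-CLI.
# Assumes WP-CLI 2.5+ and that we are in the WordPress root directory.
set -eu

# Plugins that get large, breaking releases and stay on manual updates
# (e.g. an eCommerce plugin). Placeholder slug; edit per site.
EXCLUDE="woocommerce"

# Read plugin slugs on stdin, drop the excluded ones, print the rest.
# Kept free of wp calls so it can be checked on its own.
select_plugins() {
  exclude="$1"
  while IFS= read -r slug; do
    [ -n "$slug" ] || continue
    skip=0
    for ex in $exclude; do
      [ "$slug" = "$ex" ] && skip=1
    done
    if [ "$skip" -eq 0 ]; then
      printf '%s\n' "$slug"
    fi
  done
}

apply_policy() {
  # Core: minor releases have auto-updated for years; allow major ones too.
  wp config set WP_AUTO_UPDATE_CORE true --raw
  # Themes: auto-update all of them.
  wp theme auto-updates enable --all
  # Plugins: enable only for the non-excluded set.
  wp plugin list --field=name | select_plugins "$EXCLUDE" |
  while IFS= read -r p; do
    wp plugin auto-updates enable "$p"
  done
  # Show the resulting state so it can be recorded or emailed to the client.
  wp plugin auto-updates status --all
}

# Only touch the site when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
  apply_policy
fi
```

Run it as `sh apply-updates-policy.sh --apply` from the site root; without `--apply` it changes nothing.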

Email notifications

You may start to receive email notifications about updates. Yes, these are intentional and from your website. You can probably ignore them. And, as always, never click on links in emails unless you're sure of where they have come from.

Test your site occasionally

Updates could still break or change things. So if you have a website, it's worth checking it over from time to time. Does the contact form work? Do notification emails go to the right places? Is anything broken with the layout/display?

Visiting your own website to test it occasionally is a good habit to have anyway - you may notice things that are out of date or that need changing.

I have your security at heart

That's all on updates. Oikos has the security and safety of your website at heart and these changes are intended to have the double benefit of reducing manual effort AND increasing security and safety.

Let me know if you have any questions or concerns.