The number one security issue with WordPress is third-party plugins and themes, and the number one problem with those WordPress plugins and themes is site owners (like your clients) who don’t keep them up to date. New versions of WordPress plugins may very well include security patches, and the more versions that are skipped, the more likely your client’s site will have security vulnerabilities.
Does your client’s WordPress Dashboard have something like this at the top?
If so, then it’s time to take control of those plugins and keep your client’s site up to date.
First Things First: Backups
Backups should always be a part of your plugin management system. Frequent backups make it so you can simply do a restore to get the site back in shape after a hack. They also provide a way to recover when plugin updates fail and bring down the site. Making backups is ridiculously easy these days, and there’s no reason to not do it. There are a wide variety of plugins available with price points starting at free! Here are several that I’ve used and trust:
All of them allow for one-click backups, and unless your client’s site is very large, it takes only minutes to make a backup.
Another option is backups provided by your hosting provider. Some offer backups for free and some charge a fee. This can be a good option because your host will often store these backups off-site for further protection and will lend a hand if you need it.
This process of regular backups may seem annoying for a while, but the first time you’re able to restore your client’s site after something terrible happens you’ll be glad it’s a part of the process.
How To Update Your WordPress Plugins
Once you have regular backups, updating can happen whenever it’s convenient for you.
If you’re regularly in the admin area of your client’s site then you’ll see the little notices that appear when there are updates. If you have a single plugin that needs updating then you can simply click the “update now” link in the plugin box.
This will update the plugin in the background and all you’ll see is a little spinning arrow for a few seconds.
If you need to update more than one, it can be easily done by checking the checkbox at the left end of each plugin, choosing “Update” from the drop-down list at the top, and then clicking “Apply”.
This will go to a new page and give you a list of plugins that were updated. That’s all there is to do for manual updates!
Not all of us log in to our website admin areas every day. Some don’t even log in every week, or even every month. This is when it’s time to make the site work for you. A plugin called WP Updates Notifier will check the site for updates as often as you tell it to and, if it finds any, it will email you.
Updates Notifier will alert you to updates for plugins, themes, and even WordPress itself. If you’re someone who doesn’t access the admin area of your client’s site all that often, this plugin is a must.
Updating Multiple Sites At Once
I have a blog. My wife has a blog. Each of my kids has a blog. Guess who updates all of them? There’s no way I want to log in to 4 sites to update plugins all the time. Fortunately there are some excellent services out there to help with that. I use WP Remote for my own sites. The free model allows me to see all the updates needed for all my sites in one place, and click just a few buttons to update all of them. The paid model also includes backups.
ManageWP is another excellent service that provides more features. It’s a little more expensive, but it includes features like the ability to install and remove plugins on multiple sites at once.
Don’t want to think about it?
Some agencies or developers simply don’t want to deal with any of this, no matter how easy it is. There are just better and more profitable things to do than update WordPress plugins. For people like that there are plenty of services that are happy to help. They make sure backups happen, plugins and themes are updated, and can easily restore your client’s site in case of emergency. Here are some options for you:
All of the above services are reputable, but each has different policies, rules, and prices. Check each one before deciding.
It’s possible to have your client’s site simply update its plugins automatically. It’s not very difficult, and there’s excellent documentation on the WordPress Codex. Whenever there’s a new version of a plugin or theme it simply gets installed.
While this may sound very convenient, I don’t recommend it. If something went wrong you wouldn’t know until you checked your client’s site again. Even then you wouldn’t know WHICH plugin or theme caused the problem.
The Myth Of Too Many Plugins
There’s a common belief that too many WordPress plugins will slow your client’s site down. The truth is that a well-written plugin won’t slow it down more than a couple hundred milliseconds. This means you could have hundreds of well-written plugins and barely notice.
On the other hand, a single poorly written plugin can bring your client’s site to its knees. Any time you install a new plugin pay attention to your client’s site performance. It’s much easier to notice when you’ve recently made a change.
Removing Unused Plugins
There’s also a common misperception that if a plugin is deactivated, it can’t be exploited. For this reason deactivated plugins often get ignored and not updated. Nothing could be further from the truth. Plugins have standard locations on sites and the bad guys know where those are. If you have an old version of a plugin with a known exploit, it’ll get abused, even if the plugin is deactivated.
The easiest way to deal with this is to simply delete any plugins you’re not using any longer.
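The backup, update, and cleanup routine described above, written out as a shell script. This is an added example, not part of the original article: it backs up first, updates plugins one at a time with a health check after each so that a failure points to a specific plugin, and lists deactivated plugins still on disk. It assumes WP-CLI (`wp`) and `curl` are installed on the server, which the article does not mention; `SITE_URL`, `BACKUP_DIR` and `RUN_NOW` are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the article). Assumes WP-CLI (`wp`) and curl are
# installed and this runs from the WordPress root of the site being updated.
SITE_URL="${SITE_URL:-https://example.com/}"    # placeholder URL (assumption)
BACKUP_DIR="${BACKUP_DIR:-$HOME/wp-backups}"    # hypothetical; outside web root

# Succeeds when the front page answers with an HTTP status below 400.
site_ok() {
    curl -fsS -o /dev/null --max-time 20 "$SITE_URL"
}

# Dump the database and archive the plugins directory before any change.
backup_site() {
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$BACKUP_DIR" &&
        wp db export "$BACKUP_DIR/db-$stamp.sql" >/dev/null &&
        tar -czf "$BACKUP_DIR/plugins-$stamp.tar.gz" -C "$(wp plugin path)" .
}

# Update pending plugins one at a time. Stops at the first plugin whose
# update fails or breaks the site, prints its name and returns 1, so you
# know which plugin to roll back from the backup. Returns 2 if it never
# started, 0 if every update passed the health check.
update_plugins_one_by_one() {
    site_ok || { echo "site already failing; not updating" >&2; return 2; }
    backup_site || { echo "backup failed; not updating" >&2; return 2; }
    for plugin in $(wp plugin list --update=available --field=name); do
        if ! wp plugin update "$plugin" >/dev/null || ! site_ok; then
            echo "$plugin"
            return 1
        fi
    done
    return 0
}

# Deactivated plugins are still on disk; list them as deletion candidates.
list_inactive_plugins() {
    wp plugin list --status=inactive --field=name
}

# RUN_NOW is a hypothetical switch so the functions can be sourced safely.
if [ "${RUN_NOW:-0}" = "1" ]; then
    update_plugins_one_by_one
    echo "Inactive plugins to review for deletion:"
    list_inactive_plugins
fi
```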
WordPress Plugins are an Important Part of Site Security
Owning a WordPress site comes with responsibility and your clients rely on you to help them with that responsibility. If your client’s site is compromised and used to send spam then that site is part of a larger, global problem. That said, as we’ve shown, keeping your client’s site up to date isn’t very hard. With a few plugins or help from a service, it can be even easier.
If you’re still unconvinced of the importance and ease of updating your client’s plugins, it might be worth your while to look into Managed WordPress Hosting. Specifically optimized for WordPress, many plans also offer to help with automatic core and plugin updates to keep your clients’ sites secure.