An interesting thing happened this month that I can’t recall ever seeing before. WordPress released a new version of its software, and then the very next day, released another update. Version 4.9.3 fixed 34 vulnerabilities in the software. Version 4.9.4 fixed the WordPress automatic update feature that broke for many sites after 4.9.3 was installed. I thought about all the nonprofits I’ve ever met who fail to update WordPress regularly and decided to write this post.
About automatic updates
Updating your WordPress website is a crucial task for the prevention of site hacking, but even so I frequently meet nonprofit staff in my classes and clinics who tell me they don’t update WordPress. There are plugins that will manage automatic updates, like Easy Updates Manager, if you don’t log into your site often enough to notice that updates are needed.
As an aside, you’ll generally find developers in two camps when talking about automatic WordPress updates: those in favor and those who think auto-updates are the devil. I’m in the former camp, but only when a reliable plugin is used, a backup system is already in place, you have access to your site files via FTP and email notifications about updates are activated. Updates can indeed break your WordPress site, whether they be WordPress core, plugin or theme updates, but not updating out of fear (or lack of knowledge) is more dangerous than the chance an update will mess up your site.
If you do use a plugin for automatic updates, be sure to configure the email notification feature so that you receive an email when an update has occurred and whether or not it was successful. Then take a few seconds to pop onto your site and make sure things are still working properly.
About manual updates
If you prefer not to do automatic updates, you can at least configure the Wordfence security plugin to notify you via email when an update is needed. (If you don’t have Wordfence or a similar plugin installed, you need to take care of that first!) When you receive an email that an update is available, be sure to install it within a day or two – the longer you wait, the greater the risk of hacking.
There are three steps I suggest when attempting manual updates:
- back up your site first,
- make sure you have FTP access to your site,
- perform updates.
Manual updates are relatively easy to do. As mentioned, be sure to back up your site first. If you lack a backup mechanism, there are several good plugins out there for doing backups. Depending on your backup needs and budget, I like BackupBuddy ($80/year/site) and UpdraftPlus (free version is quite good, premium is $70-145 based on # of sites).
To gain FTP access, you need a tool for accessing the site and some login information. Some website hosting companies have a File Manager feature on their control panel that you can use, which generally only requires you to log into the hosting account. If you use Dreamhost or any other host without that ability, you’ll need an FTP client tool such as CoreFTP or Filezilla (both are free to download and use). You’ll also need to contact support at your hosting company and ask them to help you with the information needed to FTP into your site.
Once you’ve backed up and know you have FTP access, run your updates. Log into WordPress and from the left menu, simply click Dashboard and then Updates from that sub-menu. If your website requires an update, it will show up on that screen. If multiple types of updates are needed, I like to run WordPress core first, then do plugins or themes. I also like to update one plugin at a time, even though you can technically update multiple plugins at once. It’s been my experience that the greatest chance of an update stalling comes from trying to do too many at once. Updates can stall for other reasons – slow web server response or low memory issues – but I have found it best to take updates one at a time, leaving the browser window open and not touching anything else until the update has completed. You don’t want to add to the load on your site’s resources by clicking around on your site while updates are happening.
If an update stalls (i.e. doesn’t completely finish), you may end up seeing a maintenance message instead of your home page.

If you see this after an update failure, don’t panic! This is why FTP access to your site is so important to have in advance of doing your updates. To make this message go away, you’ll want to use FTP to access your site files and look for a file called .maintenance in the root of your website directory. If you cannot see it, be sure to set your FTP tool to show hidden files. Once located, delete it. Your website will return and you can give updating another go.
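The same cleanup can be scripted for sites where you have shell (SSH) access, which is an assumption since the post itself uses FTP. This is an added example, not code from the original post or from WordPress: it reads the start time that the updater stores in .maintenance and deletes the file only when it is older than a threshold, so an update that is still running is left alone. The function names and the 600-second default are this example's own choices.

```shell
#!/bin/sh
# Added example: clear a stale WordPress .maintenance file after a stalled update.
# Assumes shell access to the web server; function names are hypothetical.

# Print the epoch timestamp stored in a .maintenance file (empty if none found).
# The WordPress updater writes the file as: <?php $upgrading = 1517900000; ?>
maintenance_started() {
  sed -n 's/.*\$upgrading *= *\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# clear_stale_maintenance WP_ROOT [MAX_AGE_SECONDS]
# Prints exactly one of: absent | unparsed | active | removed
clear_stale_maintenance() {
  csm_file="$1/.maintenance"
  csm_max_age="${2:-600}"          # example default, in seconds

  if [ ! -f "$csm_file" ]; then
    echo "absent"                  # site is not in maintenance mode
    return 0
  fi

  csm_started="$(maintenance_started "$csm_file")"
  if [ -z "$csm_started" ]; then
    echo "unparsed"                # unexpected content: leave for manual review
    return 0
  fi

  csm_age=$(( $(date +%s) - $csm_started ))
  if [ "$csm_age" -lt "$csm_max_age" ]; then
    echo "active"                  # an update may still be running: do not touch
    return 0
  fi

  rm -f -- "$csm_file"             # stalled update: remove the leftover file
  echo "removed"
}

# Run directly as: sh clear_maintenance.sh /path/to/wordpress [max_age_seconds]
if [ "$#" -gt 0 ]; then
  clear_stale_maintenance "$@"
fi
```

A result of "active" means the file is recent; wait for the update to finish or time out before deleting anything.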
The bottom line
Regardless of how you choose to manage WordPress updates, please be sure to make them happen! Don’t make it easier for hackers to do their thing.

