Intentionally Deferred WordPress Upgrades

I’ve seen developers do some very clever things to not only ignore WordPress core upgrades, but to cover their tracks as well. 

If the client can’t see the red update notification, they’ll never know there’s a problem.

It’s the same logic that big tobacco uses to sell cigarettes. “If they can’t see the nicotine and harmful chemicals, then we’re off the hook! (Until someone dies, of course. But that’s a bridge we’ll cross another day).”

Some of the most common ways I’ve seen updates hidden are custom plugins that modify user roles, management plugins like ManageWP or InfiniteWP, or Easy Updates Manager. I’ve also seen updates blocked through the wp-config file hundreds of times, with a few other steps taken to hide notices from the dashboard completely.

And I’ll be the first to admit, sometimes hiding the notices is absolutely necessary. Curious clients see that update notification as a BIG RED BUTTON and need to push it. That’s facts. Unfortunately, more often than not these blocks are put in place with good intentions, and then end up being ignored indefinitely.

Here are some of the most common scenarios I’ve seen for blocking WordPress plugin, core, and theme updates:

• Theme update hasn’t been tested for compatibility – We’ve all seen theme updates break things. If it hasn’t happened to you already, it will. Updating a theme without disrupting the website may require staging the update in a sandbox and testing for compatibility. And who’s got time for that?
• Updates haven’t been tested with the PHP version on the server – Sometimes we want to test pending updates but because some hosts are slow to upgrade their PHP versions, or alternatively insist on running bleeding edge server software, there’s yet another variable to test for that’s going to require more time and effort.
• Managed hosting is taking too much control – Sometimes there are business reasons for not updating software right away. One example is an established change control process.  Some corporations literally won’t allow changes to be made to their websites without going through a somewhat rigorous set of checks and balances. In these scenarios we tell the host to stop processing updates automatically. Hopefully we don’t use that as an excuse to ignore updates altogether.

These are all completely legitimate reasons for deferring updates but they aren’t excuses to ignore them outright. An uncomfortable trend I’ve seen is that while the initial reason to block updates and hide notices is legitimate, it’s treated more like a Get of Jail Free card. If you’ve ever told yourself you’ll get to the updates “on a day when I have more time,” don’t fool yourself. Unless keeping plugins and themes up to date is a priority, the time will never come.

If you’re a service provider and your client trusts you to stay on top of these updates, please make them a priority. Or you can pass them off to our team and we’ll do the heavy lifting for you. But please don’t leave these important updates unattended.

Absence of License Keys

The absence of license keys is the most prevalent challenge we encounter when trying to get websites up to date.

Developers, agencies, I say this with all the love I have available in my small heart: CLIENTS NEED TO BUY THEIR OWN PLUGINS AND MAINTAIN ACTIVE LICENSES

Without an active license key or account connection (see all Themeforest and CodeCanyon products),  all future updates will be blocked.

And I know how it goes. You have the developer license for the theme or plugin that gets installed on the client’s site. Or you have the latest version from another project you’re working on so you install that to get your work done without asking the client for more money. It’s no big deal, right? In fact, you’re even doing them a favor!

Well, it isn’t a big deal today. But eventually you’ll stop paying for that developer version because the plugin author raises prices, or because you decide you like another forms plugin more, or the budget is tight and you need to find ways to cut costs.

These things happen and it’s totally fine. Really, it is.

But when these decisions are made, licenses expire and updates are suddenly unavailable. I’m not saying it’s never been done, but I’ve never once seen a developer or agency go back to a client after the fact and say “We’ve been paying for you to use this plugin for the last 4 years and aren’t going to anymore. Please purchase a new license and send us the key.”

No, I usually get to be the one that tells them Revolution Slider is 4 years out of date and that they not only need to pay the $39 for a plugin, it’s also going to take six hours of developer time to upgrade the plugin and resolve all the resulting compatibility issues.

Do yourselves a favor and discuss license fees at the beginning of every project. Businesses understand the concept. They pay for Adobe, McAfee, and Microsoft Updates every single month. And at a much larger scale than any WordPress plugin fees.

Recommendations for Security Best Practices

It only takes a few days of following updates at WPVulnDB to get a very clear picture of how often security updates are applied to WordPress software. Authors are usually quite good at releasing security updates in a timely fashion when they’re needed.

Aside: If you use a WordPress plugin or theme with a known security issue and the author doesn’t release patches quickly, find another solution.

Without proactive monitoring and a regular update schedule things can get out of hand very quickly.

WordPress is often compared to Microsoft as “the operating system of the web.” It has extremely wide reach which makes it a prime target for exploiting vulnerabilities.

Yoast SEO has over 5 million active installs. If I’m a hacker and that plugin has a known security flaw, I’m going to try and build a bot to exploit it as quickly as I can. Even if half of website owners are diligent in keeping their plugins up to date, I still have a user base of 2.5 million I can try and take advantage of.  I like those odds.

P.S. I’m not a hacker.

You’ll see lists on the internet for “300 tips to secure your WordPress website” but ultimately protecting your website comes down to these core principles:

1. Use a quality web hosting provider who maintains current web server and PHP versions
2. Have a regular update routine for WordPress core, plugins, and themes. Anything less than monthly is too infrequent.
3. Use a firewall. We recommend Cloudflare or Sucuri. These firewalls prevent malicious requests from hitting your website.
4. Keep active license keys or account connections for all premium WordPress plugins and themes.
5. Use strong passwords. WordPress’ default requirements are stronger than they’ve ever been. If you want to really enforce strong passwords check out Force Strong Passwords.
6. Disable File Editing – Even if an unauthorized user is able to access your site, they’ll be somewhat limited if they can’t access your site at the file level.
7. Use SSL everywhere. With may hosts offering SSL certificates for free or a small fee, there’s no excuse for not using SSL for your website.