WordPress Update Guide: How to Update Safely

Bastien Allain | March 9, 2026 | 19 min read
Tags: wordpress, update, maintenance, plugins, security

Your WordPress site has been showing an update notification for three weeks and you keep clicking "Remind me later" every time? You are not alone. The fear of breaking a production site holds back thousands of site owners every day. Yet ignoring an update is far more dangerous than applying it.

This guide explains how to update WordPress (core, plugins, themes) without compromising your site. We cover the precise update order, a pre-update checklist, a post-update testing protocol, and emergency procedures for when things go wrong. Whether you run a personal blog or a WooCommerce store, the principles are the same.

How to safely update WordPress (7 steps)

  1. Create a full backup: Back up all files and the database, then verify the backup restores correctly.
  2. Check PHP version compatibility: Confirm your host runs a PHP version compatible with the new WordPress release.
  3. Test updates on a staging environment: Clone your site to staging and apply all updates there first to catch conflicts.
  4. Update plugins first: Update all plugins one by one on production, checking for errors after each one.
  5. Update the theme: Apply the theme update after plugins are confirmed stable.
  6. Update WordPress core last: Run the core update only after plugins and theme are up to date and working.
  7. Run post-update verification: Test layout, forms, critical features, and check error logs for any new issues.

In short -- The WordPress update protocol in 4 steps:

  1. Full backup (files + database) and verify that the restore actually works.
  2. Test on a staging environment to catch conflicts before touching production.
  3. Update production in this order: plugins first, theme next, WordPress core last.
  4. Post-update verification: layout, forms, critical features, error logs.

Why WordPress updates are not optional

Postponing a WordPress update is not technical procrastination. It is a risk that grows worse over time. Whether it is a major core release or a simple security patch on a plugin from the official WordPress.org repository, every unapplied update widens your site's attack surface.

Four concrete reasons to keep your updates on schedule:

1. Patching security vulnerabilities (the number-one reason)

Every minor version of the WordPress core, your plugins, and your theme can fix security vulnerabilities. When a patch is released, the flaw it fixes becomes public in the changelogs. Attackers systematically exploit these known flaws on sites that have not applied the patch.

According to the 2024 Sucuri report on hacked sites, 56% of compromised WordPress sites were not up to date at the time of the breach. A minor security update -- often just a few lines of code -- is enough to shut the door on SQL injection, cross-site scripting (XSS), and brute-force attacks.

2. Speeding up your site (performance gains)

Major versions of WordPress regularly include optimizations to the rendering engine, script loading, and cache handling. WordPress 6.4, for example, reduced PHP execution time by 10 to 20% thanks to its optimized autoloader.

On the plugin side, updates fix memory leaks, reduce database queries, and improve compatibility with the latest PHP versions. A site whose extensions are up to date is inherently faster than one running outdated versions. This translates directly into a better Core Web Vitals score and a shorter LCP.

3. Unlocking new features

The WordPress core evolves rapidly. The block editor (Gutenberg) receives improvements with every major release: new blocks, layout patterns, and editing interface enhancements. Plugin updates available from the official WordPress.org repository bring new options, additional integrations, and user-experience improvements.

Ignoring updates means depriving yourself of tools that could improve your productivity -- and your team's -- on a daily basis.

4. Ensuring compatibility (PHP, plugins, themes)

WordPress, PHP, your plugins, and your theme form an interdependent ecosystem. When a PHP version reaches end of life (PHP 8.0 has been unsupported since November 2023), your host migrates to a newer version. If your plugins and theme are not up to date, that PHP migration can trigger fatal errors, a white screen, or a 500 error.

The rule is simple: updating regularly prevents the accumulation of technical debt. The longer you wait, the bigger the jump between one major version and the next, and the higher the risk of a plugin conflict or incompatibility with your PHP version.

The pre-update checklist (the "pre-flight")

Updating WordPress without preparation is like jumping out of a plane without checking your parachute. Five steps to follow before every update.

Step 1: Full, verified backup (files + database)

Before any intervention, back up your entire site: files (wp-content, themes, plugins, uploads) and database (MySQL/MariaDB). Use a plugin such as UpdraftPlus, BackWPup, or your host's built-in backup system.

The critical point most guides overlook: verify that your backup actually works. Downloading a 200 MB .zip file is useless if the restore fails. Test the restore on a staging environment or, at the very least, verify that the archive is not corrupted and the database is complete.
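
One way to script that minimum check, as an added example that is not from the original article: it tests that the archive reads end to end and that the SQL dump ends with mysqldump's completion trailer and contains the core tables. The file names, the `wp_` table prefix and the sample dump are assumptions; a dump taken with comments disabled has no trailer.

```sh
#!/bin/sh
# Added example: sanity-check a backup before relying on it.
# File names and the wp_ table prefix are assumptions.

# verify_archive FILE -> 0 if the compressed archive reads end to end
verify_archive() {
    case "$1" in
        *.tar.gz|*.tgz) gzip -t "$1" 2>/dev/null && tar -tzf "$1" >/dev/null 2>&1 ;;
        *.zip)          unzip -tq "$1" >/dev/null 2>&1 ;;
        *)              return 2 ;;   # unknown format: do not guess
    esac
}

# verify_dump FILE [PREFIX] -> prints "ok" or the reason the dump is unusable
verify_dump() {
    dump=$1
    prefix=${2:-wp_}
    [ -s "$dump" ] || { echo "empty or missing dump"; return 1; }
    # mysqldump, which `wp db export` runs, writes this trailer only when it
    # finishes (it is absent if the dump was taken with comments disabled).
    tail -n 5 "$dump" | grep -q '^-- Dump completed' \
        || { echo "truncated dump"; return 1; }
    for t in options posts postmeta users usermeta; do
        grep -q "^CREATE TABLE \`${prefix}${t}\`" "$dump" \
            || { echo "missing table ${prefix}${t}"; return 1; }
    done
    echo "ok"
}

# Constructed sample: a minimal file shaped like mysqldump output.
make_sample_dump() {   # $1 = output file, $2 = complete | truncated
    for t in options posts postmeta users usermeta; do
        printf 'CREATE TABLE `wp_%s` (\n  `id` bigint\n);\n' "$t"
    done > "$1"
    if [ "$2" = complete ]; then
        echo '-- Dump completed on 2026-03-09  6:00:01' >> "$1"
    fi
}

# Usage: sh verify-backup.sh site-files.tar.gz database.sql
if [ "$#" -eq 2 ]; then
    verify_archive "$1" || { echo "archive failed integrity check"; exit 1; }
    verify_dump "$2" || exit 1
fi
```

Passing these checks only shows the files are readable and complete; a restore on staging is still the real test.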

Step 2: Check your PHP version compatibility

Before a major core update, check the PHP version your host is running. Consult the official WordPress requirements page to find the recommended PHP version. You can check your current PHP version under Dashboard > Tools > Site Health > Info > Server.

If your site is still running on an end-of-life PHP version, contact your host to schedule the PHP migration before the WordPress update. Updating the core without a compatible PHP version can trigger fatal errors, a white screen (WSOD), or a 500 error.

Step 3: Clone to a staging environment for testing

Few people do this, and it is a shame. A staging environment is a copy of your site where you apply updates before pushing them to production.

Most managed WordPress hosts (Kinsta, WP Engine, Cloudways, o2switch) offer one-click staging. If yours does not, the WP Staging plugin lets you create a local clone. Apply all your updates on staging, verify nothing is broken, then replicate the same updates on the production site.

For an e-commerce site running WooCommerce or a multilingual site, staging is not optional -- it is mandatory. A payment extension (Stripe, PayPal) or translation plugin (WPML, Polylang) that malfunctions after an update can block orders or break the URLs of your translated pages.

Step 4: Read the changelogs (release notes) for major updates

Before clicking "Update now," review the changelogs (release notes) for plugins, the theme, and the WordPress core. Changelogs are accessible directly from the admin interface via the "View version details" link on the updates page.

Look for the following:

  • "Breaking changes" -- modifications that may break compatibility with your current configuration
  • "Deprecated functions" -- functions that will be removed in a future version and that your theme or plugins may still use
  • "Requires PHP X.X" -- a change in the minimum required PHP version

Step 5: Schedule the intervention during a low-traffic period

Never run your updates during peak traffic. Check your analytics (Google Analytics, Matomo) to identify your low-traffic windows. As a general rule, updates are performed:

  • Weekdays: early morning or late evening
  • Weekends: for B2B sites with little Saturday/Sunday traffic
  • Never: during a marketing campaign, a product launch, or a sale (for e-commerce sites)

The strategic update order: the key to avoiding conflicts

In what order should you update WordPress, plugins, and the theme? This question comes up all the time, and the answer is straightforward.

Sequence 1: Update plugins first

Always start with plugin updates. Update them one at a time (not in bulk) and check that the site works after each update. If a plugin conflict occurs, you immediately know which one is responsible.

Recommended order for plugins:

  1. Security plugins (Wordfence, SecuPress, Solid Security) -- security patches are the top priority
  2. Caching plugins (WP Rocket, LiteSpeed Cache, W3 Total Cache) -- flush the cache after the update
  3. Functional plugins (WooCommerce, Contact Form 7, Yoast SEO, Rank Math) -- test critical features after each update
  4. Secondary plugins (design plugins, widgets, social-media integrations)

Watch out for premium plugins (Elementor Pro, ACF Pro, Gravity Forms): these extensions do not update through the official WordPress.org repository. They require a valid license key and update through their own system. Make sure your license is active before launching the update.

Sequence 2: Update the active theme next

Once all plugins are up to date and working, update your WordPress theme. If you are using a child theme, only the parent theme needs to be updated. Your customizations in the child theme are preserved.

After updating the theme, check:

  • The homepage and main pages display correctly
  • The navigation menu
  • The footer
  • Content pages (posts, static pages)
  • Forms

Sequence 3: Update the WordPress core last

The WordPress core is updated last. Why? Because plugin and theme developers generally release their compatibility updates before a new major WordPress version ships. By updating your extensions and theme first, you ensure everything is already compatible with the core version you are about to install.

WordPress distinguishes two types of core updates:

  • Minor versions (e.g., 6.7.1 to 6.7.2): security and bug fixes. These install automatically in the background by default. Conflict risk: very low.
  • Major versions (e.g., 6.7 to 6.8): new features, architecture changes. These require manual action (unless you have enabled automatic major updates). Conflict risk: moderate to high, which is why staging matters.

The rationale: why is this order technically safer?

The WordPress ecosystem works in layers: the core is the foundation, and plugins and the theme are the upper layers. If you update the core first and a plugin is not compatible with the new version, you get a conflict without knowing whether the problem comes from the core, the plugin, or an interaction between the two.

By updating the upper layers first (plugins, theme), you isolate each variable. If a problem occurs, you know it was the last element you updated that caused it. This is the method used by WordPress maintenance professionals.

How to update WordPress: 3 methods explained

The automatic method via the dashboard (the simplest)

This is the recommended method for 90% of users. Go to Dashboard > Updates. WordPress displays all available updates: core, plugins, themes, and translations.

For plugins and themes, click "Update" next to each item. For the core, click the "Update now" button.

Configuring automatic updates:

WordPress lets you enable automatic updates for each plugin individually. On the Plugins > Installed Plugins page, an "Automatic updates" column lets you enable or disable auto-updates for each plugin.

For the core, minor versions update automatically by default. For major versions, you can enable auto-updates via the "Enable automatic updates for all new versions of WordPress" link on the updates page.

Warning for complex sites: If you manage an e-commerce site (WooCommerce), an LMS (LearnDash, Tutor LMS), or any site with critical functionality, disable automatic major updates. The risk of silently breaking a vital feature is too high. Prefer controlled manual updates preceded by a staging test.

The manual method via FTP (for complex cases)

When the dashboard is inaccessible (white screen, 500 error, database connection error), a manual update via FTP is your plan B.

Procedure for the WordPress core:

  1. Download the latest version of WordPress from wordpress.org/download
  2. Connect to your server via an FTP client (FileZilla, Cyberduck)
  3. Delete the /wp-admin/ and /wp-includes/ directories on the server
  4. Never delete or overwrite the /wp-content/ directory (your content, plugins, and themes), the wp-config.php file (your database credentials), or the .htaccess file. Ignore the wp-config-sample.php from the .zip.
  5. Upload the new /wp-admin/ and /wp-includes/ directories along with all individual root-level files (wp-login.php, wp-cron.php, index.php, etc.)
  6. Navigate to your-site.com/wp-admin/ -- WordPress will automatically run the database update if needed

For a plugin: download the new version from wordpress.org, delete the plugin's folder in /wp-content/plugins/, and upload the new folder.

The pro method via WP-CLI (the fastest)

WP-CLI is the official command-line tool for WordPress. It lets you manage updates in seconds without going through the web interface. Developers and sysadmins managing multiple sites swear by it.

Essential commands:

Check for available updates:

wp core check-update
wp plugin list --update=available
wp theme list --update=available

Back up the database before any intervention:

wp db export ~/backups/backup-$(date +%Y%m%d).sql

Update plugins one by one (recommended method in production):

wp plugin update woocommerce
wp plugin update wordfence
wp plugin update contact-form-7

Update the core:

wp core update
wp core update-db

The wp plugin update --all command exists but is not recommended in production: if a plugin causes a conflict, you will not know which one is to blame. Reserve it for staging environments.
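
The one-by-one procedure as a script (an added example, not from the original article): it records each plugin's version, updates it, checks the front page, and reinstalls the previous version if the check fails, stopping at the first failure. `SITE_URL`, `BACKUP_DIR`, the `--run` switch and the HTTP 200 health check are assumptions, and the rollback only works for plugins hosted on WordPress.org.

```sh
#!/bin/sh
# Added example: update plugins one at a time, roll back the one that breaks the site.
# SITE_URL, BACKUP_DIR and the HTTP 200 check are assumptions; adapt them.
SITE_URL=${SITE_URL:-https://example.com/}
BACKUP_DIR=${BACKUP_DIR:-$HOME/backups}

# site_healthy -> 0 when the front page answers HTTP 200.
# A PHP fatal error normally surfaces as HTTP 500, so this catches a white screen.
site_healthy() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 20 "$SITE_URL") || return 1
    [ "$code" = 200 ]
}

# update_one SLUG -> 0 updated, 1 rolled back, 2 WP-CLI itself failed
update_one() {
    slug=$1
    old=$(wp plugin get "$slug" --field=version) || return 2
    wp plugin update "$slug" >/dev/null || return 2
    if site_healthy; then
        echo "$slug: updated (was $old)"
        return 0
    fi
    # Reinstall the version recorded before the update. Only plugins hosted
    # on WordPress.org can be fetched by version number.
    wp plugin install "$slug" --version="$old" --force >/dev/null
    echo "$slug: health check failed, rolled back to $old"
    return 1
}

# update_all_one_by_one -> export the database, then update each pending
# plugin and stop at the first failure so the culprit is unambiguous.
update_all_one_by_one() {
    wp db export "$BACKUP_DIR/pre-update-$(date +%Y%m%d-%H%M%S).sql" >/dev/null || return 2
    for slug in $(wp plugin list --update=available --field=name); do
        update_one "$slug" || return 1
    done
}

# Run from the WordPress root: sh update-plugins.sh --run
if [ "${1:-}" = "--run" ]; then
    update_all_one_by_one
fi
```

The database export covers the data only, so a plugin that migrated its tables during the update still needs the full restore described later in this guide.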

WP-CLI is particularly powerful for multi-site management. Combined with a Bash script, you can update dozens of sites with a single command. Tools like ManageWP (cloud-based, free for basic features), MainWP (self-hosted, open source, full control over your data), and WP Umbrella (modern interface, automated reports, starting at $1.99/month per site) provide a graphical interface for the same functionality, with centralized dashboards.

Post-update testing protocol: what to check

The update is done, but the work is not over. Better to verify things yourself than to discover a critical bug when a customer reports it.

Front-end visual check

Open your site in a browser using private/incognito mode (to avoid browser cache issues) and check:

  • The homepage: layout, images, sliders, animations
  • Main pages: about, services, contact
  • Blog posts: layout, featured images, content blocks
  • The navigation menu: all links work, responsive (mobile) display is correct
  • The footer: links, newsletter form, legal information

If the display looks wrong, flush all cache levels in this order: plugin cache (WP Rocket, LiteSpeed), then server cache (Varnish, Nginx), then CDN cache (Cloudflare, Sucuri), and finally browser cache (Ctrl+Shift+R or Cmd+Shift+R).

Back-end functional check

Log into the admin interface and verify:

  • The block editor (Gutenberg): create a draft, add a block, save
  • The settings pages: Reading, Writing, Discussion
  • The plugins page: all extensions are active with no error messages
  • Custom menus: Appearance > Menus or Site Editor
  • The Site Health page (Tools > Site Health): no critical errors

Testing critical functionality

For professional and e-commerce sites, this is where it counts:

  • Contact forms: send a test message and verify receipt
  • Checkout process (WooCommerce): simulate a complete order (add to cart, checkout, test payment in sandbox mode)
  • User registration/login: test the account creation form and login
  • Internal search: verify that the site's search engine works
  • Redirects: verify that 301 redirects are still active

Error monitoring

For advanced users, two information sources to know:

  • PHP error logs (error.log): accessible via your host's control panel or by enabling debug mode in wp-config.php:
define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);
define('WP_DEBUG_DISPLAY', false);

The log file is located at /wp-content/debug.log. Important: disable debug mode once your checks are complete. Leaving WP_DEBUG active in production exposes sensitive information (file paths, SQL queries) and degrades performance.

  • The browser console (accessible via the F12 key > Console tab): JavaScript errors appear here. A plugin conflict often manifests as JS errors in the console.
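
A way to read only what the update added to debug.log (an added example, not from the original article): record the log's line count before updating, then count new fatal and parse errors per plugin or theme directory, and confirm WP_DEBUG is off again afterwards. The sample log lines, paths and function names are constructed.

```sh
#!/bin/sh
# Added example: triage debug.log after an update. Sample lines are constructed.

# log_mark FILE -> number of lines currently in the log (0 if it does not exist)
log_mark() {
    if [ -f "$1" ]; then wc -l < "$1" | tr -d ' '; else echo 0; fi
}

# new_fatals FILE MARK -> "<count> <component>" for errors logged after line MARK
new_fatals() {
    [ -f "$1" ] || return 0
    mark=$2
    # If the log was rotated or truncated since the mark, scan it from the start
    [ "$(log_mark "$1")" -lt "$mark" ] && mark=0
    awk -v mark="$mark" '
        NR > mark && /PHP (Fatal|Parse) error/ {
            comp = "core-or-unknown"
            # Keep "plugins/<slug>" or "themes/<slug>" from the file path
            if (match($0, "wp-content/(plugins|themes)/[^/: ]+"))
                comp = substr($0, RSTART + 11, RLENGTH - 11)
            n[comp]++
        }
        END { for (c in n) print n[c], c }
    ' "$1" | sort -k2
}

# debug_enabled WP_CONFIG -> 0 if WP_DEBUG is still defined as true
debug_enabled() {
    grep -Eiq "^[[:space:]]*define\([[:space:]]*['\"]WP_DEBUG['\"][[:space:]]*,[[:space:]]*true" "$1"
}

# Constructed sample: one old warning, then errors written after an update.
sample_log() {
cat <<'EOF'
[09-Mar-2026 05:58:10 UTC] PHP Warning:  Undefined variable $x in /var/www/html/wp-content/themes/mytheme/functions.php on line 12
[09-Mar-2026 06:02:44 UTC] PHP Fatal error:  Uncaught Error: Call to undefined function old_helper() in /var/www/html/wp-content/plugins/example-forms/init.php:88
[09-Mar-2026 06:02:51 UTC] PHP Fatal error:  Uncaught Error: Call to undefined function old_helper() in /var/www/html/wp-content/plugins/example-forms/init.php:88
[09-Mar-2026 06:03:02 UTC] PHP Parse error:  syntax error, unexpected token "}" in /var/www/html/wp-content/themes/mytheme/header.php on line 5
EOF
}

# Usage: sh triage.sh wp-content/debug.log <mark-recorded-before-update> wp-config.php
if [ "$#" -eq 3 ]; then
    new_fatals "$1" "$2"
    if debug_enabled "$3"; then echo "WP_DEBUG is still on: disable it"; fi
fi
```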

Special cases: adapting your update strategy

Updating a WooCommerce e-commerce site: double the precautions

E-commerce sites running WooCommerce are the most sensitive. A poorly managed update can block the sales funnel or break payment gateways.

Additional rules for WooCommerce:

  • Always update WooCommerce on staging first. Test the complete purchase flow: add to cart, cart page, checkout page, payment (in sandbox/test mode), order confirmation, confirmation email.
  • Check the compatibility of WooCommerce extensions (Stripe, PayPal, Mollie, WooCommerce Subscriptions) with the new version. Payment gateways may have a compatibility update delay of several days after a WooCommerce release.
  • Back up the database separately. WooCommerce tables (orders, products, customers) are critical. An incremental backup before each WooCommerce update is standard practice for professional sites.
  • Never update WooCommerce during a sales period (seasonal sales, Black Friday, Christmas). Schedule your updates during off-peak times.

Efficiently managing maintenance across multiple sites

If you manage 5, 10, or 50 WordPress sites, updating each one manually quickly becomes unmanageable. Three tools stand out:

  • ManageWP: cloud dashboard, one-click updates for all your sites, automatic backups, uptime monitoring. Free for basic features.
  • MainWP: self-hosted solution (WordPress plugin), full control over your data, modular extensions. Free and open source.
  • WP Umbrella: modern interface, automated maintenance reports for your clients, security monitoring. Starting at $1.99/month per site.

All three let you run plugin, theme, and core updates across all your sites from a single dashboard and generate maintenance reports for your clients if you offer a WordPress maintenance service.

Plugin types that require extra attention

Certain types of plugins cause more problems than others during updates:

  • Page builders (Elementor, Divi, WPBakery): major updates can change the rendering of existing pages. Always check the display of your key pages after an update.
  • Caching plugins (WP Rocket, LiteSpeed Cache, W3 Total Cache): flush and regenerate the cache after every update of the caching plugin itself, and also after every update of another plugin or the core.
  • Security plugins (Wordfence, SecuPress): firewall rule updates can block legitimate functionality. Check your rules after the update.
  • Multilingual plugins (WPML, Polylang, TranslatePress): updates can affect permalinks and translations. Check the URLs of all language versions.
  • Premium plugins not on the repository: Elementor Pro, ACF Pro, Gravity Forms, and other premium plugins update through their own licensing system. If your license has expired, the update will not trigger and you will remain on a potentially vulnerable version.

What to do if an update breaks your site

Even with every precaution, problems can happen. Here is how to respond, from simplest to most drastic.

Quickly identify the culprit

If the problem appears immediately after an update, the culprit is almost always the last element you updated. If you followed the recommended order (plugins one by one, then theme, then core), identification is immediate.

If you updated everything in bulk (which we advise against), you need to isolate the problem:

  1. Deactivate all plugins via FTP by renaming the /wp-content/plugins/ folder to /wp-content/plugins_disabled/
  2. If the site returns to normal, reactivate plugins one by one from the admin panel until you find the one causing the issue
  3. Switch themes temporarily to a default theme (Twenty Twenty-Four) to check whether the problem comes from the theme

Restore your backup: the ultimate safety net

If the problem is too complex to diagnose quickly, restore your backup. This is why step 1 of the pre-update checklist is non-negotiable.

With UpdraftPlus, the restore takes just a few clicks from the WordPress interface. If the interface is inaccessible, restore manually via phpMyAdmin (database) and FTP (files).

Use WP Rollback to revert to a previous version

The WP Rollback plugin lets you revert to any previous version of a plugin or theme hosted on the official WordPress.org repository. It is a middle-ground solution between diagnosing the issue and doing a full restore.

WP Rollback does not work with premium plugins (Elementor Pro, ACF Pro, etc.) that are not distributed through the official repository. For those plugins, contact the developer's support team or restore your backup.

When to contact a professional

If the problem persists despite your troubleshooting attempts, it is time to call in a WordPress security and maintenance expert. Contact a professional in the following cases:

  • Persistent white screen after restoring a backup
  • Database errors (500 error or "Error establishing a database connection")
  • Hacked site detected after an update (redirects to malicious sites, spam content injection)
  • Data loss (WooCommerce orders, users, content)

A professional WordPress maintenance service has the tools and experience to diagnose this quickly, with a guaranteed response time (SLA). Contact us if you are stuck.

FAQ: WordPress updates

What is the correct order for updating WordPress, plugins, and themes?

The recommended order is: plugins first (one at a time), theme next, WordPress core last. This sequence lets you isolate each variable if a problem occurs. Plugin and theme developers generally release their compatibility updates before a new major core version ships. By updating the upper layers first, you ensure everything is compatible before touching the foundation.

How do I update a WordPress plugin without risking breaking my site?

Before any plugin update, perform a full backup (files + database). Ideally, test the update on a staging environment. Update plugins one at a time (never in bulk) and check that the site works after each update. Read the plugin's changelog to spot "breaking changes." If the plugin is critical (WooCommerce, page builder), exercise extra caution.

What precautions should I take before updating WooCommerce?

WooCommerce is the most update-sensitive plugin because it handles financial transactions. Always test on staging first. Check the compatibility of your payment gateways (Stripe, PayPal) with the new version. Back up the database separately. Test the complete purchase flow after the update. Never update during a sales period (seasonal sales, Black Friday).

Is it possible to revert to an older version of a plugin after an update?

Yes, the WP Rollback plugin lets you revert to any previous version of a plugin or theme hosted on the official WordPress.org repository. For premium plugins (Elementor Pro, ACF Pro), this option is not available: you will need to contact the developer's support team or restore a previous backup. This is why the pre-update backup is essential.
