The Ultimate Guide to Updating WordPress and Multisite

The WordPress core software is updated regularly and with each new release come new features and security fixes that are designed to ensure your site is as secure as possible and performing at its best.

Automatically opting into these updates means they are applied to your site or network as soon as they’re released, which is especially important in terms of security.

It’s critical that your site is running the latest patches otherwise you could be leaving your personal information open for hackers to find and steal along with your users’ information, too. The WordPress core development team does a great job of patching up security holes, but if you don’t update your site, your site isn’t protected.

Along with security concerns, you don’t want to miss out on all the latest features that are included in the latest version of WordPress. Updating to the most recent release ensures you and your users have access to the most user-friendly and stable version available.

In this post, we’ll cover the following:

• Why It’s So Important to Update WordPress
  • Bugs and Security Fixes
  • How Updating WordPress Protects You
  • Risks of Updating WordPress
• Why WordPress Updates Are Critical for Your Site’s Security
• Back Up Before it Blows Up
  • Verifying Your Backup

Fortunately, there are many ways to update WordPress and in this post we’ll look at seven different ways you can keep your site up-to-date and how to do this automatically and with popular auto-updaters such as Softaculous, as well as how to update manually via FTP or SSH, even if you have a much older version installed.

1. Automatic WordPress Updates
2. One-Click Update
3. Auto Update with Automate
4. Manually Updating WordPress
5. Manually Updating via FTP
6. Manually Updating via SSH
7. Updating from Much Older Versions
8. Auto-Upgrading with Softaculous

Choose the method you want to use to update your site and scroll down to that section to get started.

Why It’s So Important to Update WordPress

1. Bugs and Security Fixes

The WordPress project has a security team that is made up of about 25 experts, including lead developers and security researchers. About half are employees of Automattic, the company behind WordPress.com, and many work in the web security field.

WordPress users are encouraged to report security flaws for the security team to address or for the core development team to resolve. With each new release of WordPress, users are also encouraged to test beta releases and report any bugs.

When the changes roll out, everyone using WordPress can update their site to the latest version. It often means there are many performance enhancements and new features to check out, but there are often also important bug and security fixes.

New performance improvements and features can help make using WordPress faster, easier and more efficient while bug and security updates improve the overall safety of your, site which is often seen as the most important aspects of why you need to keep your site updated.

WordPress itself is secure to use for your site, but hackers still find ways to exploit it to gain access.

This is largely due to the fact that WordPress is the most popular CMS to date with 64.2% of all CMS sites using WordPress and it’s used to power over 43% of the entire web according to W3Techs’ WordPress usage statistics. [June 2022]

The sheer popularity of WordPress alone is enough to draw in hackers since there’s no shortage of sites to try and infiltrate. When you factor in that WordPress has all its code and usage instructions publicly available.

While this is great for regular users to help make WordPress accessible to everyone, it’s even more enticing to hackers since it’s easier for them to figure out how best to pass through all the security measures in place.

Fortunately, any security issues that have come up in the past have been quickly fixed and there hasn’t been even one instance where a security issue has been left outstanding for longer periods of time. These fixes are added as updates and can be applied to all WordPress sites.

2. How Updating WordPress Protects You

If WordPress is so secure already, then why bother updating? The reason is that WordPress is secure until the next vulnerability arises. Since hackers are consistently around to find these vulnerabilities and exploit them, there’s also a consistent need for fixes to these problems.

If you don’t update your WordPress site, you don’t have access to these fixes that have been applied. This means your WordPress site would still contain the same vulnerabilities that hackers have used to exploit other sites with the same version installed. Once a hacker finds your site and knows you’re using the same version, they can quickly ruin your site.

If you’re thinking that you’re safe for now since your site is small with little traffic, that’s not the case since hackers automate their attacks.

They can search for and try to attack hundreds and thousands of sites every hour. If one site can’t be attacked, another one is tried within a second or less.

They can search for and try to attack hundreds and thousands of sites every hour. If one site can’t be attacked, another one is tried within a second or less.

With hackers attacking that many sites, it’s only a matter of time before your site comes up on their list so it’s important to do whatever you can to prevent a successful attack.

What’s at stake is not just your site’s content, but your personal information as well as all your users’ personal information used on your site. Hackers could gain access to your name, email address and even your entire site. If you run an eCommerce site, there’s even more personal data potentially at risk.

There are many ways to protect yourself and ensure your site stays safe and it starts with ensuring your version of WordPress is not falling behind. Ultimately, updating WordPress updates your site’s security.

3. Risks of Updating WordPress

There’s a downside to keeping your site updated, though, and it’s that some of the plugins and themes you’re using may not be updated with the latest changes. This means an update could be incompatible with your plugins and themes and could stop them from working properly.

This means some parts or your entire site could break. This is why it’s important to test out an update before you apply it to your live, public facing site. When you test the update, you can see if something brakes, then notify the plugin or theme developer so they can update it for you or you could find an alternative and possibly fix the issue yourself in some circumstances.

For more information on how to test out an update, check this post: Quick and Reliable Bug Testing with Cloner for WordPress Multisite. You can also find out more about the importance of updating and see a list of helpful plugins here: Why You Should Have the Latest Version of WordPress.

Why WordPress Updates Are Critical for Your Site’s Security

Okay, so I’d like to show you something.

Under the “Advanced” stats for each plugin in the WordPress repository, you’ll find information regarding which version of the plugin its users are on.

The Hummingbird Page Speed Optimization plugin currently has 60.7% of its users running the latest version.

The Smush Image Compression and Optimization plugin has 26% using the latest version.

The Defender Security, Monitoring, and Hack Protection plugin has 33% using the latest version. Eek!

There is a reason why this note exists before anyone tries to revert back to an older version of a plugin:

It’s because plugins and themes are not known for being inherently secure. The WordPress security team can vet these tools as they come in, but it’s never going to be a 100% foolproof strategy. In fact, Wordfence reports that 55.9% of website infections are caused by plugin vulnerabilities.

This is why all WordPress users should be super diligent about keeping everything–the core, plugins, and themes–up to date. There should be barely any lag time between when the latest issue was released and when you implement it on your site. It doesn’t take much work at all, just a simple click of a button, to initiate the update.

But it’s not just up to you to keep a site up to date. What happens when you hand a completed project to a client and that’s the end of your relationship? You can’t reasonably expect them to monitor their site for updates every day and to make each of them on the spot.

• This is why many hosting companies enforce core auto-updates.
• This is why there are a plethora of companies that offer WordPress support and maintenance services.
• This is also why there are plugins like Automate that will automate core, theme, and plugin updates for users.

Basically, there are plenty of folks out there who want to encourage smart update practices, whether that’s through doing the work themselves or by automating the process. Because, let’s face it, a hacked website opens the door to problems for everyone: website visitors, customers of your company, and even other websites that share space on a server or that exist within a Multisite network.

Back Up Before it Blows Up

Since updating WordPress could break your site depending on whether your plugins and themes are compatible with the latest version, it’s important to create a full backup of your site before you update.

This protects you in case the update does cause problems. You could restore the backup and have your site back up and running as if nothing happened so you can try again.

If you do find your site breaks, you can find out why by restoring everything, then disabling plugins and themes one-by-one followed by updating WordPress.

Once nothing is broken, it’s likely that the last component you disabled is the culprit. You can then find alternatives that are compatible or you can contact the author to let them know about the issue so it can be addressed.

For details on how to create full backups of your site, check out the posts below:

• How to Backup Your WordPress Website (and Multisite) Using Snapshot
• Backup Plugins Aren’t About Backing up, They’re About Restoring
• 4 Top WordPress Multisite Backup Solutions Tested and Reviewed

Verifying Your Backup

It’s also important to verify that your backup works instead of just assuming everything worked.

To test out your backups, you can create a local install of WordPress and apply the backup to see if everything works before applying it to your live site.

Keep in mind that you need to update the database information in your wp-config.php file to reflect the details of the new database you created locally. You also need to be sure the domain name for your local install is the same as your live site or you need to also update this information in your wp-config.php file in order for your backup to work. It’s also important to make these changes before you try to restore the backup.

You can also check out some of our posts about creating local installs of WordPress if you’re not sure how to make one or need a reminder:

• How to Develop WordPress Locally with MAMP,
• How to Install XAMPP and WordPress Locally on PC/Windows
• How to Set Up WordPress Locally in 5 Minutes with DesktopServer.

For details on how to go from local to live, see The Quick and Easy Guide to Migrating a Local WordPress Installation to a Live Site.

1. Automatic WordPress Update

Since version 3.7, minor security updates are fully automated. Your WordPress core is setup to update without having to take any action. This is incredibly handy since this means you can rest easy knowing your site is safe from the latest vulnerabilities since they’re patched up right away.

To turn this feature on or off, you need to edit your wp-config.php file. To turn on the automatic security updates, add this code above the “happy blogging” line:

To disable the updates, you would add this line instead, replacing the one above if it has been already added in:

If you’re not using the latest version of WordPress, it’s best to update your site before adding one of these lines.

2. One-Click Update

Major core updates are changes to the main WordPress software where the version rolls over from multiple numbers to just two such as 4.4 and 4.5, for example. When these major updates are made available to everyone, you should see a message letting you know and you can update your site with one click in your admin or super admin dashboard.

Click the Please update now link or the update button in the admin bar at the top of the page. Keep in mind that during the updating process, your site is placed into maintenance mode which means that your site becomes temporarily unavailable and a message is displayed to let your visitors know. Once the update is complete, your visitors can access your full site again.

After clicking the update button or link in the dashboard, you’re directed to the updates page where it’s suggested you create a full backup of your site as was covered earlier. If you have your backup ready, you can go ahead and update your site by clicking the Update Now button.

For single installations, the update should be completed in a few minutes or less and you should be redirected to your admin dashboard with information displayed about the latest version. If you are the super admin of a Multisite network, there’s one additional step before your update is complete.

Once you have clicked the Update Now button and you’re redirected, click the Upgrade Network button that’s displayed in the message at the top of the page.

At this point in the process, your main site has been updated, but all the sites in your network have not switched over to the latest version. On the Upgrade Network page, you can push your entire network to get up to date with one click. This doesn’t just prompt all your network’s sites to update. Instead, the update is applied to all sites right away.

Click the Upgrade Network button to instantly update your entire network. This process is quick but can take several minutes for larger networks.

If your browser doesn’t automatically redirect you to the next page, you can click the Next Sites button that appears when the upgrade is complete.

When the upgrade has successfully completed, you should see a page with the message “All done!” Once you see it, you have finished and your network is now at the latest version.

If you have installed WordPress in a different language, the update process is the same, except the WordPress Updates page looks slightly different.

You have the option to click two different Update Now buttons. The first one that appears, when clicked, updates your site in the language you already have installed. If you choose the second Update Now button, your site or network upgrades to the default and newest version of WordPress in US English.

If you want to keep your site in the language it’s in currently, click the first Update Now button in blue and complete the rest of the process as you normally would.

Sometimes, an update goes wrong and doesn’t complete which results in your site being stuck in maintenance mode. If this happens to you, there’s a quick fix to get your site back up so you can try updating again. Login to your site via FTP or access your site’s files in cPanel. In the root of your WordPress files, you should see one called

Login to your site via FTP or access your site’s files in cPanel. In the root of your WordPress files, you should see one called .maintenance and you can go ahead and delete it. You can now try to update your site or network again.

3. Auto Update with Automate

Think about this: you log into WordPress, you have your perfectly minimal WordPress dashboard, and then you see it. That red marker telling you there’s an update waiting. Or you see a note at the top of the page that says there’s a new version of WordPress ready for updating.

How annoying!

And you know what happens when people in the digital age find something annoying? They start to develop notification blindness. It’s like those update notifications are just a nuisance begging to be X’ed out or ignored.

Plus, think about it from your clients’ standpoint. They log into WordPress, excited about writing a new blog post today. But then they see some weird red flag that they don’t understand and are completely intimidated by. It’s like seeing a flashing warning on your car’s dashboard. You determine whether it needs immediate action or if it can maybe wait. Clients as well as other users are going to process these the same way (which isn’t good).

But you need to make these updates. That’s why a WordPress plugin that automates the process in a smart and informed way–but still gives you options on what you want to automatically update–is crucial. Soooo…

Here’s Automate!

With this auto-update tool (that comes with each WPMU DEV membership), you’ll never have to worry about auto-updates again. You’ll have full control over what parts of your site get auto-updated, you can schedule backups ahead of time, and, oh yeah, the interface is much friendlier than those horrid notifications within WordPress.

4. Manually Updating WordPress

In cases where the automatic or one-click updates aren’t working even after you try deleting the .maintenance file (or you’re not a WPMU DEV member), you can still update your site or network manually. You can choose to manually update your site or network through FTP or SSH. For details on how to use FTP for WordPress, check out one of our other posts How to Use FTP Properly with WordPress.

Before you can begin with either option, you need to deactivate all your plugins.

Start by going to Plugins > Installed Plugins in your admin or super admin dashboard and deactivating all your plugins.

You can disable them all at once by clicking the checkbox next to Plugin at the top of the list, then selecting the Deactivate or Network Deactivate option under the Bulk Actions drop down box.

Finally, click Apply. A message should appear toward the top of your page to let you know you have successfully deactivated your plugins. Now you can scroll down to the FTP or SSH sections below to update your site with the method you choose since you only need to pick one.

5. Manually Updating via FTP

To manually update WordPress via FTP, download and extract the latest version onto your computer. You can click the download button on the download page of the WordPress.org site to get a copy.

Now, login to your site with your favorite FTP client such as FileZilla and delete the following files:

• Files starting in wp-, except for the wp-config.php file
• readme.html
• xmlrpc.php
• license.txt
• wp-admin folder
• wp-includes folder

If you haven’t made any custom changes to the .htaccess file, you can delete this one as well, but keep it if you made even minor changes.

All your other files and folders should stay intact. Now, stay in your FTP client and access the folder on your computer with the extracted WordPress files. Copy the files to your site that match the ones you deleted, except for the wp-config.php file. Make sure to copy them to the same location where they used to be.

Also, be sure to copy the wp-content/themes/default folder to update or add the latest default theme. Keep in mind that if you previously made custom changes to the default theme that comes with WordPress, they are erased when you add this folder. It’s best to create a child theme and add those changes again after updating.

It’s a good idea to check the wp-config-sample.php file that came with the WordPress version you downloaded and compare it to your wp-config.php to see if there are any additional updates. If there are, you can download your current wp-config.php file in your FTP client, edit the file on your computer to include the changes, then upload it back to your site.

In theory, you could just copy the new files to your site and select the overwrite option, but this isn’t always fool-proof depending on your client so it’s best to make sure the appropriate files and folders are deleted before copying over the new versions. If you’re comfortable with your FTP client and you’re okay with it, you can just overwrite the files on the list.

Once all your new files are copied, run the install script by going to www.your-site.com/wp-admin for single installs and www.your-site.com/wp-admin/network for Multisite. You may need to log in again.

For Multisite, you need to finish by upgrading your network as previously mentioned. If you need to update your database, a message should be displayed in your dashboard with the link to upgrade that you can click to finish the upgrade process.

Double check your permalink structure and change it if necessary by going to Settings > Permalinks in your admin dashboard for single installs.

Also, reactivate your plugins by going to Plugins > Installed Plugins in your admin or super admin dashboard.

Click the checkbox next to the Plugin title at the top of the list or select each checkbox individually for each of the plugins you want to activate, then choose the Activate or Network Activate option under the Bulk Actions drop down box.

Next, click the Apply button. It’s a good idea to check the plugins you’re using to make sure they’re compatible with the latest version of WordPress. If you notice there are updates available to make your plugins compatible, be sure to update them first before activating them. Your site is a lot less likely to brake by updating your plugins first.

The final step requires you to edit your wp-config.php file. You need to generate new security keys by going to the WordPress Security Key Generator page and copying the whole selection that’s generated.

Download your wp-config.php file and delete the section that looks like the following selection and replace it with the new security keys you just copied from the generator page.

 

Of course, don’t use the keys above since it’s made publicly available which means anyone could use it to hack into your site. Make sure to use the generator for your security keys instead.

Save the file and upload it to your site, replacing the old version. You need to log in again to access your dashboard and your site should now be fully updated. You can review the changes that came with the new update by visiting your dashboard’s main page.

6. Manually Updating via SSH

Once you have backed up your site and deactivated all your plugins as previously mentioned, you can log in to your site via your SSH client. For example, you could use the Terminal program that comes with Mac OS X or you could download PuTTY for Windows for free.

The commands outlined below work for Linux servers and PuTTY. If they don’t work for you, then you may need to look up the appropriate commands for your particular server type or SSH client.

Once you have logged into your site, begin by downloading and extracting the latest version of WordPress to a folder called wordpress with Wget. If you don’t have Wget installed on your server, you can check out an Introduction to GNU Wget.

 

Unpack the download with this command:

By default, the download will uncompress into a folder called /wordpress/. If you already have a folder with that name or you want it located in a folder with a different name, you can create a new folder with the command mkdir folder-name and replace folder-name with that actual name you want to use.

Then, before unpacking the download, go to that folder with cd folder-name/ and don’t forget to replace folder-name with the actual name of the folder you created. Uncompress the download and the WordPress files are then stored in /folder-name/wordpress/, but don’t forget folder-name is going to be the different name you chose.

Next, create a directory so you can move your wp-config.php file there since you need to keep it intact and you’re going to be running a command in a moment to delete any file that starts with wp-.

If your WordPress site isn’t at root level, you can navigate to it with the command below:

Be sure to replace wordpress/ with the actual folder name and path from your root directory. If you want to go back to the root if that’s where your site is located and you’re not there already, you can enter cd ~.

When you’re at the location where your WordPress files are stored, you can create a new directory with the following command:

You can choose to replace backup with whatever folder name you would like to use to store your wp-config.php file or you can leave it as is if you’re okay with that name. Now, move your wp-config.php file to this folder with this command:

Once that’s done, you can safely delete all the files that start with wp- in the root of your WordPress files and your wp-config.php won’t be affected. You can delete the necessary files with the command below:

There’s just one more important detail you need to be aware of before entering this last command:

If you made custom changes to your .htaccess file, then don’t include it in the command, even if you only made minor changes.

If you did make changes and you delete the file, your site could break so if you’re not sure, double check before continuing. Now that this is out of the way, delete the wp-admin and wp-includes folder:

Next, move all the new files you extracted to the location where your site is located. If you uncompressed the download to the default folder and your site is at root level, you can move the files with similar commands as the one below.

First, move into the directory with the latest WordPress files:

You can also replace wordpress with the actual path to the files. Once you’re in the correct folder, you can copy the files you need:

Replace file-name.php with one of the real names of the files you need to copy over to your site. Don’t forget to replace path-to-your-site with the real path where your site is located.

Here are all the files that need to be copied:

• readme.html
• xmlrpc.php
• license.txt
• wp-admin folder
• wp-includes folder

You also need to copy all the files starting with wp- and you can do this with a similar command to the one below, not forgetting to update the file path:

Now, copy the entire wp-admin and wp-includes folder to your site, starting with the wp-admin folder:

Once all the files have been moved, run the same command, but replace wp-admin with wp-includes. In both cases, don’t forget to replace path-to-your-site with the correct path.

If you would prefer to copy the files over while replacing the original ones so you can avoid deleting files to save time, you could include -f in front of a file name or -Rf in front of folder names.

As previously mentioned in the last section, you can also move the wp-content/themes/default folder to update or add the latest default theme, though, if you made any custom changes to the default theme previously, they’re erased when you do this unless you created a child theme.

Next, go to the folder where you moved your wp-config.php file. You can use cd ~ to go back to the root of your site, then you can get to the folder from there. If you used the same folder name as the one in the example above, you could enter cd ~/backup/. If you named your backup folder differently, replace backup with the correct name.

To move the wp-config.php file back to your site, you can enter a similar command to the one below:

Don’t forget to replace path-to-your-site with the actual path that leads to your site. It’s also a good idea to check if the latest version of this file has changed. You can do this by going to the folder with the uncompressed files and using the vi wp-config-sample.php command to view the file. To save and exit, enter /wq.

Then, go back to the folder where your site is located and enter the similar command vi wp-config.php to make any necessary edits. When you’re done, save it and exit.

Now you can open a browser window and go to www.your-site.com/wp-admin for single installs or www.your-site.com/wp-admin/network for Multisite. Complete the update, change the permalink structure and reactivate your plugins by following the prompts covered in the last section.

Before you can sit back and relax, you need to update your security keys. Get a set of fresh keys from the WordPress security key generator page and copy them in entirety. In your SSH client, enter the vi wp-config.php command to view and edit the file.

Delete the section that looks similar to the lines below and replace them with the new ones you just copied.

Please don’t use the keys in this example because it would make it a lot easier for hackers to infiltrate your site. Once you have entered in the new keys you received from the generator, save and exit.

Log in to your site and review the changes that have come with the latest update you have now successfully completed.

7. Updating from Much Older Versions

If you need to update from older versions of WordPress, the process is the same, except you also need to delete the following files if they exist:

• wp.php
• If you have a languages folder in the wp-includes folder, don’t delete it. Instead, move it to the wp-content folder.
• cache folder – Located in the wp-content folder, you should only see this if you’re upgrading from version 2.0 so don’t worry if you don’t see it.
• widgets folder – You may not have this folder, but if you do, it’s located under wp-content/plugins/.

8. Auto-Upgrading with Softaculous

There are many auto-installers out there that can install WordPress for you as well as automatically update your site when new WordPress versions become available. One of the most popular of these auto-installers is Softaculous.

You can change your update settings by going to the WordPress page in Softaculous and clicking the edit button in the shape of a pencil next to your domain name listed under Current Installations.

Among the settings, you should see an option listed as Auto Upgrade. You can click the checkbox next to it so that your site can be automatically updated when the newest version becomes available. You won’t need to click a thing in order for your site to update itself when this option is enabled.

Click the Save Installation Details at the bottom of the page to save your changes. If you’re installing a new site or network with Softaculous, you can find this setting under the Advanced Options section. Clicking on that heading reveals the option you need. For more details, check out our post A Guide to the Best Ways to Install WordPress.

There are also many other auto-installers that include auto-upgrading options. If your hosting company had a different one, you can ask them if auto-updating is possible and if it is, you can also ask them for specific instructions to apply automatic upgrades to your site or network.

Keeping WordPress Updated

Now that you have your WordPress site or network updated, it’s important to keep it that way. When new updates become available, be sure to follow the steps outlined here again so you can ensure your site has the latest security upgrades and features.

If you’re interested in more ways you can help keep your site up-to-date with the latest security tools and tips, check out these posts:

• Give Hackers the Smack-Down with Defender,
• WordPress Security: Tried and True Tips to Secure WordPress
• 12 Ways to Secure Your WordPress Site You’ve Probably Overlooked

Were you able to successfully update? What's your favorite way to update WordPress? Have you ever run into troubles updating before and have found out how to fix it? Share your experience in the comments below.

Tags:

• updates
• WordPress Security