How to update your WordPress core files securely in 4 steps

by | Feb 25, 2018 | Websites, Build & Maintain, WordPress | 0 comments

As someone who regularly fixes problems on WordPress websites, I get to see the admin area of lots of WordPress websites.

I’ve seen so many websites that are not kept up to date – I’m talking the WordPress core, plugins & theme.

Some problems ARE directly related to the software being out of date.

You may or may not be aware that you need to keep your WordPress core files up to date – all of the time. In this article I will show you how to update WordPress and I will answer the most common questions related to this task.

The 4 steps to update WordPress core files (If you are in a rush and don’t want to read the entire document)

Step 1: Make a backup of your website

Step 2: Update your plugins + theme

Step 3: Update WordPress core

Step 4: Test

That’s the four steps, but I don’t like to oversimplify. Making it sound ‘too easy’ only ends up in you feeling stupid when you come across something you don’t understand.

That’s why I have added lots of Q and As around the subject of updating WordPress.

If there are any other questions I’d be happy to add them to this blog post!


What are WordPress core files?

These are the files that contain the code that makes your WordPress website run. They are not the plugins you add once your WordPress site is up and running. Nope, they are just the core files that everyone has. They control the admin area so you can change your website to give it any look and functionality you like.

Why does the WordPress core need to be updated?

The WordPress development team work very hard behind the scenes to fix bugs in the code and to keep your WordPress site secure. New releases contain bug fixes, new functionality and security updates to keep your site as secure and bug-free as possible.

This is probably a good place to say there are major and minor updates. Major releases happen when new functionality is added to WordPress; minor updates happen when bug fixes and security patches are added. You can read more about versioning here.

“But why do I have to update WordPress myself?” you may be wondering….

Because WordPress is open source and free. It’s your responsibility to make sure it is always updated. Other website providers such as Wix will charge you and part of their fee covers the updating process of their own software.

WordPress sometimes gets a bad name as being easy to hack but the truth is people forget to update their site or they don’t know how to do it. Sites running on old versions of WordPress leave themselves open to hackers. Why? Because hackers love finding weaknesses in systems. They will try to find vulnerabilities in WordPress before the developers do. When they do, they create an automated script that targets WordPress sites, they look for that particular vulnerability and when they find it, bam.. they can hack into your site.

All this is avoided by just keeping your site updated and using strong passwords.

How do I know if my WordPress website needs updating?

Hopefully, you now see the importance of keeping your site updated. It is equally important to know WHEN you need to update! Go to your Dashboard and at the top, on the left-hand side you will see ‘UPDATES’. Next to updates you will see a number in a coloured bubble. This is the number of updates that are needed. Most of these will be plugin updates but if you click on the updates tab, you will see a list telling you exactly what needs to be updated. If WordPress needs to be updated you will see a message at the top of the list.

[Screenshot: How do I know if my WordPress website needs updating]

How often does WordPress need to be updated?

Updates are frequent. If you don’t log in to your website for a few months I guarantee that when you do you will have missed a few essential updates. Take a look at this list of updates and you will see there are usually a few updates each month.

What if I don’t have time to manually check for WordPress updates?

Manually checking for updates can take precious time that I’m sure you don’t have. You can install a security plugin like Wordfence or iThemes Security. They will inform you via email whenever something needs updating. You don’t need to always go to your dashboard. Just wait for the security email, then go to your dashboard and check out what needs updating. Easy.

Should I update my WordPress site manually or automatically?

Ok, now you know your site needs to be updated, what do you do next? Keeping your site updated can still feel like a big task but believe me the more times you do it, the easier it will become. Let me explain how you can keep your site updated and I’ll also cover some VERY important information you need to be aware of before you update. But first let me explain the different ways you can update your WordPress website. You can update manually or automatically.

What is a manual WordPress website update?

A manual WordPress update is where you have to click on a button in your admin area that says UPDATE NOW. See that figure above that tells you your WordPress core files need to be updated? Well, right there is a big blue button that says “UPDATE NOW”. A manual update just means you manually click on that button. When you click on this button your site will automatically be put in maintenance mode while the update is going on. It usually takes less than a minute to complete and you will see a message when it is complete. However, don’t be fooled into thinking it’s as simple as that. There are certain things that need to be done BEFORE and AFTER an update. Please see the sections at the end of this post “What to do BEFORE a WordPress update” and “What to do AFTER a WordPress update”.

What is an automatic WordPress website update?

An automatic WordPress update is where there is no pressing of buttons, no checking for updates, WordPress just updates itself, whenever there is an update. While this may sound like a dream scenario there is one big problem associated with automatic updates. That problem is there is no checking for incompatibility issues after an update. The worst case scenario – which is more common than you may think, is where your WordPress website has updated while you were cosy sleeping in your bed, but unknown to you, it caused half of your website to disappear because a plugin was suddenly incompatible with the new version of WordPress. You need to think carefully if automatic updating is for you.

Are automatic WordPress updates suitable for me?

To answer this question we need to assess the risk of incompatibilities. I have been building WordPress websites for over 9 years and incompatibilities are something I see far too often. There are two main factors that put you at risk of incompatibilities.

  1. You are using many plugins on your site. In fact, you thought the more the merrier! You love plugins and all the whistles and bells they allowed you to add to your website.
  2. Many of your plugins are from ‘I don’t care where/who so long as it’s free’.

Let me explain. If you are using tons of plugins, you have more chances of things going wrong. Limiting your plugins means limiting your risk. Too many plugins slow down your site and overcomplicate your build so limiting your plugin use improves speed, reduces your overwhelm and simplifies your job as a webmaster. (By the way, if you are managing your own website then you are a webmaster).

If you are not thinking carefully about where your plugins are coming from there is a big risk that the developer will not keep them updated. This means that there is a big risk of incompatibility issues with each new release of WordPress.

It’s always best to use plugins from a reputable source and to avoid free plugins from a developer with no reputation.

TIP: To find the best plugins, always check the ratings and always check when the plugin was last updated. It needs to be tested with the recent WordPress installation too. 

How do I disable automatic WordPress updates?

By adding this line of code to your wp-config.php file (always take a backup of your file before modifying it).

define( 'WP_AUTO_UPDATE_CORE', false );

How do I enable automatic WordPress updates?

By adding this line of code to your wp-config.php file (always take a backup of your file before modifying it).

define( 'WP_AUTO_UPDATE_CORE', true );
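
The constant also accepts a third value that the two answers above do not show. As an added example (not code from the original post), this wp-config.php fragment sets the three options side by side; 'minor' keeps the bug-fix and security releases automatic while leaving major releases for a manual update after a backup.

```php
// wp-config.php fragment (added example, not from the original post).
// Keep exactly ONE define() active, and place it above the
// "That's all, stop editing!" comment so it is read before
// wp-settings.php loads.

// Option A: no automatic core updates at all.
// Security releases also wait until someone clicks UPDATE NOW,
// so only choose this if update alerts reach you reliably.
// define( 'WP_AUTO_UPDATE_CORE', false );

// Option B: every core release installs itself, major ones included.
// This is the setting that can leave you with an incompatible plugin
// after an update you did not watch.
// define( 'WP_AUTO_UPDATE_CORE', true );

// Option C: only minor releases (bug fixes and security patches)
// install automatically. Major releases stay manual, so you can
// back up and check plugin compatibility first.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
```

This constant controls WordPress core only; plugin and theme updates are handled separately.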

How do I manage WordPress updates without touching any code?

Updating code IN a file is not everyone’s bag, so there is a neat little plugin you can use

What should I do before a WordPress update? [**ESSENTIAL READING**]

STEP 1: Before you update, whether automatic or manual, you need to back up everything.

Not only that, you need to have a restore procedure in place should anything go wrong.

Some web hosting companies provide backups but depending on the package you are paying for they may not be suitable. They might not back up before an automatic update, for instance. Or you might have to pay for a restore.

If you are on a tight budget, I recommend the Free version of Updraft. You will need to be doing manual updates for this to work for you because the free version doesn’t take a backup before updating.

If you have a bit of budget and don’t want to do manual updates, then go for the paid version which also takes a backup just before updating.

There are other plugins but this is the one I use for my clients who are on a low budget and are happy with manual updates.

STEP 2: Update all your plugins so they are all compatible with the latest release of WordPress.

You may have to check them one at a time to check for compatibility.

If a plugin needs to be updated there will be a message alongside it to say if it is compatible with the latest version of WordPress.

[Screenshot: Plugin compatibility with latest release]

If you update the plugin without it being compatible you run the risk of incompatibilities.

Some plugins won’t even have released an update. For these plugins you can always check the source of where your plugin came from. Ask the developer if you have to.

For plugins that come from the free WordPress repository, you click on the ‘View Details’ link (in the plugin settings page) and you will see the details of the plugin. You can see below this plugin is not yet compatible with version 5.6 which has just been released. It is only compatible with version 5.5.3.

[Screenshot: Plugin not compatible yet]

So, it will be your call if you want to update WordPress with non-compatible plugins.

If you don’t want to risk it, it’s ok to wait a week or so. Hopefully updated plugins will be released and they will be marked compatible.

How do I update WordPress?

Step 3: Go to WordPress -> Dashboard and click on the UPDATE NOW button. 

[Screenshot: WordPress UPDATE NOW button]

The site will temporarily be put into maintenance mode while the update takes place.

It shouldn’t take long for the update to complete. You will see a success message when it’s all done and you will be shown what the latest changes are in the update you have just installed.

What should I do after a WordPress update?  [**ESSENTIAL READING**]

Step 4: You should verify everything is working.

Check each of your main pages (home / about / contact etc) and check your blogs load as expected. Then check each functionality e.g. do you have a social sharing plugin? Then check you can still share your content. Work through each plugin so you can verify it works as expected. This may take you some time depending on how much functionality you have on your website.  If you find a problem then you will need to disable your plugin. Contact the developer to find out when it will be updated. If it’s not going to be rectified quickly then you may have to consider an alternative plugin.


WordPress core updates shouldn’t have to feel complicated. The more you do it the easier it will feel.

Always take a backup before you start.

Make sure your plugins are compatible.

If you have too many plugins and it feels overwhelming you can always ask me for help. I maintain WordPress websites and manage the updates for my clients. You can read more about my WordPress management & maintenance service here.

Whatever happens, please, please update WordPress regularly, it will save you a lot of problems in the long run.

Over to you

Do you have any questions regarding the updating of your WordPress core files? Leave a comment below!






About Karen Weider

I have been building strategic, marketing websites since 2011. I have supported many businesses as they get online and grow their business and I firmly believe that planning is crucial to online success.

I help women who are action takers and want to build their own website and I support established who are looking for a long term website strategic & technical partner.

I love working with change makers who are following their heart and have been called to share their message and make a huge impact in the world.
