WordPress updates are necessary. They patch security holes, fix bugs, and add features. They also occasionally break things. The bloggers who never have update problems aren’t lucky — they update in the right order with the right precautions.

Short answer: Back up first. Update plugins one at a time. Test after each. Update WordPress core after plugins. Update themes last. If using staging, test there first. Don’t ignore minor updates; they’re often security patches. Don’t auto-update major versions without testing.
A WordPress dashboard showing available updates for core, plugins, and themes

The three types of WordPress updates

1. WordPress core

The WordPress software itself. Two kinds:

  • Minor releases (5.5.1 → 5.5.2). Usually security and bug fixes. Auto-install by default. Low risk.
  • Major releases (5.5 → 5.6, or 6.x → 7.x). New features. Higher risk of compatibility issues.

2. Plugins

Each plugin updates independently. Some daily, some quarterly. Frequency varies by plugin.

3. Themes

Updated less often than plugins. When updated, can affect site design and structure.

The update order

If multiple things need updating, the right order:

  1. Plugins first. Most plugins lag behind new WordPress versions. Update them so they’re compatible with whatever core version you’re about to install.
  2. WordPress core next.
  3. Themes last. Themes often depend on plugins and core; update them once those are current.

This order minimizes compatibility problems.

Before any update

1. Take a backup

Always. Even for minor updates. If it breaks, you have a recovery path.

UpdraftPlus, your host’s backup, or BlogVault — any of them, just take one.

2. Check your update notes

WordPress’s “What’s New” notes and plugin changelogs often mention breaking changes. Worth a quick skim.

3. Use staging if you can

Test the update on staging before pushing to live. Catches most issues before they affect real visitors.

Most managed WordPress hosts include staging (Kinsta, WP Engine, SiteGround, Cloudways).

Updating plugins

One at a time

WordPress lets you update all plugins at once. Don’t.

Update one. Visit your homepage and a post to verify everything still works. Move on to the next plugin.

If 8 plugins update at once and the site breaks, you don’t know which one broke it. Sequential updates make troubleshooting easy.

For minor plugin updates

Same plugin, minor version (1.2.3 → 1.2.4). Usually safe. Update without extensive testing.

For major plugin updates

1.x → 2.x. Higher risk. Check the changelog for breaking changes. Test on staging if possible.

If you can’t update one plugin

Sometimes a plugin update is incompatible with your setup. Options:

  • Wait. The plugin developer may release a fix.
  • Find an alternative plugin.
  • Pin to the current version manually (advanced).

Don’t ignore for months. Outdated plugins are security risks.

Updating WordPress core

WordPress core updates appear in your dashboard.

Minor releases

Auto-install by default since WordPress 3.7. Low risk. Mostly security patches.

If you’ve disabled auto-updates, enable them for minor releases. The security benefit outweighs the small risk.

Major releases

WordPress will not auto-install major releases unless you’ve explicitly enabled it.

Recommended workflow:

  1. Wait 1–2 weeks after release. Lets the community find and fix common issues.
  2. Update plugins to versions compatible with the new core.
  3. Test on staging.
  4. Update core on live.
  5. Verify site works.
WordPress staging environment showing a major core update being tested before live deploy

Updating themes

Themes update less frequently. When they do:

If you use a child theme

The parent theme update is safe. Your customizations live in the child theme and survive.

If you don’t use a child theme but customized the parent theme

Updating overwrites your customizations. Solutions:

  1. Don’t update.
  2. Update and re-apply customizations (tedious).
  3. Migrate to a child theme first, then update.

If you ever touch theme files, set up a child theme first.

Auto-updates

WordPress 5.5+ supports per-plugin auto-updates. You can enable on individual plugins from the Plugins screen.

Auto-update yes for

  • WordPress core minor releases (default).
  • Reliable, well-maintained plugins with strong reputations.
  • Security-focused plugins where prompt updates matter.

Auto-update no for

  • WordPress core major releases (test first).
  • Theme updates (test first).
  • Plugins central to your site (caching, page builder, e-commerce).
  • Less-maintained plugins where updates have broken things before.

The “broken site after update” recovery

If something breaks after an update:

If you can still access the admin

  1. Deactivate the plugin that was just updated.
  2. If problem persists, check the recently-updated theme.
  3. If still broken, restore from backup.

If you can’t access the admin

  1. Connect via SFTP or your host’s file manager.
  2. Navigate to /wp-content/plugins/.
  3. Rename the problem plugin’s folder (add “-disabled” to the name). This auto-deactivates it.
  4. Try logging in again.
  5. If still broken, restore from backup.

White screen of death

A specific failure where every page is blank.

  1. Enable WP_DEBUG in wp-config.php to see the actual error.
  2. Often a PHP fatal error from a plugin conflict.
  3. Deactivate the most recently updated plugin via SFTP.

The “I updated and nothing works” major-update issue

Major WordPress core updates occasionally have compatibility issues with older themes or plugins.

If a major core update breaks things:

  1. Restore from backup (puts you back on the old core version).
  2. Identify what broke (often an old plugin).
  3. Update or replace the problem plugin.
  4. Retry the core update.

How often to check for updates

Weekly is enough for most blogs:

  • Log into the admin once a week.
  • Check the Updates page.
  • Apply available updates (in the right order).
  • Verify the site works.

5–10 minutes per week. Compounds into a site that stays current.

The “I never update” risk

Sites that haven’t been updated in 6+ months are sitting on known security vulnerabilities. Auto-attackers find them. Eventually one succeeds.

Updates aren’t optional. They’re maintenance. Build the weekly habit.

For sites with custom code

If you have custom plugin code, custom theme code, or custom integrations:

  • Test more aggressively. Custom code can break in subtle ways across updates.
  • Always use staging for major updates.
  • Read the update notes carefully for breaking changes.
  • Keep version control of your custom code.

PHP version updates

Not WordPress itself, but related: your host’s PHP version. WordPress recommends PHP 8.0+ as of recent versions.

If your host runs older PHP (7.4 or below):

  • Performance is significantly worse.
  • Some plugins won’t work.
  • Security patches eventually stop.

Most managed hosts let you update PHP from their control panel. Do so. Test on staging first if you have it.

The honest summary

Update WordPress, plugins, and themes regularly — weekly check is enough. Always back up first. Update plugins one at a time, then core, then themes. Test on staging for major updates. Auto-update minor releases; manually approve major ones. Use a child theme if you customize the parent. Recovery path: deactivate via SFTP if admin is locked, restore from backup if all else fails. The “I don’t have time to update” attitude is how WordPress sites get hacked.