How to Update WordPress in a Secure Manner (Manually & Automatically)

Keeping your WordPress installation up to date is mandatory if you would like to preserve your website bug-free and also secured with the most recent security fixes and updates from the WordPress team.

In this tutorial you will find the following information:


Prior to Updating – Create a Backup #

Usually, WordPress updates are speedy and easy to make. Making a lot of small updates frequently minimizes both the risks associated with running an older version of WordPress and the possible risks of breaking your website or losing data during updating.

However, according to statistics, only 39% of users are running the latest version, and from the rest, 0.18% are using versions below 3.7. That specific WordPress version is an important milestone as it marks the introduction of the Automatic Background Updates and safe updating mechanisms that came with it. It is generally considered more reliable to update from version 3.7 to the latest version than to do updates from a version before it. Still, we would suggest that you build a habit of creating backups, even when doing minor updates to be on the safe side.

If you are running an ancient version of WordPress like version 0.7 or version 2, for example, you can update directly to the latest version with the below-mentioned guide. However, we advise you to update to the next major version until you get to 3.7 and then use the 1-click dashboard update to complete the entire process. That way, especially if you have a lot of data on your website, you will be able to monitor the updating process in detail. You can check between each update if every feature on your website works as intended.

  • Backup Files
    To perform a backup, you will have to save both your files and database. Your data can be easily protected, especially if your website is smaller. For sites below 1GB, you can navigate to cPanel → File Manager.

    Here you need to find the location of your WordPress installation. Usually, that is the public_html, but if your installation is in a subfolder, you can take the entire folder and compress it. Note that you must have enough free space on your hosting plan to do this. We recommend leaving at least 1GB free after generating your backup.

    Note that you must have “hidden files enabled” so you can also archive your .htaccess file which is very important for your website correct operation.

    View Hidden Files via the File Manager Settings

    For sites bigger than 1GB, we strongly advise that you use an FTP client, connect to your hosting account, and download all of your files. We have extensive tutorials on how to operate with the popular FTP clients, which should help you if you are not familiar with setting up and using one.

    Backing up your files will ensure all of your plugins and their configurations, as well as custom theme edits, are safe from possible corruption/overwriting.

  • Database
    The second part of the backup process involves your Database. Your pages, posts, and links are stored in the database or have a value representation there. The database is linked with a lot of functionality and different files on your website, which makes it a vital part of its existence. For more details on how to export your database with the help of phpMyAdmin, check our “Backing up your website manually” tutorial.
  • Validation of File Copies
    A step which many users skip but is important considers the validation of the saved data.

    Have you ever moved a photo in your computer and then deleted it only to find that its copy was not created or it is not accessible for a viewing?

    Now imagine this on a scale of thousands of files containing your entire digital personality or business and livelihood. The last thing you have to do is to deactivate your plugins. Some plugins change the way WordPress works to a different extension of the code involved. Due to this, updating while having your plugins active can mess up with their configuration and with the files associated with them.


Why Update WordPress? #

As we have already established, updating should not be taken as a chore which you must do every few months. Instead, think of it as something you should look forward to. The benefits are tremendous, and it only cost a small fraction of your time. Below we have provided some additional statistics which should sway you to team Update if you haven’t joined already:

  • Security Improvements
    61% of hacked websites were breached due to older WordPress versions compared to 8% being hacked due to weak passwords. From 4000 vulnerabilities, 31.5% are in core, 14.5% themes, and 54% in plugins.
  • Bug Fixes and Stability Patches
    WordPress introduces new features and tweaks regularly, but sometimes with the useful additions also come bugs. That is an inevitable part of the process, but the WordPress team is quick to squash any bugs from the last release in the new one. Just from version 5.0-5.2.3, hundreds of bugs have been fixed. Performance has also been improved whenever possible, especially with the utilization of newer PHP versions – something which we have already discussed in our PHP 7.3 blog post.
  • New Features
    The number of features and their ease of use are one of the main factors in choosing a platform for a website. Over the years, we have seen a lot of useful features. Many of which started as separate plugins before being integrated into the Core. We also observe a lot of plugins being extended or merged with others thanks to leveraging new ways the platform lets us use its “frame” to build on.
  • Better Compatibility with Themes, Plugins and Other Tools
    Plugins and Themes especially paid ones, tend to advance in properties as the WordPress Core advances. That is due to the above-mentioned new code, added in the Core that allows authors to make their products better. The platform also pushes PHP version updates which increase performance as already mentioned in our PHP 7 post. Due to this, people using older versions of WordPress will miss out on all the new and cool features and possibly risk the stability and security of their website. As using an older Core version also require some themes and plugins to be used in their outdated forms, when you don’t update the platform, you are immensely increasing the security risk.

What requires updates in WordPress? #

  • Core
    The WordPress Core files are all files which form WordPress as a platform – the basis on which you build your content and website. Some of the Core files which you are likely to work with at some point of your online journey are functions.phpadmin.php.htaccess, and wp-config.php. These files control access to your website, link structure, database and files interactions, your settings, the admin dashboard functionality, features usable on your website, and many more. Unlike plugins and themes, you cannot remove core files as they are an integral part of your WordPress Installation.
  • Plugins
    With plugin updates, it is recommended not to use the automatic update all plugins button. The reason for that is that plugins may interfere with one another, especially when they are complementary and you have downloaded two or more to do similar tasks. You should check the changelog for each plugin and see from and to which versions you are updating.

    Overview of Available Updates for WordPress Plugins

    Then go through all of the changes and look for discrepancies. If you see that something fundamentally changed, you should backup and then update. By updating the plugins one by one, you can easily detect when and why the issue arose compared to if you update ten at once. Narrowing down plugin compatibility issues after a bulk update can be a nightmare. For more information on this, you can check our “How to Prevent and Troubleshoot Faulty Plugins in WordPress” blog post.

  • Themes
    Updating themes frequently will at some point also re-write files that you may have changed to better present your website online. An excellent way to modify the default theme is by using a child theme. Child themes are widely used to test theme features for future implementation on a website. They are an identical copy on which you can work without messing with the original files – a development environment, so to speak. In our “How to Create a Child Theme” tutorial, you can read more about Parent and Child themes.

How to Update The WordPress Core #

There are a few ways to update your WordPress installation, which range in complexity and are useful in different situations.

How to Update WordPress via the Admin Dashboard (1-Click) #

WordPress 3.7 introduced an easy-to-use updater, which will take you directly to the current version with a single click. This updating process is safer, and it is possible to one-click update from 3.7 to any later version.

Update WordPress from 3.7 to latest version

If you just manually update from version 0.7 to version 5.2 and something breaks, you will have a hard time finding which iteration of WordPress introduced the conflict which is responsible for this behavior. But as version 3.7 is a lot similar to newer versions than 0.7 it is possible to get that one-click update.

If you still think updating is hard, just click on the “Please update now” link to initiate the update procedure.

Initiate the 1-click Update Process in WordPress

You will be reminded to backup your files and database, so if you’ve already done that you can click on Update Now to continue.

Confirm Automatic Update Procedure in WordPress

After a few seconds, you will see the welcome screen of WordPress inviting you to check the newest features for your website.

WordPress completing an Automatic Update to Latest Version

Currently, you can update past 281 releases since version 3.7 with a single click.

How to Update WordPress via Softaculous #

As many of our customers use Softaculous to install WordPress and create their websites, it might not come as a surprise that Softaculous also provides updates similar to the 1-click dashboard update. To initiate an update that way, navigate to your cPanel → Softaculous. If there is an available update for your website, you will see a reminder for it in your dashboard. Click on it, and you will be directed to all of your Softaculous App Installations.

Initiate a WordPress Update via Softaculous

Click on the blue arrows update button to get into the update interface for that particular installation.

WordPress Version Update Choices in Softaculous

In this window, you will be able to select the exact version to which you want to update. Note that latest versions are not always available on the day of release in Softaculous. Here you will also be able to create a Backup to which you can revert.

Note that in some cases, you might have to force the update as Softaculous will provide you with the following message.

Forcefully Update WordPress in Softaculous

Check the Forcefully Upgrade box and click Update again.

How to Update WordPress Manually Via FTP #

To help you with updating, the folks over at WordPress have provided an extensive release archive which contains 36 branches, 363 releases, and 505 beta/RC releases. That means that by manually updating your website, you have better control over the process compared to 1-click and automatic updates.

Step 1 – Download The Latest Version of WordPress #

You can download the version to which you want to upgrade via the link mentioned above. Click on the .zip link if you’re going to upload the files via FTP later.

Download Updated WordPress Version in a zip Format

If you are going to use SSH, you can download the file directly into your hosting account, thus skipping step 3 by utilizing the following command:

wget https://wordpress.org/wordpress-5.2.3.tar.gz

In this case, version 5.2.3 will be downloaded as a tar.gz file which you can then decompress by using:

tar -xzvf wordpress-5.2.3.tar.gz

This action will extract the contents of the package to a folder called “wordpress”.

Note that SSH access is also available via your cPanel’s Terminal feature. If you want to use a client, you can always utilize PuTTy, MTPutty, or another client of your choice. For more information on that client, visit our “How to use PuTTy” tutorial.

Step 2 – Access Your WordPress Root Directory #

What you have to do with the files, is transfer them in the root directory of your WordPress. If your website is accessed just via just your domain, then your root folder will be public_html.

Navigate to Root WordPress Directory

However, if you have installed the platform in a subfolder, you will have to navigate to that specific folder.

Working with FTP

The process of uploading files is considered a basic FTP client action. If you are not sure how to utilize an FTP client for transferring files, you should check our FTP client guide.

Step 3 – Prepare your existing installation for the update #

While overwriting errors are rare, you can avoid them completely by first preparing your current WordPress directory and removing some of the files. Let us split the files in your installation in two groups.

Delete these Files and Folders:

  • wp-* (except for those in the other group), readme.htmlwp.phpxmlrpc.php, and license.txt files;
  • wp-admin folder;
  • wp-includes folder;
  • wp-content/plugins/widgets folder;
  • wp-includes/languages/ folder – If you are using a language file, move it to wp-content/languages/ and then delete wp-includes/languages/

DO NOT DELETE these folders and files:

  • wp-config.php file;
  • wp-content folder – You will have to overwrite some files here when uploading the update.
  • .htaccess file;
  • Custom Content and Plugins – If you have any images or other custom content or Plugins inside the wp-content folder, do NOT delete them.

Step 4 – Upload New Versions #

The wp-content folder holds your WordPress Themes and Plugins. These should remain. Upload everything else first, then upload only those WordPress files that are new or changed to your new wp-content folder. Overwrite any old versions of default plugins with the new ones.

The WordPress default theme has changed, so you will want to upload the wp-content/themes/default folder. If you have custom changes to the default theme, those changes will need to be reviewed and installed after the upgrade.

How To Update WordPress via WP-CLI #

WP-CLI is useful for managing your WordPress websites from the command line. That is useful if you manage a lot of websites for you or your clients making WP-CLI the preferred tool for developers.

WP-CLI Version

Our FastCloud hosting plans utilize the latest version of WP-CLI

Firstly, you will have to access your hosting account via SSH. Then you will have to navigate to the root directory of your website:

cd /home/user/public_html/yourwebsite

Be sure to replace the user and yourwebsite with your actual data, then run this command to check if there is an available update for WordPress:

wp core check-update

The output from that command will indicate the available update:

Check for Core WordPress Updates via WP-CLI

| version | update_type | package_url
| 5.2.3 | major | https://downloads.wordpress.org/release/wordpress-5.2.3.zip

If you are already using the latest version, you will see this message – “Success: WordPress is at the latest version.”

To update to the latest version use:

wp core update

The following output confirms the update was successful:

Update WordPress using WP-CLI

Updating to version 5.2.3 (en_US)...
Downloading update from https://downloads.wordpress.org/release/wordpress-5.2.3-no-content.zip...
Unpacking the update...
Cleaning up files...
No files found that need cleaning up.
Success: WordPress updated successfully.

If you are experiencing issues such as WP-CLI reporting that your website is up to date when it is actually not, you can force the update to a certain version using:

wp core update --version=5.2.3 --force

Just change 5.2.3 with the version to which you want to update your website.

You can also update only to a minor version of a specific release branch. For example, the following command will update your WordPress to version 4.9.10, which is the last release before branch 5.0:

wp core update --version=4.9 ../latest.zip

Lastly, if you only wish to update to a minor version, use:

wp core update --minor

This command will update 5.2.2 to 5.2.3 instead of 5.3.

How To Update WordPress Automatically #

When automatic updating was introduced to WordPress, there were a lot of debates on how beneficial it will be and how it compared to manual updating in terms of pros and cons.

With Automatic Background Updates #

Since WordPress is 3.7 and higher, the CMS can check for minor updates every 12 hours and update itself automatically. That can be used to save you a lot of time if you are managing multiple WordPress installations. Also useful in case you don’t want to miss the smaller but still essential security updates which come with minor versions.

As with most features on the platform, this too can be altered. For example, if you also want to have automatic updates for major version changes, you can do that via the wp-config.php by adding:

define('WP_AUTO_UPDATE_CORE', true);

The automatic updates are enabled by default unless you have made the installation via Softaculous without checking the box. But if you want to disable them, you still can do that by adding:


While not recommended, some users may find this option attractive, due to the planned and uninterrupted workflow which manual updating provides.

With a Plugin #

Of course, not every website owner feels comfortable editing the core files of the application he uses. That is why there are several plugins that can help you control your update settings. One of the most popular ones is the Easy Updates Manager, and the name fits pretty well.

Configure the WordPress Update Process with a Plugin

With it, you can make changes to core, plugin, and theme update behavior. You can disable all updates or enable automatic background updates with single clicks and no file code editing.


Troubleshooting #

Persistent “Another update is currently in process” – You might see this error if you are working on a team project in which there are more than one administrator role users configured in WordPress. If two or more administrators try to initiate updates (can be core, plugin, or theme) at the same time, only one of the update process will start. The other admins will receive this error message. That is a defense mechanism that locks the database when an update is initiated. That is done to protect it from a possible conflict in case another update tries to modify the same records at the same time.

While this is a great way to protect the database from faulty tables as the lock is configured to remove itself once the update has finished or 15 minutes have passed, sometimes the message will persist.

In this case, you will need two remove the lock yourself, and there are two ways you can do that.

The first and more accessible way is by using the Fix Another Update In Progress plugin. Install and activate it, click on the newly created button in your dashboard’s settings section and then hit the “Fix WordPress Update Lock“.

Utilizing phpMyAdmin and running a query in your database. We have a great tutorial on “How to use phpMyAdmin” which you should check out if you have no prior experience with this database administration tool.

Select your WordPress database in phpMyAdmin and click on the wp_options table. Note that if you have multiple installations, this table will likely have two more characters after wp so it may look like this – wpfg_options.

Now find the option name core_updater.lock and click on the Delete button next to it. Now go back to your dashboard and hit refresh to get the error removed from it.

Note that if you cannot find the core_updater.lock option or if after removing it the issue persists, you should repair the wp_options table. Such repairs can be done via a plugin or directly from within phpMyAdmin by selecting the table and choosing Repair Table from the “With selected” drop-down menu at the bottom of the page.

Scrambled Content and UI – If the content of your blog is not in order after an update, you will likely have to deactivate all of your plugins and re-enable them one by one. By using this technique, you will find the plugin which is messing with your website’s layout. Update the plugin if possible or find an alternative one, and don’t forget to report the issue to the authors of the plugin, especially if it is a well-maintained one.

WordPress Multisite Network Update Freeze – If you are trying to update a Multisite installation to version 5.x.x the process might get stuck (usually at “Preparing to install the latest version”) indefinitely. That can happen when a default theme is not installed alongside the active theme as WordPress needs a theme it can switch to in case things go south when updating. Simply install a backup theme so WordPress can proceed with the update.

Stuck in Maintenance Mode – When you initiate an update, WordPress will automatically put your website in maintenance mode to prevent users from viewing uncompleted content. Usually, as updates require seconds, this happens very fast, and your visitors don’t even notice it. However, the process can be interrupted, which will not only jeopardize your update but also leave your website in a permanent maintenance mode.

The easiest way to escape this sticky situation is by accessing your installation files and finding the .maintenance file, which is usually created when starting maintenance and removed when it’s over. A full guide on removing maintenance mode in the situations where it becomes a problem can be found in our “How to Fix WordPress Stuck in Maintenance Mode” article.

WordPress, at its core, is an intricate system with almost a million lines of code. Having such complexity means that many functions interact with each other, and at some point, obsolete parts are removed or substituted with other more advanced ones. Updating the platform guarantees that the risk factor of someone trying to abuse old or less efficient code is at its minimum and also provides you and your visitors with the newest functions to use on your website.

If you encounter something which we haven’t covered in this expansive tutorial, make sure to contact us with your recommendations. That way, we keep this page as the go-to place for anyone looking for information on Updating WordPress.

Leave a Reply