Stop treating updates like a chore
Somewhere along the way, “update the website” landed in the same mental bucket as “clean the gutters” — a chore, vaguely virtuous, easy to postpone, consequences someday. That framing is wrong, and it’s expensive.
Updates aren’t housekeeping. They’re the immune system of your website. Most successful WordPress attacks don’t involve a genius hacker — they involve a bot scanning the internet for sites running a plugin version with a publicly documented hole. The patch existed. It just wasn’t applied. The “chore” you postponed was the lock on the front door.
Why postponing feels rational (and isn’t)
Here’s the trap: the one time you did run updates, something broke. So your brain filed updates under “risky,” and skipping them under “safe.” It’s exactly backwards — but it’s based on a real experience, so it sticks.
What actually happened: you ran six months of updates in one click. Twenty things changed at once on a live site with no backup rehearsal and no staging copy. Of course it broke — and of course it was impossible to tell which change broke it. The lesson was never “updates are dangerous.” The lesson was “updating like that is dangerous.”
The math of small batches
Compare two sites over a year. Site A updates weekly: each batch touches two or three plugins, takes minutes to test, and if something looks off, the culprit is obvious and the rollback is tiny. Site B updates “when we get around to it”: each batch touches twenty-five things, testing is impossible, and any failure is an archaeology project.
Same software. Same updates. Wildly different risk — because risk lives in batch size, not in updating itself. Small and often beats big and brave, every single time. It’s the same reason sites that “keep breaking” almost always turn out to be sites that update in panicked bursts.
What a grown-up update routine looks like
- A schedule, not a mood. Weekly, same day, rain or shine. Routine is the whole technology.
- Backup first, every time. A backup you’ve actually test-restored — an untested backup is a hope, not a plan.
- Staging for the big ones. Major version bumps, WooCommerce releases, and anything touching checkout get rehearsed on a copy of the site first.
- Eyes on the result. After updating, someone checks the pages that pay the bills — home, checkout, forms — not just “the site loads.”
- A changelog. One line per batch. When something’s weird on Thursday, you know exactly what changed Tuesday.
Run that loop for a month and updates stop being an event. Run it for a year and they stop being a thought. The orange badge never climbs past single digits, security holes close within days of disclosure, and version-to-version changes stay small enough that nothing ever breaks dramatically again.
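As an added illustration (not code from this article), the staging and changelog rules above can be applied to a weekly batch mechanically. The sample is constructed in the shape of `wp plugin list --update=available --fields=name,version,update_version --format=json`; every plugin name except woocommerce, and the `ALWAYS_STAGE` set, are hypothetical.

```python
import json
from datetime import date

# Constructed sample input; versions and most plugin names are made up.
SAMPLE = """[
 {"name": "woocommerce", "version": "8.9.1", "update_version": "8.9.3"},
 {"name": "contact-form-plugin", "version": "5.8", "update_version": "5.8.1"},
 {"name": "seo-plugin", "version": "21.9", "update_version": "22.0"},
 {"name": "checkout-addon", "version": "1.4.0", "update_version": "1.4.2"}
]"""

# Assumption: each site keeps its own list of plugins that touch checkout.
ALWAYS_STAGE = {"woocommerce", "checkout-addon"}


def major(version):
    """Leading numeric component of a version string, e.g. '22.0' -> 22."""
    head = version.split(".")[0]
    return int(head) if head.isdigit() else None


def triage(pending, always_stage=ALWAYS_STAGE):
    """Split pending updates into (direct, staging_first) lists."""
    direct, staging = [], []
    for p in pending:
        old, new = major(p["version"]), major(p["update_version"])
        # An unparseable version is an unknown change size: rehearse it first.
        risky = (p["name"] in always_stage or old is None
                 or new is None or new > old)
        (staging if risky else direct).append(p)
    return direct, staging


def describe(plugins):
    """Render 'name old->new' pairs for one changelog field."""
    items = [f'{p["name"]} {p["version"]}->{p["update_version"]}'
             for p in plugins]
    return ", ".join(items) or "none"


def changelog_line(day, direct, staging):
    """One line per batch, so Thursday's oddity maps to Tuesday's change."""
    return (f"{day.isoformat()} | live: {describe(direct)}"
            f" | staging first: {describe(staging)}")


if __name__ == "__main__":
    direct, staging = triage(json.loads(SAMPLE))
    print(changelog_line(date.today(), direct, staging))
```

Note that the WooCommerce patch release lands in the staging list even though its major version is unchanged, because it is on the always-stage list.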
The part nobody mentions: watching
An update routine without monitoring is a letter without an address. Sometimes a perfectly good update still misbehaves — a plugin conflict surfaces two days later, a cron job silently stops. The difference between a non-event and a crisis is whether anyone’s actually watching for the misbehavior — uptime, error logs, security scans — or whether the discovery is delegated to your customers.
The clock you’re racing (whether you know it or not)
One more reason cadence beats bravery: when a plugin vulnerability is disclosed, a countdown starts. Within hours, automated scanners begin sweeping the internet for sites still running the holey version — not targeting you specifically, just harvesting everyone who hasn’t patched. The window between “patch available” and “actively exploited” keeps shrinking; for popular plugins it’s now routinely measured in days, sometimes hours.
A weekly update rhythm means you’re patched within days of any disclosure as a side effect of ordinary routine — no vigilance required, no security newsletter to monitor, no heroics. A quarterly batch means you spend most of every year inside someone’s scanning window. Same effort over twelve months; completely different exposure. The schedule, not the diligence, is what closes the door.
Or: never think about this again
Everything above is doable in-house if someone genuinely owns it. The honest question is whether that someone exists — or whether it’s you, at 9pm, doing a job you never applied for.
This exact loop — scheduled updates, tested backups, staging, monitoring, changelog — is the core of our care plans, done weekly by people who do it for a living, at a flat monthly rate. Your site quietly gets the immune system it was always supposed to have, and you get the orange badge out of your life. If that sounds better than bravery, let’s talk.