How can I easily verify a core or plugin update has not broken anything?

I’m looking for ways to make updating WordPress less frightening for me. I created around 30 company websites based in WP in my career and I feel somewhat responsible for them in regards to security. Even if clients don’t pay me for maintenance – clicking the “update” button every few months shouldn’t be a big deal, right?

I’m always resistant to upgrading for a couple of reasons:

  1. If something breaks on the website during updating, clients are often not willing to pay for the time it takes to fix all the plugins. “It did work, why did you have to change it?!” Only option then is a roll-back and locking down the site.

  2. If something breaks the website and I don’t notice it, I’m screwed. Explaining why a contact form would not work for several weeks after updating is something I don’t want to do again.

  3. Updates for company websites are often not really mandatory. Most security issues happen around user submitted content, ajax and xml-rpc APIs – things I don’t have to bother with when creating static pages that only get a few hundred visits per month. These websites tend to lie idle which of course increases the risk of updating. I have no problem updating a website that is only 2 months old – but I feel resistant to updating a 2 year old website running pre-3.0 or even pre-2.7.

This makes it a game where I have nothing to win and can only lose.

What are your ways of handling this? Any suggestions are highly appreciated and benefit to more secure WP installations out there? 🙂

(for clarity: I’m mainly talking about small company websites or private blogs here where automated tests are not a realistic option)

3 comments

  1. In your specific case, I don’t think the answer is a technical one (see my comment on the question for more details).

    For everyone else, the answer to “How can I easily verify a core or plugin update has not broken anything?” is automated testing. That’s the whole purpose of automated testing, because it’s unreasonable to think you can test everything in a non-automated fashion.

    Here’s a great getting started guide on automated testing with WordPress: http://make.wordpress.org/core/handbook/automated-testing/

    If you’re not willing to go down that road, at the absolute least, my suggestion would be to have your clients list the 3 most important things about their site, and include in the contract that you will test those 3 things with every update. It doesn’t guarantee that something won’t break, but at least you’re resting easy knowing that what matters most to them (by their own admission), like contact forms, didn’t break.
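The "3 most important things" check suggested in the comment above can be scripted as a post-update smoke test. The sketch below is an added example, not part of the original comment; the URLs and expected strings in `SAMPLE_CHECKS` are constructed placeholders for a hypothetical client site.

```python
import re
import urllib.error
import urllib.request

# Text PHP/WordPress emit into a page when a plugin or theme breaks after an update.
ERROR_MARKERS = [
    re.compile(r"(Fatal|Parse) error(</b>)?:", re.I),
    re.compile(r"Warning(</b>)?: .+ on line (<b>)?\d+"),
    re.compile(r"Error establishing a database connection", re.I),
]

def check_page(status, body, must_contain):
    """Return a list of problems found in one fetched page (empty list = OK)."""
    problems = [] if status == 200 else [f"HTTP status {status}"]
    for marker in ERROR_MARKERS:
        if marker.search(body):
            problems.append(f"error text matching {marker.pattern!r}")
    for needle in must_contain:
        if needle not in body:
            problems.append(f"missing expected content {needle!r}")
    return problems

def http_fetch(url):
    """Fetch url and return (status, body), including for 4xx/5xx responses."""
    try:
        with urllib.request.urlopen(url, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def run_checks(checks, fetch=http_fetch):
    """checks maps url -> expected substrings; returns {url: problems} for failures only."""
    report = {}
    for url, must_contain in checks.items():
        try:
            problems = check_page(*fetch(url), must_contain)
        except OSError as err:  # DNS failure, refused connection, timeout
            problems = [f"request failed: {err}"]
        if problems:
            report[url] = problems
    return report

# Constructed sample: the three things a hypothetical client said matter most.
SAMPLE_CHECKS = {
    "https://client.example/": ["<title>Acme"],
    "https://client.example/contact/": ["<form", 'name="your-email"'],
    "https://client.example/products/": ["Add to quote"],
}
```

Run `run_checks(SAMPLE_CHECKS)` once before the update to confirm an empty report, then again afterwards; any URL that appears in the second report is something the update changed.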

  2. I understand the worry but there is no realistic way to predict what changes will be made in Core in the future or what will break because of it, and there is no reasonable way for the site to check itself for errors unless you are willing and able to run some kind of comprehensive test suite on the site at update. I doubt that is practical on a production site and is probably even more dangerous than gambling on the update.

    The best you can do is:

    • use Core functions everywhere possible,
    • avoid deprecated functions,
    • avoid the tendency to write your own queries and other such things
      with a higher than normal chance of breaking with an update,
    • certainly avoid hacking the core,
    • and let the client know that you are done when the site goes live,
      unless they want to pay for maintenance.
    • If they do want a maintenance copy, test the update on a development
      server before pushing it live. That is what I do with sites that I
      maintain.

    I would also suggest that frequent updates are less dangerous than waiting for several releases and then trying to update. I have rarely had trouble with incremental updates but the WordPress.org forums are full of threads about trouble caused when someone tried to leapfrog over several releases.

  3. Business parts aside, consider hosting your client websites on managed hosting services such as WPEngine where the hosting company will take care of upgrades and watch out for malware.

    As a bonus companies like that will give you one-click staging site generation from live site for you to make plugin updates and see what happens.

    The price is well worth it because the client will pay higher price to hire someone to fix their website infected with viruses…
