How Often Should You Update Your WordPress Website?

Updating a WordPress website is a multi-faceted task. Content isn’t the only update necessary to keep your site running; security updates are equally important.

How and when you update your site matters, so here’s a look at several WordPress updates, why the updates are necessary, and how often you should perform them.

Content updates

WordPress content should be updated frequently, but the specifics should be based on your needs and visitor expectations. For example, existing content should be updated when you find an error, want to expand on or clarify your ideas, or when you’re using LSI to gain ranking in the search engines.

New content should be published regularly, but not so frequently that you can’t maintain your pace long-term. Avoid setting your visitors up to receive new content each week and then fizzling out at the end of four months.

Even when you’ve got enough content to publish weekly, you may want to cut back to twice a month until you’re certain you can maintain a faster pace.

Consider that people’s inboxes are flooded with marketing messages and many will unsubscribe from a list when just one email loses their interest. If you send out an email with mediocre content just to stay on schedule, you’ll lose subscribers. When you lose subscribers, you lose website visitors.

When updating your WordPress website with fresh content, follow these guidelines put together by QuickSprout to ensure your content meets search engine requirements for quality. For example, the guide notes that blogs ranging from 4-6k words typically do better in the search engines. The idea that longer content performs better is backed by research published by SerpIQ and other research companies.

The best way to create longer content is to look for ways to include more information that other sites have left out.

Basic security updates including plugins and themes

Security updates to your WordPress website should be performed on a rigorous schedule. There are a multitude of maintenance tasks you should perform weekly, monthly, and sometimes yearly.

Here’s a good basic security update routine to develop:

On a weekly basis:

  • Check automatically suggested updates. When you log into WordPress, you’ll be prompted to update plugins, your theme, and the WordPress core if new updates are available. Make sure to follow these automated update prompts to keep your site secure. Plugins and themes that aren’t updated end up being backdoors for hackers to exploit your site.

On a monthly basis:

  • Optimize your database. Did you know that each time you make an edit to a page or post, WordPress saves a revision history in the database? If you update content often, even just to add punctuation, your database grows each time you hit save. An unnecessarily large database will slow down your website and make it difficult for users to interact. A database full of unnecessary revisions will counteract your efforts to optimize performance.
  • Fix all 404 errors. 404 errors are created by renaming page and post URLs that have already been indexed by search engines or bookmarked by visitors. WordPress makes it easy to change your URLs, but doesn’t automatically forward people to the new URL. A redirect plugin will help you manage these changes as you make them. If you haven’t begun managing your 404 errors yet, check your logs to identify the 404 errors you can fix. For example, sometimes users create 404 errors by typing in the wrong address. You can’t change those errors. However, you’ll recognize the 404 errors that came from a URL change. Once you’ve fixed existing errors, stay on top of them and create redirects immediately after changing any URL.
  • Review logs. If anyone has been trying to gain access to your site via brute force, you’ll usually be able to tell from the security logs on your server. If you see anything suspicious, change all user passwords immediately.

On a yearly basis:

  • Research your plugins thoroughly. When was the last time the developer released an update? Has the plugin been abandoned? Research your plugins by browsing developer forums to see if there are any newly discovered security holes. If there’s a more recently developed plugin that is currently supported by the developer, make the switch. An abandoned plugin is an invitation to get hacked.

Updating authentication keys (salts)

 Authentication keys, also known as salt keys, should be changed at least once every few months. There’s no need to change them more frequently, with one exception, which will be discussed below.

Why changing your authentication salts matters

A 128-bit WordPress authentication cookie (AUTH_COOKIE) is used to maintain your login sessions. Unless you change your authentication keys (salts) or password, this cookie will keep you logged in until it expires. That’s great for you, but if a hacker gets ahold of your authentication cookie, they can gain access to your site without needing your password. Until you change your password or salts, a hacker could have access to your site for years.

Nearly every component in your authentication cookie is predictable to hackers. Using brute force to get this information is effortless and can be accomplished in a couple of weeks. Changing your salts will force all sessions to log out, and the cookie will become invalid. You can change salts manually or with a plugin called “Salt Shaker.”

Update your salts immediately if you used a one-click install app

If you’ve installed WordPress with a one-click application, you might not have any salts defined. That’s bad news. In the past, one-click installation programs (like Fantastico) used the same salts for each new WordPress installation, which is equally bad news. Today, many one-click installation programs omit salts completely, leaving your WordPress website even more vulnerable.

Changing passwords and usernames

Passwords don’t need to be changed as often as you think. The trick is to create strong passwords so you can change them less frequently. Changing your password once every three to four months is more than sufficient. However, if you suspect or are given notice of a data breach, you should change all passwords immediately.

If your administrator username is ‘admin,’ you should change it immediately. That makes it easier for hackers to get in. Since WordPress allows you to create a ‘nice name,’ consider making your administrator username as complex as a password. For example, ‘H8-e3$_47a’ looks like a password, but it would also make a strong admin username. Of course, don’t use the example in this article – create your own.

Server updates that affect your WordPress site

Depending on your web host, you may be required to manually update the version of PHP used by your account just to get started. A web host that sets the default PHP version too low is often the reason many WordPress users can’t get certain plugins to work. Unfortunately, this cause goes undiscovered by most users. You may also need to select an updated version of SQL (the language that runs your WordPress database). It’s not fair to the customer, but some hosting companies don’t set the proper defaults.

A reliable web host will perform all necessary server updates automatically and start you off with the right default settings. They’ll also provide backup and restore points, firewalls, load balancing, and disaster recovery services. At Skylands, we provide all this and more.

If your WordPress site isn’t working the way it should, or if you’re ready to make the switch to a more secure environment, contact Skylands today to find out how we can help.