WordPress updates are not optional. Every pending update represents either a security patch, a bug fix, or a compatibility improvement. Ignoring them creates compounding risk.
But clicking "Update All" without a process creates a different kind of risk entirely.
Most update-related breakage we see across our 200+ managed WordPress sites is preventable. The sites that break are almost always the ones where someone clicked Update All without a plan, or deferred updates for months and then tried to catch up all at once.
If you want to know how to update WordPress safely, here is the step-by-step process we follow. It works the same for one site or dozens.
The Safe WordPress Update Process (Quick Reference)
- Verify a full backup exists and confirm both files and the database completed successfully. A corrupt or partial backup is not a safety net.
- Review changelogs for breaking changes, database migrations, or new PHP requirements before applying any update.
- Check plugin and theme compatibility with the target WordPress version using the Site Health tool and plugin pages.
- Update WordPress core first, because plugins and themes are tested against the latest core version.
- Update plugins one at a time, checking the site after each. This isolates problems immediately if something breaks.
- Update your theme last, since it sits on top of everything else in the dependency chain.
- Run through a post-update verification checklist covering homepage, admin, forms, checkout, and browser console errors.
- Log what you updated, when, and any issues encountered so you have a reference if problems surface later.
The rest of this article walks through each step in detail.
Before You Touch Anything: The WordPress Update Checklist
Skipping this step is where most problems start. Before you update anything, work through this short list.
| Check | Action | Why It Matters |
|---|---|---|
| Full backup | Verify files and database backup exist | Your only safety net if something goes wrong |
| Backup integrity | Confirm file size is reasonable (not 50KB for a 2GB site) | A corrupt backup is not a backup |
| Changelog review | Read what changed, look for "breaking change" or "database migration" | Identifies high-risk updates before you apply them |
| PHP compatibility | Check Tools, Site Health, Info, Server | Core updates occasionally bump PHP requirements |
| Caching disabled | Deactivate caching plugins temporarily | Prevents serving stale cached pages during update |
Verify Your Backup
A backup you have not verified is not a backup. Check three things:
- The backup completed recently. Ideally, within the last 24 hours. If your last backup is two weeks old, take a fresh one now.
- It includes everything. You need both the database and all files (wp-content, uploads, plugins, themes). A database-only backup will not let you fully restore your site.
- It is stored somewhere other than your hosting server. If the server fails, a backup stored on the same server fails with it. Use offsite storage or a service like UpdraftPlus or BlogVault that stores backups remotely.
Check the file size. A 50KB backup for a site that should be 2GB means something failed silently.
Read the Changelog
Before updating, check what is actually changing. For WordPress core updates, the changelog is available at wordpress.org/news and in your dashboard. For plugins, click "View version details" on the Updates page.
Pay attention to:
- New PHP version requirements
- Deprecated features or functions
- Database changes (more on why this matters in the recovery section below)
- Breaking changes or major version jumps
Check Compatibility
Use the WordPress Site Health tool (Tools > Site Health > Info > Server) to confirm your PHP version. Then check the "Tested up to" version on each plugin's WordPress.org page.
If a plugin has not been tested with your current WordPress version, flag it before you proceed.
Do Not Hit Update All
This is the single most common update mistake we see.
Someone logs in to make a quick content edit. They notice the pending update counter. They click Update All. Then they call us.
"Update All is like crossing a road blind. You might make it, but you probably won't."
The problem is not that updates are dangerous. Most updates go smoothly. The problem is that when you update everything simultaneously and something breaks, you have no idea which update caused the issue.
Was it the theme? A specific plugin? The core update? You cannot tell. And that turns a five-minute fix into an hours-long debugging session.
If you have allowed updates to build up over weeks or months, the risk compounds. You are not just applying one or two changes. You are applying dozens of changes across plugins that may now be incompatible with each other, your theme, or the core version you just jumped to.
The way to update WordPress without breaking your site is straightforward: update one thing at a time and check the site after each update. It takes longer. It is worth it.
WordPress Update Steps: The Right Order
The order matters because each layer depends on the one below it.
1. PHP (If Upgrading)
PHP is the foundation on which everything runs. If your host is upgrading PHP or you are doing it yourself, handle this separately from all other updates. PHP upgrades can break plugins and themes that use deprecated functions.
We never upgrade the server that sites are on. Instead, we set up a new server with the newer PHP version and bring sites over one by one, testing each before switching.
If your host sends a notice that a PHP upgrade is coming, get your site tested beforehand. We have received many calls over the years after a PHP upgrade went through, and a site became unresponsive. By then, the hosting company says the upgrade is done, and they cannot roll it back. It is a bad situation to be in.
2. WordPress Core
Update the core before plugins and themes. Plugin and theme developers test their code against the latest WordPress version. Updating the core first means your environment matches what those developers expect.
For major version updates (like version 5 to 6), run the core update on its own. Do not mix it with plugin or theme updates. If something goes wrong, you need to know it was the core and nothing else.
3. Plugins (One at a Time)
If you want to know how to update WordPress plugins safely, the answer is simple: update them individually and check the site after each one. This is where most breakage happens, and updating one at a time makes the source of any problem immediately obvious.
Not all plugins carry the same risk. Simple plugins like Classic Editor or Akismet are almost always safe to update immediately.
Page builders, e-commerce plugins like WooCommerce, and membership systems pose far greater risk because they control key parts of your site's functionality. A bug in a page builder could produce a white screen. A bug in WooCommerce could halt all sales.
"The simple framework is: if a plugin heavily determines the user experience or the user interface, be more cautious. Wait 24 to 48 hours on major releases."
For high-risk plugins, we recommend waiting 24 to 48 hours after a major release unless the update is clearly a security patch. Let the broader community find the issues first.
Plugin Risk Classification
| Risk Level | Examples | Characteristics | Recommended Approach |
|---|---|---|---|
| Low | Classic Editor, Akismet, WP Mail SMTP | Simple, narrow function | Update immediately |
| Medium | Gravity Forms, Contact Form 7, Ninja Forms | Well-maintained, mature | Update on regular schedule |
| High | Page builders (Elementor, Divi), WooCommerce | Controls major UI or revenue | Wait 24-48 hours on major releases |
| Database-Altering | Membership, e-commerce, event RSVP | Modifies database during update | Full backup plus staging test required |
4. Theme
Update the theme last. If you are using a child theme (which you should be), the parent theme update will not overwrite your customizations. But check the site for layout changes, as the parent update may introduce new styles that interact with your child theme.
If you have edited the parent theme directly, those changes will be overwritten when you update. This is exactly why child themes exist.
The Staging Decision: When to Test First
Not every update needs staging, but knowing when to use one is part of learning how to update WordPress safely. Here is a simple framework.
Use a staging site when:
- Your site handles e-commerce, memberships, or donations
- You have 10 or more active plugins
- The update involves a major version jump (core or a key plugin)
- You are upgrading PHP
- Your site has custom code or a heavily customized theme
Updating directly is reasonable when:
- It is a minor or security release (6.8.1 to 6.8.2)
- Your site is a straightforward brochure site with minimal plugins
- You have a verified, recent backup you can restore from quickly
- The update is to a well-maintained, widely-used plugin with a clean changelog
Most managed WordPress hosts offer one-click staging. If yours does, there is no reason not to use it for anything beyond routine security patches. For a deeper look at the staging workflow itself, see our guide on testing WordPress updates on staging.
Post-Update Verification: What to Check
After updating, do not just assume everything is fine. Run through these checks:
| Category | What to Check | How |
|---|---|---|
| Critical | Homepage loads (desktop and mobile) | Visit site in browser and phone |
| Critical | Admin dashboard accessible | Log in, check for errors |
| Functional | Forms submit successfully | Submit a test entry, verify email notification |
| Functional | E-commerce checkout works (if applicable) | Run a test transaction |
| Performance | No JavaScript errors | Open browser console (F12) |
| Cleanup | Re-enable caching | Activate caching plugin, clear all caches |
Every time:
- Homepage loads correctly on desktop and mobile
- Admin dashboard is accessible
- Navigation and menus work
- Key pages render correctly (About, Services, Contact)
If your site has forms:
- Submit a test form and confirm the notification email arrives
If your site has e-commerce or donations:
- Run a test transaction through checkout
If your site has membership or login functionality:
- Log in as a test user and verify access restrictions
Performance check:
- Open your browser's developer console (F12) and check for new JavaScript errors
- Confirm images and media load correctly
If you disabled caching before updating, re-enable it now and clear all caches (plugin cache, server cache, CDN if applicable).
What to Do When an Update Breaks Your Site
Even when you follow every step to update WordPress safely, things occasionally break. Here is how we handle it when a client calls.
Assess What Changed
The first thing we do is ask exactly what was updated. Then we log in to the file system and check the file modification dates.
You can usually tell which plugins were updated and whether the theme or core changed. This narrows the problem immediately.
If you clicked Update All, this assessment is much harder, which is exactly why we advise against it.
Standard Plugin Rollback
For most plugins, forms, security tools, SEO plugins, and similar, recovery is straightforward:
- Roll back the plugin files from your backup
- Replace the updated plugin folder with the previous version
- Check if the site comes back to life
If it does, you have identified the problem and can decide whether to wait for a fix, contact the plugin developer, or find an alternative.
The Database Problem: High-Risk Recoveries
The bigger problems come from plugins that alter the database during an update. Membership plugins, e-commerce systems, and event management tools do not just change files. They modify your database structure, add tables, or migrate data.
"If a database-altering plugin was updated, rolling back the files alone won't fix it. The database is now out of sync with the files. This is when you really need professional support."
When that happens, you may need a full backup restore, which means losing any content changes made since the backup was taken.
This is the highest-risk recovery scenario, and it illustrates why backing up immediately before updating is non-negotiable. It is also why these types of plugins warrant the most caution during updates, ideally tested on staging first.
When to Restore from Backup
If troubleshooting is taking more than 15 to 30 minutes on a live production site, restore from backup. It is faster and less risky than debugging under pressure. Fix the issue on a staging copy, then re-attempt the update once you understand what went wrong.
For more detailed recovery procedures, see our guide on what to do when a WordPress update breaks your site.
Keep a Simple Update Log
This takes two minutes and saves hours of debugging later. After each update session, log:
- Date of the update
- What was updated (plugin name, old version, new version)
- Any issues encountered and how they were resolved
When something breaks three days after an update, this log is the first place you look. Without it, you are guessing.
Over time, your log also reveals patterns: which plugins consistently cause issues, which updates tend to be smooth, and how frequently problems arise.
WordPress activity log plugins, such as WP Activity Log, can automate this tracking if you prefer not to do it manually.
A Note on Auto-Updates
WordPress allows you to enable automatic updates for individual plugins. For sites without professional management, auto-updates are better than nothing. If you have backups and know how to restore from them, enabling auto-updates, combined with an uptime monitoring tool, is a reasonable approach.
But auto-updates bypass the entire process outlined above. There is no pre-update check, no changelog review, and no one-at-a-time testing.
For sites with managed hosting and support, we turn auto-updates off and handle updates through a system that includes staging, automated testing, and human review when issues arise.
For a deeper look at this topic, see our article on WordPress auto-updates and what to enable.
The Bigger Picture
Updates are not a one-time task. They are an ongoing commitment to keeping your WordPress site secure, stable, and performing well.
Weekly updates mean 52 rounds of security and performance patches per year. Monthly drops that to 12. That gap shows up directly in security and stability.
This safe WordPress update process is what we follow across every site we manage. For some organizations, following this process yourself is entirely feasible. For others, especially those running e-commerce, membership systems, or multiple sites, this is exactly the kind of work worth handing to a team that does it every day.
If you are looking for a team to handle WordPress updates, security, and ongoing maintenance, learn about our WordPress maintenance plans. This is part of our broader WordPress update guide, which covers everything from update schedules to auto-update configuration to knowing when to hold off on a plugin update.