2026 update: updating WordPress plugins, themes, and core files is still one of the best ways to keep a site secure, stable, and fast. It can also feel risky when the site makes money, takes appointments, or belongs to a customer. The safe approach is not “click everything and hope.” Make a backup, update in the right order, check the site, and know how you will roll back before you start.
This guide is for normal WordPress site owners, cPanel users, Plesk users, and small hosting customers who want a practical update path without turning a simple maintenance task into a long outage.
Before you update WordPress
Start with a full backup. That means the WordPress files, uploads, themes, plugins, and the database. A plugin backup is useful, but a hosting-level backup or server snapshot is better when you have access to one. If you are on managed hosting, confirm that the backup is recent and restorable before changing anything important.
- Check your current versions. Write down the WordPress version, PHP version, active theme, key plugins, and hosting panel version if you use cPanel or Plesk.
- Read the update notes. Pay special attention to ecommerce, membership, form, cache, security, builder, and payment plugins.
- Update during a quiet window. Avoid busy checkout hours, campaign launches, and customer support peak times.
- Use staging when available. Test major plugin, theme, PHP, and WordPress core updates on staging before touching the live site.
- Know the recovery path. If the dashboard goes down, you may need hosting backups, file manager access, FTP/SFTP, phpMyAdmin, or WP Toolkit.
If the site already has a blank screen or Error 500, pause the normal update plan and use the WordPress White Screen or Error 500 debugging guide first. Updating a broken site can make the original cause harder to identify.
Step 1: Update plugins first, but do the risky ones carefully
Plugins are the most common place where WordPress sites fall behind. Update small, low-risk plugins first, then handle high-impact plugins one at a time. High-impact plugins include WooCommerce, payment plugins, booking systems, security plugins, cache plugins, SEO plugins, form plugins, page builders, membership systems, and anything that changes logins or user roles.
After each high-impact update, check the pages that plugin controls. For example, after a form plugin update, submit a test form. After a cache plugin update, purge the cache and check the public page. After a payment plugin update, verify checkout behavior without placing a real customer order unless your payment provider has a test mode.
If an update fails and locks you out of wp-admin, the phpMyAdmin plugin-disable guide explains one safe recovery option for cPanel-style hosting.
Step 2: Update themes and child themes
Theme updates can affect layout, menus, headers, footers, templates, and mobile views. If your site uses a child theme, keep the parent theme updated but do not overwrite custom child-theme files unless you know exactly what changed.
- Preview the home page, contact page, service pages, blog posts, and any landing pages after the update.
- Check mobile layout, menus, forms, and buttons.
- Confirm that custom CSS and theme builder templates still load correctly.
- Review any theme license or update channel warnings before updating a commercial theme.
For builder-heavy sites, update the builder plugin and theme together when the vendor says they are paired. This is especially important for Elementor, WooCommerce themes, and custom builder stacks.
Step 3: Update WordPress core
Once plugins and themes are current, update WordPress core from the Dashboard > Updates screen. Minor security releases are usually low-risk and should be applied quickly. Major releases deserve more care, especially when the site uses custom code, older themes, or many plugins.
After the core update finishes, log out and back in, then check the dashboard for database update prompts. If WordPress asks to update the database, make sure your backup is complete, then run the database update and check the front end again.
Step 4: Check PHP and hosting compatibility
WordPress updates often expose older PHP problems. A plugin may work on one PHP version and fail on another. Before switching PHP versions, check the plugin vendor notes and test staging if possible. If your host provides MultiPHP Manager, Plesk PHP settings, or WP Toolkit, use those tools to check compatibility before changing the live site.
Plesk users should also review the Plesk Obsidian update operations guide because WP Toolkit, PHP handlers, extension updates, and panel-side security features can affect WordPress maintenance.
Step 5: Verify the site after updates
Do not assume the update worked just because the dashboard says it finished. Open the site in a private browser window and check the pages visitors actually use.
- Home page, service pages, blog posts, and contact page.
- Forms, login, search, comments, carts, checkout, downloads, and account pages.
- Menus, mobile layout, images, popups, and builder templates.
- Cache purge, CDN purge, and any optimization plugin output.
- Server logs, PHP error logs, security plugin notices, and WordPress Site Health.
If the update was security-related, also review administrator users, recently changed files, unexpected plugin folders, and failed login spikes. The WordPress hosting security checklist is a good follow-up when a site was already behind or when a plugin update was prompted by a public vulnerability.
When you should not update blindly
Do not blindly update a production site when you already see database errors, disk-space warnings, broken PHP extensions, malware alerts, failed backups, expired licenses, or a known plugin conflict. Fix the underlying hosting or security problem first, then update from a clean baseline.
If a plugin has no fixed version, has been removed from the WordPress plugin directory, or keeps showing serious security issues, plan a replacement instead of repeatedly trusting emergency fixes. Recent examples are tracked in the WordPress plugin vulnerability roundup and individual Fix I.T. Phill patch guides.
Quick update checklist
- Confirm a restorable backup.
- Update during a maintenance window.
- Update plugins, themes, then WordPress core.
- Handle ecommerce, security, cache, builder, and login plugins one at a time.
- Purge cache/CDN after the update.
- Check the public site, dashboard, forms, checkout, and logs.
- Remove unused plugins and themes after confirming the site is stable.
WordPress updates are not something to fear, but they do need a process. Back up first, update in a controlled order, verify the important pages, and keep a recovery path ready. That is the difference between routine maintenance and a surprise outage.