Question About WordPress Updates and Security

Hey Everyone,

I have a new client that I did a couple of front-end modifications for in her WordPress. I’m in a new situation that is concerning and just want to make sure I know what I’m talking about before bringing it up.

Basically, her site was custom-designed and is a two-year-old version of WP (3.9). There’s a custom-made plugin that doesn’t allow for any updates: WP or any plugins (there are 56 active plugins).

She wants to add functionality to her site (hotel booking) that isn’t compatible with that version of WP. I’m trying to be delicate because she has trust issues and really trusts the developer, who has also been hosting the site for the last two years and she doesn’t trust me yet.

My question is, was it irresponsible on the developer’s part to disallow any updates? My understanding is that her site is more vulnerable to security threats, among other disadvantages from not consistently updating to the current version.

I don’t want to update anything because I have no idea if updating WP or any one of those plugins (some lost support a long time ago) will break her site. Also, I can’t pull it into a local environment because I don’t have FTP access to her server.

I want to be straightforward with her because I feel like it was laziness on their part, but I’m hoping for some other professional opinions first. I should also add that she has very little technical understanding and doesn’t know about this. I get the impression that she might feel like I’m trying to manipulate her into investing more money into something she doesn’t need when I try to explain it. Thoughts?

Thanks in advance.

I’m not a WP developer, so I’m not best placed to comment on this with my limited knowledge of WP, but here goes.
Yes, not updating is a security risk.
It seems like very bad planning to create something that will not accommodate updates.

As far as I’m concerned, that plugin developer should never have disabled updates. All plugin developers worth anything will make sure that their plugin is updated at least every time the WordPress core is updated to ensure compatibility, not prevent proper updating of the core.

Most plugin and WordPress core updates are done for increased security (perhaps plugging newly discovered security holes in the code) and should never be ignored.

I would question why the plugin developer does not allow updates. If you disabled that custom plugin, updated the site, and then re-enabled the plugin, what would happen to the site? How crucial is that plugin to the functioning of the site?

I had to deal with a Drupal site for several months this year that was not kept up-to-date, got hacked, and was a major pain to clean up, update and get back on track. You don’t want to have to go through this with your client’s site.

By the way, is it really necessary for her to have 56 active plugins for the site to function properly?


From the Disable all WP Updates plugin web page:

It’s very important that you keep your WordPress theme, core and plugins up to date. If you don’t, your blog or website could be susceptible to security vulnerabilities or performance issues.

If you use this plugin, make sure you keep yourself up to date with new releases of your active WordPress version, plugins and themes and update them as new versions are released (simply by deactivating this plugin for a short time).


I would make a full backup of her site including the database (really important) so that you can go back if anything goes wrong, and then go ahead, deactivate that plugin and update everything else that needs updating. Then reactivate the plugin.

As I said, if anything does go wrong, you can always just go back to the original state of things with your backups.


You could start by advising her to trust nobody and that she should ask her developer that she trusts and has been hosting her site for the last 2 years, and is responsible for it being outdated and vulnerable, to make a full backup of the site for her…database and all files and plugins…and give it to her to hold on to, not for if she gets hacked, but for when.

Tell her that she will need to do this on a regular basis, especially after changes have been made on her site or new content has been added, and that she should keep all of the backups, in case any of them turn out to be no good.

Then you advise her that when she does get hacked, she should fire her developer and find herself someone more competent, more security minded, to rebuild her site from those backups she has been holding on to.

Then you walk away, because she falls in the category of “Clients from Hell”, and unfortunately, she will remain there until she learns, the hard way.


Not necessarily. We don’t know the circumstances and variables to make that judgement.

It probably is, but it isn’t the developer’s responsibility to keep things updated unless they are getting compensated for it and/or it was included in the original contract. Not to mention, the more plugins, the less likely it is to keep upgrades “simple” without breaking things.

So do you think you’re anyone to judge other people’s work when you are effectively working right on the production server? I would put your own competence to question.

I think you’re making a lot of unfair assessments without knowing all the circumstances of the original development effort. Circumstances like cost, timeline, feature creep, etc. For example, the developer could have very well offered to make the site more compatible but the client didn’t want to pay the extra costs.

Ultimately I think you need to focus less time on the quality of past development efforts and more on offering solutions that will fix problems.

All you really need to do is tell the client that the hotel booking feature requires updating WordPress. Then offer your own cost associated with that work. If they ask why it costs so much when their understanding was that it was just a matter of installing a plugin, tell them that the version of WordPress they are on is too outdated to use the plugin. It is really quite simple. An alternative solution might be to develop a custom plugin/modification to work with the outdated WordPress version. Perhaps that might be a cheaper alternative. Because really, unless the client has specifically asked about security, it’s not your job to make their site secure unless they pay for it and/or you have full ownership over the project working in-house.

I see my fair share of past poor decisions every week. Calling people out rarely does any good. Offering solutions and taking action does.


I said that I don’t want to make any updates - and I haven’t - because I can’t pull to a development server and don’t feel comfortable. All I’ve done is change the color of two buttons in a .css file and moving the site to a dev server seems a little overkill for that task. I am definitely putting my own competence into question, which is why I’m here asking you all for your valuable advice.

Cool, thanks oddz, your point of view is very helpful. When speaking with her, I haven’t called anyone out, only gathered information and stated facts about what it will take to get her what she wants, just like you suggested. You’re right, I don’t know the exact circumstances, but she seems completely surprised by the lack of ability to update and her vulnerability to security threats, as though it was never addressed. Maybe it was and she just doesn’t remember. That’s between them.

Ultimately, it’s in the past and it’s not really my business unless she wants it to be, in which case I’d need more info. I don’t think writing her off as a “client from hell” would be smart because she’s an honest lady who is willing to pay good money for quality work, she communicates well, and pays on time. All I can do is offer a solution, my price, and educate her as much as she wants in the process.

I’m actually not. The only statement I made that is unfair was that “I feel like it was laziness on their part”, and I understand now that it’s not helpful to think that way. Everything else in my post was simply stating the situation and asking a valid question.

Thanks everyone, this has been a super helpful conversation!

I don’t know if I’d call it laziness.

My guess is the plugin author was in a sense “freezing” the site so updates wouldn’t break dependencies.

It could very well be that the plugin author offered the option of continuing support vs. “freezing”, fully explained the differences, and the site owner weighed the risk / cost factors deciding for the latter.

In any case, I wouldn’t make any assumptions about what conversations may have taken place, but I would tactfully make her aware of the risks, in particular pointing out how much time has elapsed from her version to the current version. Hopefully she will feel she’s gotten her money’s worth and be willing to upgrade.


It’s worth noting that WordPress 3.9 is still in life (I think … don’t get me started on this, but WordPress appears to release updates for older versions without formally recognizing that those versions are still alive. WordPress 3.9.12 is available, but if you ask WordPress they’ll tell you WordPress is at version 4.5.2. WordPress has way too many versions that they are keeping up to date - 3.7, 3.8, 3.9, 4.0, 4.1, 4.2, 4.3, 4.4, and 4.5. Who knows when they will actually start killing off versions).

So if she’s using WordPress 3.9.12 she should be safe from any known security threats. At least if she is running WordPress 3.9.12 and faces a security threat you can point the finger back at WordPress for not doing their job.

While it’s true that not every script update is a security update, it’s just not something that I would really risk. If a new version of a script comes out (within the release tree you are using) then you need to upgrade to it, plain and simple. This will cover you should there be any security compromise on the account.

I’m not a huge fan of these rapid release schedules; it is easier to upgrade and to find and resolve problems if you upgrade in step. Jumping from WordPress 3.9 to WordPress 4.5 may cause some problems. But had the upgrades gone in step: 3.9 to 4.0, 4.0 to 4.1, and so on, you would be more likely to catch any problems and be better able to handle them.
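As an added illustration of the two checks this reply describes (is the install on the newest patch release of its own branch, and what does the step-by-step path to the current major look like), here is a small Python version-check routine. It is not code from the thread; the release list is a constructed sample built only from the version numbers quoted in the thread, not fetched from WordPress.

```python
"""Patch-status check for a WordPress install (constructed example).

Two questions a maintainer wants answered before touching the site:
  1. Is the installed version behind the newest patch release in its
     own branch (e.g. 3.9 vs 3.9.12)?  Those are the in-tree fixes the
     reply says you should always take.
  2. What is the in-step upgrade path to the current major (3.9 -> 4.0
     -> 4.1 -> ... -> 4.5.x), so each hop can be tested and rolled back?
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed release list: only the version numbers quoted in the thread.
RELEASED: List[str] = ["3.9", "3.9.12", "4.0", "4.1", "4.2", "4.3", "4.4", "4.5", "4.5.2"]


def parse(v: str) -> Version:
    """'3.9.12' -> (3, 9, 12); tuples compare correctly as versions."""
    return tuple(int(p) for p in v.split("."))


def fmt(v: Version) -> str:
    return ".".join(str(p) for p in v)


def branch(v: Version) -> Version:
    """Release branch is the first two components: 3.9.12 -> (3, 9)."""
    return v[:2]


def latest_in_branch(installed: str, released: List[str]) -> str:
    """Newest patch release in the installed version's own branch."""
    inst = parse(installed)
    same = [parse(r) for r in released if branch(parse(r)) == branch(inst)]
    return fmt(max(same + [inst]))


def upgrade_path(installed: str, released: List[str]) -> List[str]:
    """Newest release of every branch above the installed one, in order."""
    inst = parse(installed)
    newest: Dict[Version, Version] = {}
    for r in released:
        pv = parse(r)
        if branch(pv) > branch(inst) and pv > newest.get(branch(pv), ()):
            newest[branch(pv)] = pv
    return [fmt(newest[b]) for b in sorted(newest)]


def patch_status(installed: str, released: List[str] = RELEASED) -> Dict[str, object]:
    """Summary a maintainer can act on: patch gap in-branch plus major-hop path."""
    target = latest_in_branch(installed, released)
    return {
        "installed": installed,
        "branch_latest": target,
        "patch_behind": parse(target) > parse(installed),
        "major_path": upgrade_path(installed, released),
    }
```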


If you haven’t decided on the plugin for bookings I like this one:
It’s simple, easy to work with and free. I did get the pro version but it was not very expensive, currently $34 for lifetime support. I’ve been in contact with the support and it works.

That depends I would say. I constantly turn off auto updates if I take care of maintenance for a site. I do that because I want to be there and test the update when it happens. Then I have more control over it and I know if the update was the reason for something broken on the site. And I check for updates each day, I get an email from ithemes sync for all sites.
But if it’s a site I don’t do regular maintenance on I would leave auto updates on.

Yep, it’s best to take a full backup and have ftp access so it can be restored if something fails.

That’s a normal situation, you will have to earn her trust. And well, some customers are never happy to pay and do not understand or appreciate the work we do. I try to avoid or fire those clients.
All you can do is tell them what needs to be done and if they’re not ready to pay for it you should let them go to somebody else and have them deal with it.
Good luck!
