How to update WordPress safely: core, plugins, themes
Published on July 4, 2026 7 min read
Updating WordPress without breaking your site? Learn how to update the core, plugins and themes safely, set up auto-updates and restore your site.
Updating WordPress is one of the most important routines for anyone who runs a website. Every update to the core, your plugins and your theme closes security holes, keeps everything compatible and often makes your site faster. This guide explains why updates matter, how to update WordPress safely step by step, how to set up auto-updates and what to do if an update breaks your site.
Why updating WordPress matters
A WordPress site is made up of three layers that you update separately: the core (WordPress itself), your plugins and your theme. All three receive regular updates, and keeping them current matters for three reasons.
Security
Outdated components are the biggest security risk in WordPress. Security firm Patchstack's State of WordPress Security 2024 report found that 96 percent of all reported vulnerabilities were in plugins and 4 percent in themes. Only seven were found in the WordPress core itself, none of them widespread. Almost half (43 percent) could be exploited without logging in. Updating closes exactly those gaps. Together with a valid SSL certificate, updates are the foundation of a secure site.
Compatibility
Plugins, themes and the core all have to work with each other and with your server's PHP version. WordPress recommends PHP 8.3 or higher. When one component falls behind, features can stop working or clash with a newer plugin. Regular updates keep everything in step.
Speed
New versions often include performance improvements and take advantage of faster PHP versions, so an up-to-date site usually loads more quickly. If you want to go further afterwards, read how to speed up your website.
Before you start: make a backup first
The vast majority of updates go smoothly, but a small chance of a conflict always remains. That is why you start with a fresh backup every time. As long as you can fall back on a copy, a failed update is never more than a brief setback.
Make a full backup of your files and your database before you change anything. You can find out how in our guide on how to make a website backup. If you run an important or busy site, consider testing large updates in a staging environment first. More on that below.
How to update WordPress in 5 steps
Update your components one at a time and check your site after each step. That way you know straight away which update caused any problem. You will find all updates in your WordPress dashboard under Dashboard > Updates.
- Make a backup. Create a current copy of your files and database and store it away from your site, for example on your computer or in external storage.
- Update the WordPress core. Go to Dashboard > Updates and bring WordPress itself up to the latest version. WordPress has installed minor updates automatically since version 3.7; major updates you apply here yourself.
- Update your plugins one by one. Update each plugin separately and check your site after every one. That way you spot a conflict immediately, rather than after running ten updates at once.
- Update your theme. If you use a customised theme, work with a child theme or note your changes, so a theme update does not overwrite your custom work.
- Check your site. Look at the front end and the dashboard, log out and test your site as a visitor too. Pay attention to your most important pages, your forms and your web shop if you have one.
Setting up auto-updates
If you would rather not update by hand every week, you can have updates applied automatically. You can do this in WordPress itself and, depending on your hosting, through WordPress Toolkit in Plesk.
Auto-updates in WordPress itself
Since WordPress 5.5 you can switch on auto-updates per plugin and per theme from the dashboard. Go to Plugins and click "Enable auto-updates" next to a plugin, then do the same under Appearance > Themes. Security updates for the core have run automatically since version 3.7. Auto-updates are convenient, but keep an eye on your site now and then, because an automatic update can cause a conflict too.
Auto-updates through WordPress Toolkit in Plesk
If your hosting runs on Plesk, WordPress Toolkit is often available. It lets you manage the updates for several sites in one place and set per site what may be updated automatically. The Smart Update feature goes further: it first makes a copy of your site, runs the update on that copy and automatically compares before-and-after screenshots. If Smart Update spots a problem, the update is not applied to your live site. Smart Update is a paid add-on and is not available on every hosting plan. If you are not sure whether you have WordPress Toolkit, ask your hosting provider.
Testing large updates in a staging environment
A staging environment is a separate, shielded copy of your site that visitors never see. There you can test large updates, a new plugin or a theme change without any risk to your live site. Once everything works as expected, you push the change through to your real site.
For a simple blog this is usually not necessary, but for a web shop or a business site with many plugins it is a sensible habit. WordPress Toolkit in Plesk can create such a staging copy for you, and there are also standalone plugins that offer staging.
What to do if an update breaks your site
If something does go wrong despite your care, stay calm. It is usually fixed quickly. Below are the most common situations and how to handle them.
| Symptom | Cause | Solution |
|---|---|---|
| Blank page or critical error | A plugin or theme clashes with the new version | Since version 5.2, WordPress emails a recovery mode link to your admin address. Log in through that link and disable the component. |
| Site works, but something looks off | A theme or plugin update changed the layout | Clear your cache, check the component's settings and, if needed, update the matching theme or plugin as well. |
| A plugin shows an error | The plugin is not ready for the new core yet | Disable the plugin for now, wait for an update from its maker or look for an alternative. |
| Nothing works any more | Several problems at once | Restore your backup. If you have Plesk with WordPress Toolkit, you can also roll back to an earlier state or a restore point. |
Locked out of your dashboard? Log in through the recovery mode link in the email from WordPress, or restore your most recent backup. Then try the update again, this time one component at a time.
With a fresh backup, updates applied one at a time and a quick check afterwards, you keep your WordPress site secure, compatible and fast. Stuck? Feel free to contact our support team and we will be glad to help.
Frequently asked questions
How often should I update WordPress?
Check your site for updates weekly if you can, and install security updates as soon as possible. WordPress applies minor core updates automatically. For plugins and themes, the sooner you update, the smaller the chance that a known flaw gets exploited.
Should I update the core or the plugins first?
Always make a backup first. Then update in this order: the WordPress core first, then your plugins one by one and finally your theme. Check your site after each step so you can see straight away which component caused a problem.
Are automatic updates safe?
Automatic security updates for the core have run since WordPress 3.7 and are very reliable. Auto-updates for plugins and themes are convenient but carry a small chance of a conflict. For extra certainty, use Smart Update or a staging environment and check your site from time to time.
My site is blank after an update. What now?
Since WordPress 5.2, a critical error automatically triggers an email with a recovery mode link to your admin address. Use that link to log in and disable the component causing the error. If that does not work, restore your backup.
Which PHP version do I need for WordPress?
WordPress recommends PHP 8.3 or higher for the best security and speed. LJPc hosting runs the latest PHP version by default. If you are unsure which version your site uses, check it in your hosting environment or ask support.