WordPress is a fantastic CMS. It makes my day-to-day job easy because I know it inside and out, and any site I can build using WordPress I will, because it does a lot of the heavy lifting for you. There is, however, a downside to using WordPress: updates.
Being one of the world’s most popular content management systems, WordPress, like PHP, the very language it is built upon, has encountered some pretty serious bugs over the years. It’s inevitable when developing any kind of application: new features = new bugs, new vulnerabilities and new ways hackers can destroy your site. WordPress has definitely had its fair share of issues, but security updates are generally pretty fast.
This is the issue, the curse of WordPress. When you use it for a client site, it’s obviously a current version of WordPress, and if you’re like most WordPress developers, you’re using at least one or two third-party plugins to make your life and the client’s life easier.
You hand the site off and a few months later you get an email from the client saying the site is broken. You check out the site and, sure enough, the site is broken. You log in and see that the client has self-initiated an update on both the WordPress core and the plugins you were using. It’s great the client is trying to update, but it can create a fundamentally annoying problem.
Plugins and themes can’t always be future-proof. You can do your best, but a major rewrite of a plugin or a small core change in WordPress is all that needs to happen to break a site. Recently a site I built for a client one year ago needed to be updated. Two of the plugins it used have since been discontinued, so when I updated WordPress (for security reasons) the plugins stopped working and had to be rewritten.
And recently, another client updated their WordPress site, including one crucial plugin I always use: Advanced Custom Fields. The update for some unknown reason didn’t go to plan and the site broke. The client, not being a developer, of course didn’t back up the database or the files, so I had to fix things by hand.
This isn’t just a WordPress-specific issue, but it is an issue nonetheless, because if you don’t update a WordPress site you can rest assured that someone at some stage will exploit and deface the site. Do you hide the updates menu from the client completely? Do you chain yourself to the site forever, offering to do all future updates?
I would be interested in hearing about how other developers handle this problem. From what I can see, it’s impossible to make a completely future-proof, updatable WordPress-driven site. It’s inevitable that at some stage of the site’s life, whether it be 4 months or 1 year, an update to either a plugin or WordPress itself breaks the site.
Currently all my clients (except my day job) use WordPress. I offer a yearly contract which covers updating WordPress and all plugins. If the work isn’t simple, I tell them how much x is going to cost and I give all the options I can think of in order to get them what they want. So far I’ve not had any problems with WordPress or any plugins breaking.