We do a lot of CMS updates and upgrades here at Hop Studios. No, really: A lot. But that means we know a thing or two about how often you should update. Read on for our advice on updating the most popular CMSs in use today!
As always, we recommend holding off on installing any major updates until a smaller patch has been released. Major updates typically introduce new features or breaking changes, which often bring new bugs with them.
What’s the difference between a major version and a minor version? And what’s a patch?
Most software today is identified by a version number looking something like this: 3.12.7. This two-dot, three-number pattern means that software probably follows a versioning standard known as SemVer a.k.a. Semantic Versioning.
In our hypothetical software version 3.12.7, the first number (3 in this example) is the Major version. This number is theoretically incremented only when there is a change to the way the software works with other software (technically, when the public API changes in a non-compatible way). In practice, changing a major version number is also often done when there’s a complete rewrite or rebranding, even if it doesn’t break older compatibility.
The second number (12 in this example) is the Minor version. This is incremented for improvements, new features, changes and updates as long as they won’t break anything that came before. (Hypothetically.)
The third number (7 in our example) is the Patch version. This is incremented for bug fixes and very minor changes. In practice, you usually release a patch version to fix bugs. While developers rarely actively introduce known breaking changes in a patch fix, sometimes a bug fix has an unintended consequence and breaks existing functionality.
Check out the official site to learn more about SemVer!
Update Schedule for ExpressionEngine
ExpressionEngine currently releases new versions approximately every 3-6 weeks, though there was a long stretch in 2020 where it wasn’t updating very often at all.
ExpressionEngine is one of the most secure and bug-free CMSs that we work with. WordPress, for instance, has had 360 security vulnerabilities since 2004 (as of this posting), each of which could be exploited as a security hole—and that doesn’t include its plugins.
Meanwhile, ExpressionEngine has had… 14 vulnerabilities. This isn’t just because WordPress powers more websites, it’s because of the care and professionalism of the folks who write and support ExpressionEngine.
Because of this security history, we feel comfortable recommending checking EE for updates on a two-month cycle.
We also recommend skipping any X.0.0 release until it’s at least X.0.1—that’s just reasonably cautious behavior.
The core of ExpressionEngine itself is quite simple to keep updated, due to an excellent and safe one-click updater that can also be run as a command-line task.
Currently, the third-party add-ons to ExpressionEngine used by most sites add some additional complexity and time to update, but we hope that improvements will be made in that area someday.
If you find yourself still running an old version of ExpressionEngine, you’ll be pleased to learn that with the release of ExpressionEngine 7 in August 2022, you can now update from EE 2.0 all the way up to the latest release with a single click! (Truth be told, it’s more like 5 or 6 clicks—there’s a confirmation, you gotta open the menu—but it’s still great news and a lot easier than it used to be).
Update Schedule for Craft CMS
Craft has a very active community and development team, typically pushing out updates every week or two to fix bugs and add new features for their users. They also tend to push out a release, and then immediately follow it with a patch or two in the days following the release.
Because of their quick turnaround on fixing bugs and relatively fast development cycle, we recommend a monthly update cycle for Craft users. We also recommend waiting for more than just a .0 or .1 release—often, it takes until the .5 or .6 release for the flurry of fixes to settle down. We use the calendar and wait about 2 weeks after a .0 release, except in cases of important security releases (i.e. when there’s a known exploit).
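The version fields and hold-off rules described above can be written down as a small check. This is an added example, not code from Hop Studios or any CMS vendor: the function names, the `security_fix` flag, the 14-day default and the sample versions and dates are all assumptions made for illustration.

```python
import re
from datetime import date

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

def parse(version):
    """Split 'MAJOR.MINOR.PATCH' into three ints; reject anything else."""
    m = SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {version!r}")
    return tuple(int(part) for part in m.groups())

def bump_kind(installed, candidate):
    """Name the most significant field that increases, or 'none'."""
    old, new = parse(installed), parse(candidate)
    if new <= old:                      # same version or a downgrade
        return "none"
    for name, a, b in zip(("major", "minor", "patch"), old, new):
        if a != b:
            return name

def decide(installed, candidate, released, today,
           security_fix=False, settle_days=14):
    """Apply the hold-off rules to one candidate release."""
    if bump_kind(installed, candidate) == "none":
        return "up-to-date"
    _, minor, patch = parse(candidate)
    if minor == 0 and patch == 0:       # X.0.0: wait for X.0.1
        return "hold-for-patch"
    # Any other .0 release: let the follow-up fixes land first,
    # unless the release closes a known security hole.
    if patch == 0 and not security_fix and (today - released).days < settle_days:
        return "hold-to-settle"
    return "install"

if __name__ == "__main__":
    # Constructed versions and dates, for illustration only.
    today = date(2024, 3, 15)
    for cand, rel, sec in [("4.0.0", date(2024, 1, 10), False),
                           ("3.13.0", date(2024, 3, 10), False),
                           ("3.13.0", date(2024, 3, 10), True),
                           ("3.12.8", date(2024, 3, 14), False)]:
        print(cand, bump_kind("3.12.7", cand),
              decide("3.12.7", cand, rel, today, security_fix=sec))
```

The X.0.0 hold is applied unconditionally here because the text gives the security exception only for the two-week wait.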
As mentioned above for our ExpressionEngine users, Craft sites usually also rely on plug-ins for a large portion of their functionality, and all plug-ins should be checked and updated at the same time as the core CMS. With Craft, there is often a complex interdependence on particular versions of particular plug-ins, so it can sometimes be a little tricky to keep everything upgraded “just enough” to the proper version. However, Craft makes it easier to actually DO the updating of plug-ins, which is nice.
As always, remember to back up all of your files and database before updating!
WordPress
WordPress is the most popular CMS in the world and has the most exploits of any CMS. Because of its security issues and size, it’s the most targeted by hackers. WP sites also tend to have a wider array of add-ons, many of which are free or poorly maintained or both. It also has a wider selection of systems with which it interfaces. All these things lead to a larger and more porous surface area for attacks and greater pressure to exploit security holes.
Because of this, we recommend updating your entire WordPress installation (core and add-ons both) as frequently as is reasonably possible, and certainly no less than monthly. Many other shops will do this weekly or bi-weekly. WordPress itself is updated about every 4-8 weeks, and is usually very backwards compatible.
WordPress has always allowed minor version updates (updates that are (supposed to be) backwards compatible) to be performed automatically with a single click in the admin panel. As of version 5.6, WordPress allows admins to perform major updates (which may break your plug-ins or even your whole site) in the same way. This is an opt-in feature, and requires setting a variable in your config file to enable it. It can be turned off by changing the setting within the WordPress admin panel.
Although this process is “automatic,” it still requires logging in to the admin panel and clicking the update button. You can update all your plug-ins individually or as a batch with one click, and your themes as well. And you should!
As always, be sure to check that your files and database are backed up before performing any updates!
What about Ghost, Bludit, Drupal, and other popular CMSs?
An up-and-comer in the CMS space, Ghost has been gaining a lot of traction in the tech-centric blogging world. And they’re not the only ones! There are dozens of new and interesting content systems around today.
So, how often should you update them? Generally speaking, we recommend not falling more than about a week behind a software’s minor version updates or patches-with-security-fixes.
So, if a piece of software receives regular weekly or monthly patches, you should have a similar schedule—to at least check for a security issue in the latest version.
And remember: though it might seem nice that your CMS is only updated every three months, if you see that the CMS you’re using is not getting frequent security and feature updates from the developers, it might be time to switch to one of the CMSs we’ve mentioned. Effective updates from a reliable development team keep you and your site visitors secure and are a sign of a healthy CMS core and community.
Are you unsure whether your CMS needs updating? Send us a message and we’ll help you determine if it’s the right time to update your site.
