Security & maintenance

Patch cadence: how often “update everything” should happen

Updated 2026-04-11 · Practical guide for NZ small businesses

Short answer: Set a predictable rhythm—weekly quick checks, monthly deeper updates, immediate patches for serious CVEs—so “update everything” is a habit, not a panic.

NZ SMEs using WordPress or similar stacks fall behind when nobody owns the calendar; attackers love stale plugins more than exotic zero-days.

A practical cadence

  • Weekly (15 minutes): dashboard notices, failed backups, uptime alerts, and a glance at core/plugin release notes for critical security flags.
  • Monthly (longer): apply routine core, theme, and plugin updates on staging first if you have it; smoke-test forms, checkout, and key landing pages.
  • Ad hoc: emergency security releases from vendors you trust—schedule within days, not “when we get around to it”.

Order of operations

Take a snapshot or confirm backups, update staging, verify, then update production during a low-traffic window. Record which versions changed so rollback is possible.

Who owns it?

Name one accountable person even if an agency executes—ownership prevents “I thought you did that” gaps after staff changes.

Frequently asked questions

Should I enable auto-updates?

Auto-updates for minor patch-level releases are often fine for security; test major releases for WooCommerce, memberships, and custom code paths.
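
One way to apply this answer and the order of operations above in a WP-CLI workflow (an added example, not part of the original guide): the script sorts pending plugin updates by version bump and prints the old and new versions to keep as a rollback record. The plugin names and sample CSV are constructed, and treating only patch-level bumps as safe to auto-update is an assumption of this example.

```shell
#!/bin/sh
# Added example: triage pending plugin updates and keep a rollback record.
# Input: CSV in the shape produced by
#   wp plugin list --update=available --fields=name,version,update_version --format=csv
# Policy (assumption): patch-level bumps may auto-update; all else goes to staging.

is_num() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# bump_kind OLD NEW -> prints major | minor | patch | unknown
bump_kind() (
  old=$1; new=$2
  o1=${old%%.*}; n1=${new%%.*}; o2=0; n2=0
  case "$old" in *.*) r=${old#*.}; o2=${r%%.*} ;; esac
  case "$new" in *.*) r=${new#*.}; n2=${r%%.*} ;; esac
  # Non-numeric parts (e.g. "dev-main", "2-beta") cannot be compared safely.
  for part in "$o1" "$o2" "$n1" "$n2"; do
    is_num "$part" || { echo unknown; exit 0; }
  done
  if [ "$o1" -ne "$n1" ]; then echo major
  elif [ "$o2" -ne "$n2" ]; then echo minor
  else echo patch
  fi
)

# plan_updates: CSV on stdin -> "name,old,new,kind,action" per plugin.
# The old version in each row is the rollback target to keep on file.
plan_updates() {
  while IFS=, read -r name old new || [ -n "$name" ]; do
    [ "$name" = "name" ] && continue   # skip the CSV header
    [ -z "$name" ] && continue         # skip blank lines
    kind=$(bump_kind "$old" "$new")
    case "$kind" in
      patch) action=auto-ok ;;
      *)     action=staging-first ;;
    esac
    printf '%s,%s,%s,%s,%s\n' "$name" "$old" "$new" "$kind" "$action"
  done
}

# Constructed sample input; plugin names are placeholders.
SAMPLE_CSV='name,version,update_version
example-forms,5.8.1,5.8.4
example-shop,8.9.3,9.0.0
example-seo,22.4,22.5
example-custom,dev-main,1.0.0'

sample_plan() { printf '%s\n' "$SAMPLE_CSV" | plan_updates; }
sample_plan
```

Save the output alongside the backup taken before the update, so the version to roll back to is on record for each plugin.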

What if updates break the site?

Restore from backup, isolate the component (theme vs plugin), and seek vendor guidance—freeze further changes until root cause is clear.