Keeping wordpress sites up to date

Overthrow

Hey,
I'm wondering what the most convenient way of keeping a bunch of Wordpress sites up to date is?

Not updating to the latest version of a plugin and WP version means the site is vulnerable, but it's time consuming keeping everything updated especially across multiple sites.

I feel it's the web designers responsibility to keep the client's site secure, but the extra time required to keep things up to date really adds to the time a project takes and it being a monthly commitment eats in to the profitability of a build.

Feathers

I'd say it's 100% not your responsibility, unless you're getting some monthly/yearly income from offering support to the client. I'd give them 3 options when doing a build for someone — support/training/left to their own devices.

Sure otherwise eventually you're business will just fall over as you'll be spending more time on support than new builds. If you feel bad about charging, tell them you'll give them the first 3 months free maybe, but it's a legitimate business expense that they should be budgetting for.

Overthrow

Does it not really make an argument against using Wordpress for clients builds? Customers want a 'job done and paid for' solution, and if you're getting in to the mess of regular maintenance, it becomes a lot less attractive to deal with you then someone else who isn't building in WP and who won't bug you about keeping things updated etc.

Feathers

Overthrow wrote: »

It becomes a lot less attractive to deal with you then someone else who isn't building in WP and who won't bug you about keeping things updated etc.

It depends. The other guy who isn't building in Wordpress, what is he building in? If it's flat HTML the customer will have to pay you to make updates to the pages if he isn't savvy enough to do it himself. If it's another CMS, that has all the same problems as Wordpress.

It's not that the site is broken, you're improving it by offering the update.

Just looking at the Wordpress site — it has an automatic update feature. Though this could potentially cause the site to break.

If I was in your position, I'd explain to the client the pros & cons of automatically updating (latest security fixes vs possibility of custom functionality breaking), offer to set the site to auto-update (setting up a script to back-up your databases regularly just in case) & then charging a small retainer fee for your time that will be spent in fixing any issues.

As a matter of interest, have you had to fix many bugs because of updates?

Trojan

I do either:

1) Maintenance contract for updates OR
2) Give them training in them how to do it themselves (but warn them of the risks of going too long without updating)

fcrossen

Everythng said previously is spot on, i.e.
maintenance != development
and should be priced separately.

On the WP update issue, if you offer hosting to your clients, you can use WP Multisite with an appropriate plugin to handle the multiple domains. This means you are only updating one install of WP and clients can only use themes and plugins you approve. Plugins and themes are a major source of pain in a WP install.

stick-dan

You couldn't really lay the responsibility with the developer of the website if it was not agreed on to be a yearly reoccurring fee for ongoing maintenance when the project was in the inception stage.

My preferred way to approach this particular scenario is to offer packages where by the client would small incur yearly fees for ongoing maintenance and upkeep of the website. Likelihood is that they will be paying a reoccurring fee every year or two anyway seeing as there will be more than likely some sort of hosting fee to be charged so it could be bundled into that fee for hosting and made payable at the same time.

I don't think it's a viable or even valid option to allow WordPress sites to automatically update themselves. There are too many factors in play which could break a working website when upgrades are performed to the CMS or any of the Plugins.

Just my 2cents .

worc

From someone who has been involved with sourcing and then hiring web design companies be upfront about this and explain why it is required at the get go (and offer what Trojan does above) or you could piss off the clients...

I came into a project mid-way, well after a company had already been hired - the company was building a site for us with wordpress and never once mentioned it is something that requires updates to maintain security. I mentioned this to our guys and they felt like it was something the design company was either holding out on at the end to "get extra cash" after the fact or the company weren't smart enough to think of telling them about this early on and our guys lost respect for the company / felt they were half-assed given it was a pretty important thing to know about given the financial losses that could occur if a site goes down - so the people I was working with jumped ship once it was up and running - so another company now has the recurring updates income as a result.

Definitely put it in as a recurring cost because it is, if you end up doing this pro-bono then after you've designed a lot of website you'll eventually spend all day updating websites for free... (bad business :mad:)

Overthrow

Thanks for the replies. For my existing clients, I'm thinking of doing all the updates now, at no extra cost to them.

Obviously I don't want to carry out this work indefinitely, so maybe in a few months time I'll contact them and ask if they'd like some quick security maintenance done on their site - treat it as an upsell so that they don't feel it was a hidden cost I was keeping from them.

Then for my new clients I'll ask them before the beginning of the project if they'd like a hosting package, or hosting + security maintenance. The question is, what is a fair amount to charge for this?

Also, do you think this is a reason not to build in Wordpress? Are the security risks with it the same as any site, or do the plugins etc make it more at risk?

cormee

Overthrow wrote: »

For my existing clients, I'm thinking of doing all the updates now, at no extra cost to them.

This is a crazy idea. At best you won't make a penny from it, at worst you'll update a plugin that crashes the site, then you'll have an angry ex-customer and a lot of unpaid work to do.

If the site owner doesn't have a maintenance agreement, and you become aware of an issue with a plugin, alert the owner, explain how it can be fixed and at what cost, and let them decide on the appropriate steps to be taken - do not make that decision for them, doing so would be very unprofessional.

Feathers

Overthrow wrote: »

Also, do you think this is a reason not to build in Wordpress? Are the security risks with it the same as any site, or do the plugins etc make it more at risk?

An open-source project means that you have 1,000s of developers working on it. If you're using a plug-in that's popular:

a) The security loop-hole is more likely to be spotted
b) It's more likely to be fixed by someone else (leaving the only thing for you to do is to install the update)

If you're writing your own code from scratch, you're much more likely to include security errors (even with a decent level of PHP) as it's only you looking at the code — it's just human error, happens to everyone.

The downside to Wordpress is if you don't update (& you also don't remove/make private the signs that point to what version you're using, such as the licence file), a malicious user just has to look at the Wordpress changelog to be pointed directly to the weaknesses.

Overthrow

Hi again,
Thanks for the replies. I'm wondering now what I should charge as a security maintenance fee.

I was thinking of something like €30/year for hosting, or €100/year for hosting and security maintenance.

I can see this annoying my clients though as in this day and age 100/year is considerable. Seems another reason to just go with the site builders etc, or the cowboys charging 200 for a site.

worc

Overthrow wrote: »

Hi again,
Thanks for the replies. I'm wondering now what I should charge as a security maintenance fee.

I was thinking of something like €30/year for hosting, or €100/year for hosting and security maintenance.

I can see this annoying my clients though as in this day and age 100/year is considerable. Seems another reason to just go with the site builders etc, or the cowboys charging 200 for a site.

It's how you do it though - €8.33 per month sounds better than €100 a year...

Overthrow wrote: »

Seems another reason to just go with the site builders etc, or the cowboys charging 200 for a site.

And then their sites gets hacked and they come crawling back to you to sort it out...

pflat

Hi, just a bit of advice from someone who's been down that route. Charging someone 8.33 a month for what essentially will evolve into a whole lot more than just pressing the update button on a cms is lunacy.

If a client isn't willing to pay you at least a couple of hunded euro a year to look after their hosting and cms updates, drop them.

What if something goes wrong? What if their site gets hacked? Are you going to be liable, considering that they paid you a whopping 8.33 a month to do this job for them?

If you do something for free once, how do you think a client will feel if you suddenly start charging them for the service; "but you didn't charge me before?".

IMHO.

Feathers

Overthrow wrote: »

Hi again,
Thanks for the replies. I'm wondering now what I should charge as a security maintenance fee.

I was thinking of something like €30/year for hosting, or €100/year for hosting and security maintenance.

I can see this annoying my clients though as in this day and age 100/year is considerable. Seems another reason to just go with the site builders etc, or the cowboys charging 200 for a site.

Also, I'd be careful how you word that one in terms of contract — as in, making it clear that you're applying hotfixes/updates which will help with security. As opposed to taking responsibility for the site's security in any more meaningful way outside of that.