Updates on WordPress security, Wordfence and what we're cooking in the lab today.

WordPress 5.0: How and When to Update

This entry was posted in Miscellaneous on December 5, 2018 by Mark Maunder   46 Replies

WordPress 5.0 is being released tomorrow, December 6th. This release contains a major change to the WordPress editor. The new editor, code-named Gutenberg, is a substantial leap forward in functionality. It uses a new block-based system for editing which allows you to embed a wide range of content in your posts and pages, and gives you a lot of flexibility in laying out those blocks on the page.

Once Gutenberg and WordPress 5.0 have stabilized, they will provide long term benefits to WordPress users and the community. But in the short term, this change may introduce challenges for some WordPress site owners. In this post we will discuss a few points that will help you decide when to upgrade to WordPress 5.0, and to formulate a successful strategy for making the transition.

Why is WordPress changing the editor?

The WordPress core development team has been talking about Gutenberg for quite some time. The goal, according to Matt Mullenweg, is “to simplify the first-time user experience with WordPress — for those who are writing, editing, publishing, and designing web pages. The editing experience is intended to give users a better visual representation of what their post or page will look like when they hit publish.”

Overall, we agree that Gutenberg will be a giant leap forward in using WordPress to create content online. But, as Matt stated, the goal is to simplify the experience for the first-time user. For the rest of us who have assembled a number of tools to fill the gaps in the older editor’s shortcomings, this will be a period of adjustment.

Potential Problems With Legacy Plugins and Themes

WordPress has been around for over 15 years, and in that time millions of websites have been created using the current editing framework. Often, sites are created and never updated to more modern themes. There are a large number of abandoned plugins installed on WordPress sites – plugins that are no longer being actively maintained by their developers.  No one is testing these abandoned plugins or older themes to see how they will behave with Gutenberg.

Adding to the complexity, many of these sites may be hosted on managed WordPress hosting services that will auto-update to the new WordPress version.

Some WordPress site owners may be unable to effectively edit pages they had previously published. Some may be unable to access their edit screen. There may be server 500 errors or white screens for some users. Or everything may run smoothly, even with legacy plugins and a legacy theme.

With over 60,000 unique plugins in the WordPress plugin directory, it is not feasible to test all of the plugins with the new editor. Actively maintained plugins are, for the most part, being tested by the plugin authors. Abandoned plugins will not have been tested, so it is up to you to test whether WordPress 5.0 will work with these plugins.

The same applies to themes. Many themes are actively maintained by their authors. In other cases, a theme may have been created as a single project for a customer or created for the community and then left unmaintained. These unmaintained themes have not been tested with Gutenberg and WordPress 5.0.

If you do anticipate compatibility problems with WordPress 5.0, you can keep the current WordPress editor by installing the WordPress Classic Editor Plugin. We recommend you do this ahead of time, rather than try to use the new editor with incompatible code. But it’s also worth pointing out that Gutenberg and WordPress 5.0 are a significant step forward in editing power and flexibility. So it is worth investing the time to make your site compatible, modifying it if needed, and then reaping the benefits of a brand new block-based editor.

Will Wordfence work with Gutenberg?

Yes. Wordfence does not interact with the editor, so it will not be impacted by Gutenberg. Our QA team has thoroughly verified that Wordfence is ready for Gutenberg and WordPress 5.0.

Because you do have Wordfence installed, you will receive a notification that WordPress is out of date and requires an update. Please keep in mind that this is no ordinary update. This is a major change to your content management system, and we recommend that if you’re not ready for the new editor, wait to update WordPress. Yes, you will receive security warnings from Wordfence because the basic premise has always been to keep open source software updated. If you are not entirely ready for WordPress 5.0, however, there is no harm in staying on the current version while you get ready.

The current version of WordPress core is 4.9.8. If you remain on this version, you will continue to receive security updates from the WordPress core team. The current policy of the WordPress security team is to back-port security fixes to all auto-update compatible WordPress core versions. That means that all versions of WordPress core will continue to receive security updates all the way back to WordPress 3.7. This is not an open-ended policy and may change in the future.

How do I know if I am ready?

Do you have a testing environment for your website? Have you tried the new Gutenberg editor? Are you using a modern version of PHP? Great, you’ll likely be prepared for WordPress version 5.0. As with all major releases, we recommend updating your test environment first to look for problems.

Look for anomalies with all of your page layouts. It also makes sense to go back in time on your test environment and review older posts and pages to ensure they’re ready for the new editor.

As always back up both your site files and your database prior to any update, especially an update of this magnitude.

If your hosting provider auto-updates

If you’re on managed WordPress hosting, your hosting provider will automatically update WordPress for you. Your managed WordPress provider should be taking backups for you. Check with your hosting provider to see what support they will provide for the new WordPress editor and when they will be updating to WordPress 5.0. Some hosting providers, like Page.ly, are waiting until January of next year to do the update.

If you’re using a page builder or premium theme

If your site uses a page builder like Visual Composer, Divi, Beaver Builder or any other tool that uses shortcodes, check with the developer to ensure that your tool is ready for Gutenberg. Many page builders come bundled with premium themes. You may need to check with your theme developer to ensure that you have the updated versions installed on your sites.

What are the security implications of Gutenberg?

We are not currently aware of any security issues with WordPress 5.0 or Gutenberg. The project is being moved into production at a rapid pace which increases the risk of a security issue emerging, because this reduces the amount of time available for testing and debugging.

At this phase in the evolution of WordPress, there are a large number of security teams globally that have eyes on the code and are actively conducting research to determine if there are vulnerabilities in new WordPress releases. As soon as an issue emerges, our team will react and release a firewall rule in real-time to protect our Premium Wordfence customers.

Once WordPress 5.0 is released, there will likely be a series of smaller releases that will emerge over the following weeks. We recommend that you monitor the official WordPress blog and if they announce a security update, upgrade as soon as possible.

Overall This is Good News

As mentioned above, Gutenberg and WordPress 5.0 are a major leap forward in the evolution of WordPress. Rapid innovation does not come without risk or inconvenience to a such a large user base. Our team is excited to embrace the new WordPress and to use it ourselves. By following our recommendations above, you can reduce the risk of this transition and migrate smoothly into 2019 with a powerful new editor for WordPress.

 

Did you enjoy this post? Share it!

46 Comments on "WordPress 5.0: How and When to Update"

Tom Martin December 5, 2018 at 11:20 am • Reply

Can I use one of several plugins to make sure the new editor can't be selected...even if I upgrade to WP 5.0

Kathy Zant December 5, 2018 at 12:19 pm • Reply

Hi Tom! The classic editor plugin, if installed on your site, will ensure your site continues to use the classic editor even after updating to WordPress 5.0. If you're concerned, install that plugin prior to update. And with any update, ensure you backup your site files and database prior to updating, especially a major release.

I Love Wordfence December 5, 2018 at 11:29 am • Reply

Thanks for this, just installed classic editor on all sites, tried Gutenberg but very confusing to work with.

Michael December 5, 2018 at 11:55 am • Reply

Thank you very much for this Post. Very helpful!

louis judice December 5, 2018 at 12:02 pm • Reply

Just to be sure, sites will not auto update to 5.0, correct ?

(assuming you do not have some explicit or host provided tool to do this.)

Kathy Zant December 5, 2018 at 12:12 pm • Reply

Hi Louis. Major versions won't autoupdate on their own. But if you're on a managed hosting provider, your host may push out an update. Check with them. If you're concerned, install the classic editor plugin to be sure. As well, it's always a good idea to backup your site files and database regularly.

Harry Reinhardt December 5, 2018 at 12:03 pm • Reply

Will be interesting to see what acceptance rate is for long established sites vs. newbies. I suspect sites like mine that have many years worth of content will not play well with Gutenberg. Many may take the "if it works don't break it" approach and continue using the classic editor. And for commercial sites, the cost of converting to Gutenberg may also be a factor.

And, in my humble opinion, the current Gutenberg UI is not exactly a walk in the park.

Kathy Zant December 5, 2018 at 12:17 pm • Reply

Hi Harry! Yes, it will definitely be interesting to see how site owners choose to move forward. I've chosen to move some of my personal sites to Gutenberg, and we know a few enterprise installations that are embracing the new editor. And yet, I understand how change can be challenging, too. While Gutenberg did take some getting used to, I'm now finding it to be a much easier method of publishing. The built in capabilities of handling pasted content from other environments (Microsoft Word, etc.) are worth the effort of installing in a test environment and giving it a try.

Sam December 5, 2018 at 12:08 pm • Reply

Is there a way to install this on all WP at the same time? I surely don't want to spend all that time doing this, with one day's warning!

Kathy Zant December 5, 2018 at 12:35 pm • Reply

If your hosting provider is not set to auto update your WordPress installation to the latest version, you will be fine. Check with your host to be sure, and then update WordPress when you are ready to do so. There is no problem with staying on the current version of WordPress until you're ready.

3PRIME December 5, 2018 at 12:08 pm • Reply

Very timely post, thank you! I tried out gutenberg a month ago and its a big step in the right direction but I don't think it is going to replace the popular layout builders for some time to come.

louis judice December 5, 2018 at 12:17 pm • Reply

Thanks!

Ron Richardson December 5, 2018 at 12:22 pm • Reply

This is just plain crazy... on the initial release, why make Gutenberg the default? There will be a worldwide panic! And, I'm hearing that it will need a php update to version 7. Yikes...

Kathy Zant December 5, 2018 at 12:33 pm • Reply

Not crazy at all if you're prepared for it, and because you're here, you sound like someone who is prepared, Ron! You should be updating PHP on your server as well, as older versions are no longer supported and EOL this month. More information is here: https://www.wordfence.com/blog/2018/10/php5-dangerous/ Thanks for your comment.

Ray Gulick December 5, 2018 at 12:24 pm • Reply

Would like to strongly encourage that WordFence support ClassicPress.

Moses Monday December 5, 2018 at 12:25 pm • Reply

This is a timely step in the right direction. I guess there is serious need for database backup before switching to the 5.0.
I'm also sure the next update (5.1) would help a lot too.

Kathy Zant December 5, 2018 at 12:30 pm • Reply

You should definitely back up files and database before any update, especially with a major release.

Brad December 5, 2018 at 1:00 pm • Reply

Updating to PHP 7 should already be on your shortlist. It's not some scary thing. It's as simple as selecting PHP 7 from a dropdown menu usually.

Jeff Quandt December 5, 2018 at 2:06 pm • Reply

Another thing I had heard is WordPress 5 requires php 7.0 or higher. Servers running older versions like 5.X may experience issues.

Have you heard anything about this?

Jeff Quandt December 5, 2018 at 2:08 pm • Reply

I have also added a PHP compatibility checker plugin to see whether sites I work on have any issues. It checks all the plugins and theme and provides a nice report.

Linda December 5, 2018 at 2:13 pm • Reply

Why did they think releasing a major version with a significant functional change at the beginning of the busiest time of the year for small businesses (well, nearly everyone, really) was a good idea? Especially since the Gutenberg plugin in the WordPress repository has a staggeringly low 2.5 star rating (1072 1&2-star reviews vs. 562 3-star and up).

Slow down, fix the known problems (within the last day there are numerous comments of "irresponsible", "unwanted", "difficult to use", and "complete mess"), and release after the holiday season when developers, webmasters, store owners, and everyone else using WordPress isn't up to their eyeballs in other things.

Robert Stiles December 5, 2018 at 3:00 pm • Reply

I downloaded wordpress within the last 60 days and started hosting with Siteground at same time. Your opinion only - should I expect any issues? Current using php7.1

Linnson December 5, 2018 at 3:01 pm • Reply

Has two blogs, Gutenberg on one and classic on one. Have been working for a couple of months. Gutenberg is not good at all, it's bad. It's mostly bad because it's all hidden. You do not know where to write somewhere because the editor window is invisible until you click it and eventually find it, then it will be visible. Likewise, with function choices, they are hidden behind plus and strange. Have more to say about it but it will suffice. Classic must remain as long as Wordpress is available otherwise I choose something else.

MS December 5, 2018 at 5:32 pm • Reply

In your article you mention that "The current version of WordPress core is 4.9.8. If you remain on this version, you will continue to receive security updates from the WordPress core team." Would automatic updates have to be turned on to get any security updates for 4.9.8? I like to back up my site before applying any WP update, so I have turned on auto updating. Are security patch updates for older WP versions available for download WP.org?

Mike December 13, 2018 at 1:05 pm • Reply

I too would like to know if I would need to do a complete manual update or if there are patch versions that have just what has changed between versions.

Also if auto updates are turned on does that mean it will auto update from 4.9.8 to 5.0.1 or will it only auto update to 4.9.9?

Kathy Zant December 13, 2018 at 1:13 pm • Reply

If you are currently at 4.9.8 and have autoupdates on, you will autoupdate to 4.9.9. Major versions do not autoupdate, only minor versions. If for example, you were using 4.7.11, it would autoupdate to 4.7.12 for security patches. Autoupdating wouldn't lead to 4.8. To explore versions and their logical autoupdate path, the full archive of releases can be found here: https://wordpress.org/download/releases/

John Le Fevre December 5, 2018 at 7:58 pm • Reply

The new WordPress 5.0 is an abomination. It's a childish retur to the horrible concept of ReadySetGo in 90s and an attempt to dumb the platform down.

We looked at it a month ago and estimated it will add 15 minutes per hour to a publishing deadline that doesn't have 30 seconds of extra time. It's awkward, cumbersome, and childish.

If this becomes the default with a plugin that hides the 'better-smarter-easier' interface then we will migrate off WordPress.

Jodi shaw December 5, 2018 at 8:45 pm • Reply

I don't really understand why everybody is freaking out Gutenberg is absolutely amazing I love the ability of being able to move the blocks around not having to scroll up and down the screen with the classic editor being so mundane I love the ability of being able to duplicate blocks which makes it much easier when you're creating something like a gift guide regular blog posts are now created with more imagination and it's only going to improve people need to stop being so scared of the future and embrace it play around with it it's not the end of the world. I do have a question though if we're already using the Gutenberg plugin should we disable that before the update?

Zakes Maaya December 5, 2018 at 9:17 pm • Reply

I tried Gutenberg and didn't work for me, the classic editor still the way. I don't think is the right way to replace something working, however, we welcome the evolution.

Wumi Olatunji December 6, 2018 at 12:03 am • Reply

I decided to use Gutenberg exclusively in my latest projects. Yes, it took a while to understand the layout but I actually prefer it to the classic editor now. And I love the extensions sprouting up to add more goodies. Yes, I've been stuck with some errant blocks a few times but overall I think it's a great leap in the right direction. Kudos to the development team.

Crimson King December 6, 2018 at 1:18 am • Reply

I'd like to second the proposal for Wordfence to officially support ClassicPress. I've installed the Classic Editor plugin on all my WP sites but doesn't it seem a bit wrong that you have to install a plugin just to retain a core WP feature? ClassicPress seems the way forward to me and it'd be great to see it supported by plugin developers.

Rico December 6, 2018 at 8:32 am • Reply

OK, I still don't get it. Even with Gutenberg disabled one would still need to switch to PHP7 because the 5.0 version would not support the pre 7 versions?

My hosting provider don't have WP autoupdate option but my sites are always updated automatically.
The way I see it - it would be best to disable the auto update options in wp-config.php.

Chris December 6, 2018 at 9:08 am • Reply

Thank me later
define( 'WP_AUTO_UPDATE_CORE', false );

Bilal December 6, 2018 at 12:35 pm • Reply

Do you have any comment on whether you'll be supporting ClassicPress (https://www.classicpress.net/) anytime soon? Lots of us in the dev community are switching to it.

Mark Maunder December 6, 2018 at 1:28 pm • Reply

We are not and currently have no plans to. That may change.

Rico December 6, 2018 at 1:25 pm • Reply

Yes, I wanted to do that but some say such an important updates doesn't upgrade automatically. Can anyone confirm or deny this?

In the meanwhile I did a little experiment. Swtiched PHP version back to 5.6 and upgraded my test site to WP 5.0. Everything works the same. I have a theme with Page Builder by Site Origin and it is working the same as before. I think that's good news.

Rick December 6, 2018 at 10:04 pm • Reply

I think this might be better, since it allows auto-updates of minor versions, just not major ones.

define( 'WP_AUTO_UPDATE_CORE', minor );

Vilnis Vesma December 7, 2018 at 12:38 am • Reply

Wish I had read this blog when it first came out. I have one site hosted on GoDaddy who have forced the upgrade on me and I find myself stuck with Gutenburg, which I had previously tried on another of my sites and immediately rejected. Editing my GoDaddy-hosted home page is now really awkward because of the way that Gutenburg renders it (even though it is just some text with an image next to it) and to add insult to injury, the editor's so-called 'Preview' button shows the UNedited version of the page! What...?

Kurt December 7, 2018 at 3:16 pm • Reply

"The goal, according to Matt Mullenweg, is 'to simplify the first-time user experience with WordPress — for those who are writing, editing, publishing, and designing web pages.'" I've briefly dabbled with Gutenberg and in my opinion, Gutenberg is not simple. The classic editor is much simpler in my opinion.

Kurt December 7, 2018 at 3:21 pm • Reply

You're not stuck with Gutenberg. You can install the Classic Editor plugin which from what I've read will disable Gutenberg. Reference the following post by Grayson Bell at iMark Interactive: https://www.imarkinteractive.com/how-to-easily-disable-gutenberg-wordpress-5/

Kurt December 7, 2018 at 3:23 pm • Reply

Agreed..it's definitely NOT a simplified version of the classic editor.

Kurt December 7, 2018 at 3:30 pm • Reply

Yeah, I was just thinking about users who have multiple posts. Seems like it would be very time consuming if one wanted to go back and manually update multiple posts to be more compliant with Gutenberg. From what I've read, all existing posts are migrated to one large classic code block when you upgrade to WP 5.0 and Gutenberg.

I realize that you can still use the classic editor, supposedly up to or through 2021, but eventually users may have to bite the bullet and learn to use Gutenberg.

Kurt December 7, 2018 at 3:32 pm • Reply

That may depend on your hosting provider.

Kurt December 7, 2018 at 3:34 pm • Reply

Unless you're hosting provider auto-updates, you have the choice NOT to upgrade. I'm on SiteGround and I choose whether or not to upgrade.

Kurt December 7, 2018 at 3:37 pm • Reply

SiteGround hosting provider customer here...you should have the option whether or not to upgrade. From what I've read, it's best to hold off upgrading your live site for now. Since you're a SiteGround user, checkout my post on creating a staging/testing site on SiteGround: https://sharedbits.net/creating-a-wordpress-staging-testing-site-on-siteground/

Kurt December 7, 2018 at 3:44 pm • Reply

You might want to refer to a response by Kathy Zant to a comment by Ron Richardson above. There's a link about PHP 5 being dangerous.


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 90 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates

Leave a Reply

All comments are moderated before being published. Inappropriate or off-topic comments may not be approved.