I have only ever done one WP site so I am not experienced in this but I would suggest that you read the contents of the update and decide if it is required.

Security updates are generally advisable. WP, being so popular and with its code being OS is regularly targeted by hackers.

Can security patches be applied without updating the whole ball of wax?

put it this way, I was left a site for 6 months without updating ( was a test site ) and went back to it to find it had been hacked ( tom thumb ) hack

Take no chances, I skipped once because it didn't say security update but probably wasn't so smart. Depending on the plugins you installed you may be in trouble, many are not updated in time, so that's a tough decision.

Since WP is extremely popular you have script kiddies targeting them a lot.

My hosting company's server was hacked the other day and my site, along with who knows how many others, were down 12 hours. Got me nervous.

In the past, I've asked my developer to wait a few months to install the new update, to give the plug-in developers time to catch up.

shallow, it may pay off in the end to buy the plugins. Choose the popular ones that are updated, even if they are paid plugins.

I've had the same problems. Last week I had a site shut down by a popular host and the reason they gave was a gallery plugin was hacked with an SQL injection that mucked up the shared server I am on.

I started password protecting the major folders and it seems to have helped.

The updates do cause me issues also. With 15 or so plugins several usually require special attention. In addition, file permissions almost always need changing to install and then resetting them to back original state is a hassle.

I oversee a lot of WordPress sites, for myself and for clients.

First of all - you absolutely need to update WordPress. Every time. It's ridiculous how fast the updates come some time, but that's just the way it is. Not to do so is a huge risk.

Second of all, despite my having a lot of WordPress sites, I almost never have a problem with plugins that don't work. I don't use a *ton* of plugins, but I use reputable ones with a good history (or someone I know) behind them.

If this were my issue, I would start looking at those plugins, one by one, and seeing if I am really using the best one for the job.

You shouldn't be having this many problems.

All are listed as compatibility "unknown" with WP 3.2.1 except the one noted below:


All in One SEO Pack

Comment Form Quicktags (3 "works" votes out of 3 total)

Custom Field Template

Google Analyticator

Google XML Sitemaps

NextGEN Gallery

Redirection

Search & Replace

W3 Total Cache

Yet Another Related Posts Plugin

Well just because they say "unknown" doesn't mean they're definitely going to break. It means WordPress issued a release and it's either not tested yet or the page just hasn't been updated yet. Of the ones you list there, All in One SEO Pack, XML Sitemaps (although personally I use Yoast's plugin which does both of the previous), NextGEN Gallery and W3 Total Cache should work with pretty much any updates. Maybe YARPP too; that's pretty common. I don't use Redirection anymore because I found it to be buggy, and the rest of them I am not familiar with.

Unfortunately, updates are not really negotiable and a cost of doing business. As soon as WP plugs up some hole or other, miscreants find another one. And same goes for plugins, too.

That said, Drupal *does* classify updates as security updates or not, and in the case of security updates, they tell you what the exploit is. Quite often in the case of Drupal, the exploit requires the user to have admin privileges for a particular module, which means that if you are the only one who has such privileges, you can choose not to update that module even though there is a security update for it.

I find this means I can track security alerts and releases and make an informed decision about whether or not a site needs to be updated or, as is often the case, the update concerns only a few bugs in features I don't use anyway.

I'd love to see WP adopt an approach like this, but I think it's still true that WP is to Drupal as Mac is to Linux. WP likes to hide the magic behind the curtain; Drupal makes you look at the naked wizard whether you want to or not.

Always patch. Always. And do it as soon as you see it come out.

Vulnerability exploits can appear within hours of a patch, and sometimes before, as the patches are often reactive to a known vulnerability, and for a pro hackers, they actually build bots that search google for files and headers unique to specific versions of WP installations, thereby making the hijack/hack fully automated. They can take thousands of sites per hour.

As for your plugins, I did some testing on 3.2.1:

All in One SEO Pack -> some garbled output, but basically works.

Custom Field Template -> Seems fine.

NextGEN Gallery -> Not a problem whatever, so long as the plugin itself is up to date. Use this on a number of sites.

If I get a chance, I'll test the others later on tonight.

If updates worry you, keep a separate installation going (you can have a second domain with a vanilla WP installation running for less than $100/year, well worth it for testing purposes), with a mirror list of plugins. Test every update there and see where you run into problems.

Thank you for the offer, grelmar! And for the helpful input from others.

I'm on a virtual server and my web developer set up a duplicate dev site, where he does the installation and developing, and then we both test things before he transfers them to the main site, he tests in the back end and I test the front end.

TO answer your topic title: YES. If you don't, there's a good chance you'll fall victim to a hack of some sorts.

Custom Field Template -> No issues noted.

Google Analyticator -> No issues noted.

Google XML Sitemaps -> no issues noted. Even had it build an XML sitemap. Nifty plugin.

Redirection -> No issues noted.

Search & Replace -> No issues noted.

W3 Total Cache -> No issues noted. Again, neat plugin, might have to play around with this one a bit more.

Yet Another Related Posts Plugin -> No issues noted.

In case your wondering, basically I installed each plugin, activated, quickly viewed a few site pages and admin pages, maybe tinkered a couple of settings, and tried to spot if anything broke.

The only one of the plugins you listed I noted anything was with the "All in One SEO Pack" which spat out a couple of errors and garbled output on one of the admin pages, but nothing visible to the "external" user.

I also deactivated the plugins to see if this had any adverse effects, and didn't come across any.

Keep in mind: I have a fairly straightforward theme, nothing JAX-y to get in the way or create conflicts. Also, I didn't have more than 3 of your plugins active at any one time. Your mileage may vary.

Also, good on you for testing on a duplicate site, it's really the only way to be sure that nothing is going to cause you grief. I have other plugins which might have inadvertently prevented errors from happening, although usually it's the other way around - too many plugins can conflict with each other.

Have a good night!

For NextGen Gallery make sure you have an old copy before you update (same for all your plugins). I have had it break before either doing an wp update or it will not play well with other plugins.

This is what happened with the latest 3.2.1
I also have w3 Total Cache and the two did not play well together.

So right now I have 3.2.1 WP version with both Next Gen 1.8.3 (old) and w3 Total Cache (0.9.2.4) because if I update these two plugins, my NextGen gallery slideshow will not work and my site has lots of images. I just need to find another image gallery that functions like Next Gen.

I would suggest you definitely update your WP theme and if you see that anything is broken, to disable all plugins. Enable each one, one by one until you find the culprit. Either use the old version plugin (like me), find a new plugin, or have your developer fix those plugins.

Tangential observation: Unless WP is different from all other programs in the known universe, the most useful and popular plugins will eventually be incorporated into the core and you will no longer have to deal with them.* If you've got a choice of multiple plugins that can do the same job-- as implied by names like "Yet Another" you-name-it-- use the one with the most solid history.


* Anyone who does php/bb forums may remember the jump from 2.x to 3. Bye-bye, 90% of formerly essential mods. How 'bout mod_access? That clock in the top right corner of your Mac's menu bar began life as a freeware extension. Et cetera.

I don't use WP but do have phpBB forum, realistically you need to learn PHP if you're going to install mods/plugins.

I try and minimize what I install even modding the mod and be sure to comment everything, all updates are manually done doing file comparisons.

(pretty sure the most useful and popular WP plugins will never be built into the core; some of them get built into the themes tho)

Grelmar said: "pro hackers, they actually build bots that search google for files and headers unique to specific versions of WP installations"

That's a technique with vBulleting hackers too, so forum owners get rid of the "Powered by vB 4.x.x" footer. If you can change the unique version identifiers, do so. Applies to any software package, I guess.