One of my projects is helping out a small non-profit. Their advocacy website is in WordPress. So when WordPress.org let them know that a new version was out, WordPress recommended upgrading 3 days after the release. The non-profit had a natural question: Should we upgrade our site to the new version? Seems logical. Newer is better, right?
Well not so fast.
The issue is one of managing risk by understanding the risks and the benefits. Here is where some analysis can be helpful.
Story of Wedding Cakes
In one of my former lives, I was an event photographer. I always vowed (pun intended) to not do weddings. The primary reason – the expectations of the customer (bride) are unreal. On that magical day, expectations are unreal and beyond control. If the baker makes a mistake, I as the photographer am already doomed. The expectation is perfection. For the entire wedding day. Everything. Including the weather. If anyone on the ‘team’ makes a mistake and all fail. Especially since everyone can make a cake, press a button on a camera (or cell phone, or a computer). So the question becomes why is making a cake (especially for a wedding day) so complicated? Well after listening to a few bakers and artists, I learned there are a thousand critical points where a simple cake turns complicated. Mostly because for each layer you add, all the little mistakes on the layer below it show up. Those little mistakes get amplified until you end up with the tower of Pisa or worse. While it may all work in the shop, taking it to the wedding or putting it out in public can expose those issues in ways not desired.
It becomes about risk. And managing risk. You cannot get rid of all the risks, but you can mitigate and prevent risk in many ways. Did I mention that risk plays into it.
Simple WordPress Upgrade – that’s all
A similar situation exists with a ‘simple’ WordPress website.
Now don’t get me wrong, I feel WordPress is a great tool for most websites (since most websites are simple in objective and construction). For those websites that is is not the case (more complicated) the conversation becomes far more nuanced. And I recommend WordPress as the 1st consideration for a site. Even if it does not belong on WordPress, it becomes a great prototyping tool, and scrum development platform for at least a place to converse with key stakeholders.
Recently, I was asked ‘should we upgrade to the latest version of WordPress?’ WordPress 3.3 had been released 4 days ago, and logging in to update the site created a prompt to upgrade. The short answer was ‘not now’. But I was not in a short answer mood. A big part of the issue was risk management, and the software layers involved like the layers on a wedding cake. I took this opportunity to have a teach able moment in understanding more about what is happening on a website.
Layers Upon Layers Upon Layers
In the world of web services, that layer cake that creates a website is sometimes referred to as LAMP (Linux, Apache, MS Sql, PHP). A whole other topic worthy of its own site, let alone a single entry. But back to the layers on our website ‘cake’ for this non-profit site.
- Why, let me start with listing the layers we are using, and where there could be issues:
- The hosting company hardware – usually shielded by the operating system. In fact most people working with a hosting company do not even know what the hardware is, or when it was last updated or changed. Not knowing is fine, but that hardware may not play well with this new version. But maybe this new release creates a lot more disk input/output and an old model hard drive cannot handle it. It it is a new ‘fancy’ SSD drive not optimized for this change and will wear out in only a couple of week. Perhaps the hardware is very slow in its RAM, and this new version is optimized for fast RAM and actually slows down because of this hardware configuration. Probably only a .1% chance of causing grief in this scenario.
- The hosting company OS (operating system), typically a Linux variation for most hosting companies not using heavy database tools. Again typically hidden, and takes some effort to determine the micro-release. But this is key in making sure all the hardware plays with the software. Whose version (or distribution) of Linux probably adds .1% risk. The micro-release adds about a .2% chance of challenge. (.4% running total)
- The web serving software (typically Apache or Microsoft IIS) and it’s micro-release. Again another layer to work in partnership with all other layers. This adds a .8% chance of challenge, mostly because it is more directly accessed and more configurable by the hosting company to meet the needs of the type of hosting (shared, virtual hosting, VPS-virtual private server, full server, reselling…). (1.2% running total)
- The control panel software (cPanel being the largest in the Apache web hosting management arena). This is the tool that lets you manage your hosting account. It lets you:
- create users,
- email accounts,
- empty log files,
- add more space for x subdomain,
- lock out Suzy’s account until she pays, or forward until she returns from long term absence.
- This adds about .3% risk to the stack. (1.5% running total)
- The install software. This is typically a button on the control panel software. Sometimes it needs to be updated to handle the customizations in the lower layers. This adds about.5% risk to the stack (2% running total)
- Add-ins – these can be at almost any of these levels but 2 main areas would be at the Apache/web serving software like a spam tool on the server, or log tracking tool (for collecting traffic statistics). Depending on how many are running, for a stable hosting company they add .1% risk to upgrading a WordPress level. (2.1% running total)
- WordPress release itself. This it what is creating the website on top of all the other layers to be shared with the world through the WWW. This adds risk based on where WordPress is in its lifecycle (the risk changes from when the product is new and ‘raw’, to stable, to needing to change and catch up to other tools that are ‘beating’ it in the industry, to being at its end of life cycle). At this point in WordPress’ cycle I would estimate that a .x (vs x. or .xx release) adds 1.5% risk to a stable ‘simple’ website. Part of this risk is just updating any software that is installed and running over installing from scratch. It is much easier to build from scratch in most software then to overlay running software and not do any harm (3.6% running total)
Plugins or Add-ons to WordPress. These are the SEO optimization tools, traffic analysis tools, and the other 17,409 plugins currently registered at WordPress.ORG (http://wordpress.org/extend/plugins/). These can add lots of challenge and conflicts. This is where a patient attitude can pay off in saved aspirin and Tylenol. This adds 2% to the risk (5.6% running total)
- The theme in WordPress. There are 1,458 as of today registered at WordPress (http://wordpress.org/extend/themes/). This is just what is registered at the site. This layer is the template gives the look and feel of the site, integrates all the previous layers (especially the plugins) to the site. Since this is on top of WordPress, it is more susceptible to issues. The risk level here is a function of how mature the software it is sitting on, and how major the release is. In this case a 3.x release, and a simple theme with few plugins (sorry for adding so many weasel words here, but it gets specific quickly) I estimate the risk at .2% (5.8% running total)
- Customization of the WordPress theme – this can be very minimal from changing the color theme from blue to green, or as major as adding a blog to a theme that was not designed for it. In this example, we had minimal customization on a simple theme. I estimate it adds .1% risk. (5.9% running total risk)
- Some tweaks to the stack that the hosting company added that is not clear, documented and well maintained. This is a black box of unknown. Since I did not choose or research this hosting company, I will guess the risk factor by the size and reputation of the hosting company. A better way to determine a more accurate risk estimate would be to look at the questions and comments posted by customers of the hosting company based on real issues they have had. Part of the detective work is to look at the responses and timeline of the hosting company. My estimate is .2% in this instance. (6.1% running total)
- Security patches applied to all the layers listed above based on when they came out, how thoroughly they were tested and how long they have been applied. Add .1% risk this month. (6.2% running total)
Add all the risk estimates up (sorry, the risk is cumulative), and the potential risk to upgrade is around 1 in 18 upgrades will have some challenge. This is where a testing and roll-back plan comes into play. And that is a whole other entry.
Conclusion on New WordPress Release
As complicated as this all sounds, new releases do usually work quite well. They typically run far more reliably then my car. The world we live in is complicated, but our ability to understand its systems is also incredible. Embrace the fun of change. Even a field of sugar cane and acres of wheat that make the wedding cake changes and evolves. Ask any farmer and they will certainly tell you about risk and risk management. Just like our web serving stack.
But remember there is risk, and consider the trade off of benefit to risk in your upgrade decisions. Oh, that is a whole other side to this analysis – what are the benefits of a change, or in this case an upgrade?
What kind of risk management do you typically perform in your decisions to upgrade software? Comment and contribute to the conversation below.
As I wrote about yesterday, One of my projects is helping out a small non-profit with online presence and social marketing. Their simple site is in WordPress, so when WordPress.org let them know that a new version was out. Of course, they recommended upgrading just days after the release. So the executive director asked the natural question: Should we upgrade our site to the new version? Seems logical, newer is better, right?
Well not so fast.
WordPress 3.3 was release 4 days ago. My short answer was not now. It is probably best to add this to the list of todo’s for next year. But I was not in a short answer mood. A big part of the issue was risk management, and the software layers involved like the layers on a wedding cake.
In one of my former lives, I was an event photographer. I always vowed (pun intended) to not do weddings. The reason – the expectations are unreal.
A similar situation exists with a ‘simple’ WordPress website and its’ many layers of software that are used to let someone see our site. Tomorrow I will run down the different layers, but for now, here are the reasons that most jump out to not upgrade.
Now don’t get me wrong, I feel WordPress is a great tool for most websites (since most websites are simple in objective and construction). Those that is is not (more complicated) the conversation becomes far more nuanced. And I recommend WordPress as the 1st consideration for a site. Even if it does not belong on WordPress, it becomes a great prototyping tool and scrum development platform for at least a place to converse with key stakeholders about how to meet the site’s goals.
Recently I was asked ‘should we upgrade to the latest version of WordPress?’ So my reactions were:
- New releases are best tested by others. Unless they are fixing a core issue that is not working today. I am so appreciative of the thousands in the Internet and in the WordPress community that will find all the other ways a new release does not work on all configurations all the time. They will share with all the different layers and get those problems fixed. Hopefully before we upgrade.
- This release does not really improve our world today. This new release does not really change the limitations of the template, it may make new templates easier to build or old templates easier to improve, but it will not ‘fix’ the limitation of the existing template. So this is another reason not to upgrade right away. Tomorrow I will go over all the different layers and what risk I estimate they add to such an upgrade, but here are a couple of highlights:
- Whenever changing software and its many layers, it is important to have a testing plan and program. We have not had the time to develop that, and it should be done before we upgrade releases.
- Add all the risk up (sorry the risk is cumulative), and the potential risk to upgrade is around 1 in 18 upgrades will have some challenge. This is where a testing and roll-back plan (the ability to undo the changes in case they make it worse then the ‘upgrade’) come into play.
- There is no testing plan in place yet. A testing plan minimizes these risks by being able to duplicate the above issues as close as possible, and determine if in our specific circumstances, if there is a problem. For usually very few dollars, a test bed can be set up (usually less then $50 per year). Costs usually include:
- ‘testing domain’ – $10 per year
- setting up a 2nd domain/website – $10
- Reinstalling WordPress, plugins and all the other layers listed above. The key is they need to be all the same version and configuration except the one change/upgrade (in this case new version of WordPress).
- Possibly some testing software (although there are many low volume free versions) to thoroughly test a site, and some monitoring software to see how the ‘new’ version works.
- This does not include the extra time on various peoples part to:
- Define a testing plan.
- Set up the testing platform.
- But, once a process is defined, it will be much easier for all future upgrades, and far less stress before, during, and after (if there is a problem, there is a test bed to go see what is happening, and how to troubleshoot it, especially if the site is not fully down, but only ‘damaged’.)
- This of course assumes a low volume, simple site. Issues, and solutions scale up as the sites objectives and complexity scale up. However, these fundamentals still apply, we have to add other considerations.
- Other questions to consider:
- Has the hosting company added the new release to its auto install packs?
- Have they tested the new release on their servers (at least on one of them, they should all be the same, but as you can see from above there are a lot of areas where variations can be introduced)?
- Has the theme tested itself on the new release? Their site or page should list comparability with the current release.
- Have all the plug-ins (or add-ons) been tested as compatible with the new release? According to the page http://www.projectrace.com/wp-admin/update-core.php it has not yet be tested.
- These three ‘pre-tests’ will be very helpful in determine when to start considering when we should install the new release. Relatively speaking this is not a major release and does not seem to add much.
Sorry for giving a long answer to a short question, I got on a roll and wanted to map it out to share with others. Even if you don’t set up the testing platform, just thinking through the issues and steps to test them will improve your ability to resolve issues once they do occur. Not if, but when. So this exercise in risk management has value in many different ways. And yes it is a pain in the productivity to getting it all out.
What are your thoughts on WordPress 3.3 and upgrading software?