To people who make software, it seems apparent that it should be updated often. If the software isn’t regularly updated, many developers consider it to be abandoned and useless. Software is an evolving system, and if it isn’t evolving, it might as well be dead. Ordinary users don’t think like this, which is, at least in part, why developers and security experts have a hard time convincing users that regular updates are essential.
Consider a coffee connoisseur — smart, well-informed, and conscientious, but not a developer. After researching carefully, they buy the best espresso machine they can afford. An excellent quality espresso machine will last for years. If it breaks down, it will be repaired. If it makes excellent espresso, there’s no need to swap out the pumps and filters for newer, slightly better versions. There’s no need to replace the whole thing because a more advanced model is released with a fancy display to tell you how hot the water is.
The original machine makes excellent espresso; it’s good enough. It has quirks, but after months and years of use, they’re understood and comfortably familiar — to our espresso aficionado, the rough edges and leaky pipes are part of making something they love.
To a non-developer, a WordPress website looks more-or-less like an espresso machine. It’s a tool for publishing content on the web; it has form fields to fill and buttons to press, and it will reliably do the right thing with the correct input. It works. Perhaps not perfectly, but after a while, it’s understood and familiar. Why change things by updating them?
This is an entirely natural way to think about physical tools like espresso makers and hammers, but applying the same mental model to software is a big mistake. To someone who doesn’t understand the complexity beneath the surface, a WordPress site is just like an espresso machine, but software is many times more complicated.
Douglas Crockford, a well-regarded developer, expresses this quite straightforwardly:
“Computer programs are the most complex things that humans make.”
A useful piece of software is made of thousands and sometimes millions of intricate interlocking and interdependent parts. The more parts something has, the more ways there are for them to interact and the more ways there are for something to go wrong. Developers try to ensure that nothing does go wrong, but it’s inevitable that somewhere in thousands of lines of code, there are mistakes. It’s not like an espresso machine with a well-understood mechanism that behaves predictably. Writing complex software is like juggling a dozen balls while trying to pick a lock with your teeth — balls will be dropped.
No matter how happy you are with your website or application, it has bugs, and some of those bugs cause security issues. The older your site gets, the more likely it is that the bugs in its code have been discovered by hackers, who will exploit them. Programmers know this, and it’s why they don’t trust software that is not actively developed — no one is fixing the bugs!
If you don’t update your WordPress site — or any other content management system — the bugs won’t be fixed.
Even if you’re happy with the way your site works; even if you’re comfortable with its quirks; even if you don’t want any new features, you must update. If you don’t, your site will be hacked at some point, and then you may lose everything.