The companion to the seven things to check before a WordPress major upgrade is the question that comes right after: when do you actually apply it?
A new WordPress major drops today. Do you ship it to production tonight? Tomorrow? In a week? Hold for the next scheduled monthly maintenance? This call tends to live in tribal knowledge, but a few clear axes combined together give you a calibration framework you can apply every time without re-deciding from scratch. Here are five axes worth using.
Premise — majors are not security patches
The first thing to anchor: a major upgrade is not a security patch.
WordPress ships security fixes via minor releases (6.4.1 → 6.4.2, 6.5.0 → 6.5.1 — the second-digit bumps). Those are same-day apply by default. Major releases (6.4 → 6.5, eventually some 6.x → 7.0) carry new features and API changes; they aren’t released to be applied immediately for security reasons.
Without this distinction, the felt urgency of “we have to apply this for security” pushes you to rush majors that should wait. Minors immediately, majors by judgment — that separation is the first rule worth writing down.
Axis 1 — wait for x.0.1
For essentially every major release, x.0.1 (the first patch release) lands within 1–3 weeks and absorbs the critical bugs that surfaced after launch.
Past examples have included things like “the admin goes white under specific settings,” “a particular theme breaks the block editor,” “DB migration stalls in specific environments.” Nobody hit these on launch day; they emerged as the world started using it for days or weeks.
Just waiting for x.0.1 instead of x.0 sidesteps most of those launch-window bugs. For the first few weeks after a major lands, the world’s WordPress installations are effectively running the beta test. Being downstream of the people who hit the mines is the rational position for a maintenance practice.
Axis 2 — wait until major plugin vendors update “Tested up to”
The thing that breaks most after a major upgrade is, almost always, plugin compatibility. Theme compatibility follows, but plugins dominate the impact column.
What to watch is whether major plugin vendors have declared support. Concretely:
- ACF (Advanced Custom Fields)
- WooCommerce (mandatory if you’re touching commerce)
- Yoast SEO / Rank Math (SEO)
- Elementor / Beaver Builder (page builders)
- WPML / Polylang (multilingual)
- Wordfence / iThemes Security (security)
Until these heavyweight plugins bump Tested up to in their readme.txt or publish a “we support it” announcement on their blog, production-side adoption stays paused. If the major plugins haven’t caught up, the WordPress release hasn’t ‘aged’ yet is the call we make.
Axis 3 — soak in staging for a week
The staging step from W1 has an extra job for majors: catch the bugs that surface over elapsed time, not just the ones visible right after upgrade. Specifically:
- wp-cron continues to run (daily / weekly jobs fire on schedule)
- Email delivery hasn’t quietly broken (comment notifications, contact forms)
- Caches haven’t corrupted into stale content
- Image / OGP generation doesn’t fail under time-delayed conditions
These don’t show up in “upgrade and click around the admin for ten minutes.” They need at least a week of natural operation. Soak the staging site for a week; if the error logs aren’t accumulating anything strange, you’ve earned the right to consider production.
Axis 4 — site risk profile
“When to apply” also shifts with the site’s risk profile. A rough three-tier breakdown:
| Profile | Examples | Recommended wait |
|---|---|---|
| High risk | Commerce, booking, membership, LMS | After x.0.2 + all major plugins confirmed + 2 weeks of staging |
| Medium risk | Mid-size corporate, blog/media, contact forms | After x.0.1 + major plugins confirmed + 1 week of staging |
| Low risk | Static corporate, internal portal, experimentation | After x.0.1 + a few days of staging |
Commerce and booking directly translate “dropped orders = lost revenue,” so the longer wait pays for itself. A static corporate site might tolerate a minor layout glitch with no immediate business impact, so a more forward posture is fine.
Avoiding “all sites upgrade on the same day” and applying in waves by risk profile is one of the better distribution strategies for a maintenance practice.
Axis 5 — alignment with the client contract / SLA
Last axis is contractual. If you have monthly recurring maintenance contracts, aligning major upgrades to the next monthly window makes contractual sense — it’s the cleanest billing and scope story.
Check each release for “is there an emergency-update need that exceeds monthly-maintenance scope?” If no, fold it into the next month. If yes (rare cases where a critical security fix rides on the major), carve it out as a separate engagement with its own scope and price.
Writing this boundary into the contract upfront reduces the friction between “apply this now” and “let’s wait” expectations across clients, and the operational rhythm stays steady.
Framing — the cost of waiting vs. the cost of charging in
Stacking five axes can read as “we never do anything,” but waiting has real costs:
- The window without new features is longer
- When you do upgrade, the delta accumulates with simultaneous minor updates
- You drift closer to old-version support cutoffs
Charging in has its own:
- Outages → client trust erosion
- Recovery cost (including after-hours engineering)
- In some cases, direct business continuity impact
Calibrating between those, against each site’s risk profile, is the heart of “when to apply.” There’s no closed-form rule, but the five axes together give you a decision skeleton that doesn’t drift.
When a major upgrade does turn into an incident, you may need to invoke a post-rollback halt path on the core — and remembering that a rushed upgrade can create extended recovery work makes the few-week wait for x.0.1 look, in long-term maintenance ROI terms, very nearly always in the black. Read together with five failure patterns — which turns past incidents into types — and the calibration sharpens further.