How to Install/Update WordPress Plugins

A practical, step-by-step guide to installing and updating GPL WordPress plugins safely. Includes backups, staging, hash verification, rollback plans, and troubleshooting.
GPLUno Guides

How to Install and Safely Update GPL WordPress Plugins

This guide shows you the safest way to install and update GPL plugins. We cover backups, staging, hash verification, update methods, and fast rollback if something goes wrong.

Last updated September 7, 2025 · Not legal advice

TL;DR Back up first, verify the zip, test on staging, then update in production during a quiet window. Keep the previous version handy so you can roll back in one minute.

1) Before you start: safe habits

Back up Database + wp-content. Verify your restore steps once so you are not guessing later.
Quiet window Update when traffic is low. Turn on a short maintenance page if the site is busy.
One change at a time Update one key plugin, test, then move on. It makes troubleshooting simple.
Keep the previous zip Store the last working version in a folder called rollback/.

Quick backups

With WP-CLI

# From your WP root
wp db export backups/db-$(date +%F).sql
tar -czf backups/wp-content-$(date +%F).tar.gz wp-content

cPanel or hosting: run an application backup and download it. If your host offers “staging,” use it.

2) Download and verify the plugin zip

Only use a trusted source. For GPL distributions, check the version, the changelog, and the checksum. Verifying the hash takes 10 seconds and saves hours later.

Verify on macOS or Linux

shasum -a 256 plugin-file.zip
# Compare the output with the SHA256 shown on the download page

Verify on Windows (PowerShell)

Get-FileHash .\plugin-file.zip -Algorithm SHA256
# Compare the Hash value to the expected checksum
If hashes do not match do not install. Re-download and compare again. If it still fails, contact the distributor.
Good signWhy it matters
Checksum (SHA256) is providedLets you prove integrity
Clear version and dateAvoids outdated code
Changelog providedSpot breaking changes
License file presentGPL compliance and trust

3) Choose your install or update method

A) WordPress dashboard (easy) Recommended

  1. Go to Plugins → Add New → Upload Plugin.
  2. Choose the verified zip and click Install Now.
  3. If this is an update, WordPress may detect the existing plugin and offer a Replace current with uploaded option. Confirm.
  4. Click Activate or leave it inactive until you finish testing.
Tip If you see “Destination folder already exists,” delete the old plugin folder via SFTP first, or use WP-CLI with --force.

B) WP-CLI (fast and scriptable)

Ideal for developers and for repeatable updates on staging and production.

# Install from a local zip
wp plugin install /path/to/plugin-file.zip --force

# Or from a URL you trust
wp plugin install "https://example.com/path/plugin-file.zip" --force

# Activate when ready
wp plugin activate plugin-slug

# List plugin versions and status
wp plugin list | grep plugin-slug
Use --force with care It replaces files. Keep your backup and previous zip for rollback.

C) SFTP manual replace

  1. Extract the zip locally. Ensure structure is plugin-slug/plugin-slug.php.
  2. Connect via SFTP to wp-content/plugins/.
  3. Rename current folder to plugin-slug-old as a quick backup.
  4. Upload the new plugin-slug folder.
  5. Check the site, then delete plugin-slug-old once you are sure.
Do not overwrite partially Remove the old folder or rename it, then upload clean. Mixed files cause hard-to-diagnose bugs.

D) Using a distributor updater plugin (if available)

If your distributor provides an updater helper, install it once and link your order or account. You will see update notices like any other plugin. This does not require a vendor’s license key.

4) Staging first, production second

Test updates where customers cannot see them. Most hosts offer a staging toggle. If not, run a local copy.

What to test

  • Homepage loads without errors
  • Primary forms submit (contact, checkout, sign in)
  • Admin flows work (save post, clear cache, regenerate CSS)
  • Plugin’s main feature works end to end

Helpful tools

  • WP_DEBUG_LOG on staging
  • Browser console for JS errors
  • Server error log for PHP fatals
  • Health Check plugin’s Troubleshooting Mode
Green light When staging is clean, repeat the exact method on production. Keep the previous zip open on your desktop in case you need to revert.

5) Rollback plan

If something breaks, do not panic. Rollback is simple if you prepared a safe point.

Fast file rollback

  1. Deactivate the plugin.
  2. Delete the plugin folder from wp-content/plugins.
  3. Install the previous version zip you saved.
  4. Activate and test.

Database restore (if migrations ran)

Some updates run database changes. If you see data errors:

# Restore DB with WP-CLI
wp db import backups/db-YYYY-MM-DD.sql

Then restore wp-content if you changed files:

tar -xzf backups/wp-content-YYYY-MM-DD.tar.gz
Major versions For big plugins like WooCommerce or Elementor, read the changelog. If the update includes schema changes, do a full site backup and test checkout or editor flows on staging before production.

6) Update schedules that work

Site typeCadenceNotes
Small brochure siteMonthlyApply security updates sooner
Blog or content siteEvery 2 weeksCheck theme and editor compatibility
Store or membershipWeeklySecurity first. Stage and test checkout
Mission criticalWeekly with stagingMaintenance window and rollback ready

7) Troubleshooting common issues

White screen or fatal error

  • Enable debug on staging: add define('WP_DEBUG', true); define('WP_DEBUG_LOG', true); in wp-config.php.
  • Check wp-content/debug.log for the exact file and line.
  • Deactivate the plugin via WP-CLI: wp plugin deactivate plugin-slug.
  • Rollback to the previous version, then contact the distributor with the error trace.

“Destination folder already exists”

  • Use WP-CLI with --force or delete the old folder over SFTP first.
  • Make sure the zip is not nested like plugin-slug-v1.2/plugin-slug/....

Settings disappeared

  • Most plugins store settings in the database and should remain after updates.
  • If a reset happened, restore yesterday’s DB backup and review the plugin’s migration notes.

JavaScript conflicts after update

  • Hard refresh and clear cache. If you use a cache plugin or CDN, purge it.
  • Open the browser console. Find the first error and identify the plugin or theme file.
  • Temporarily switch to a default theme on staging and test again.

8) Quick FAQ

Do I need the original vendor license key?
No. The GPL gives you rights to the code. Vendors often tie their private update servers to a license key. You can still install and update manually or through a distributor’s updater.
Will updating remove my custom edits?
If you edited files directly inside the plugin, updates will overwrite them. Move custom code to a small helper plugin or to functions.php to keep it safe.
How do I know an update is safe?
Read the changelog, test on staging, verify the hash, and keep a backup. If your site is revenue-critical, wait a few days for bugfix point releases.
What about theme and core order?
Update WordPress core first, then themes, then plugins. For WooCommerce, check its compatibility notes before updating add-ons.

9) How GPLUno helps

  • We show version, date, and changelog where available.
  • We provide SHA256 checksums so you can verify downloads.
  • We preserve GPL license files and original notices.
  • We plan to offer an optional updater helper so you can get update notices in your dashboard without a vendor license key.
Need help with a specific plugin update? Share the version you are on, the version you want, and the error from debug.log. We will point you to a safe path.
© GPLUno. “WordPress” and related trademarks are owned by the WordPress Foundation and are used for descriptive purposes only.
  • Published
    7 September 2025
  • Page views
    152
Back
Top