WordPress auto updates: What have you got to lose?
A new feature that will allow automatic updating of plugins and themes will be available in WordPress version 5.5. This is scheduled to be released on August 11, 2020 and it’s a significant addition. In this core release of the world’s most popular content management system, site owners will have the option to turn auto-updates on for individual plugins and themes directly from the WordPress admin dashboard.
It may sound like a good idea, but it is not always one. Troublesome plugins, the risk to your e-commerce site and more all loom large. Sometimes, it’s best to leave it to the techie who can deal with it for you and manage your upgrades…
So what’s going to change?
Auto-updates for plugins and themes will be turned off by default upon release, meaning that nothing will start updating itself simply because WordPress 5.5 is rolled out. Site owners will have to visit the theme or plugin dashboard to enable auto-updates and choose which packages to update automatically. Site owners can turn on auto-updates for all of the installed plugins, for some of their plugins, or for none of them whatsoever.
Updates will be triggered by the wp-cron process twice daily. If the process finds that there are plugins or themes with available updates, whether a minor security fix or a large scale feature update, the new version of the plugin or theme will be downloaded and automatically installed on the site. Updates only occur if auto-updates are turned on for that particular plugin or theme.
Tell me more about automatic updates
These automatic updates are what operations engineers refer to as “unattended updates”, meaning that the code of plugins and themes is updated and deployed without the site owner’s participation. They may get triggered while a site owner is on the site publishing, overnight when a site owner is asleep, or during the day when the site owner is in the middle of an important meeting. The site owner will receive an email that updates have taken place, but if they miss that email, they might not know until they log in again and see a new version of the updated plugin or theme.
This marks a major shift from the attended updates currently required in WordPress. Currently, each plugin and theme update requires that the site owner or administrator initiate the updating process to download and install a new version of a plugin or theme.
In rare cases, some plugins have auto-updates built in and are already updating automatically.
So why are WordPress doing this?
One of the most prolific vectors of WordPress malware infections is the presence of vulnerabilities in out-of-date plugins, themes, and less frequently, WordPress core. By adding automated updating features to WordPress plugins and themes in the WordPress 5.5 core release, the core team looks to improve the security of WordPress installations across the board and make maintenance easier for site owners. Rather than having to log in to your WordPress site regularly to perform required plugin and theme updates, your site will run “unattended” updates when updates to installed plugins and themes are made available within the WordPress repository.
Last year, WordPress core added fatal error protections to the built-in WordPress site health functionality. When a fatal error occurs, fatal error protection determines which plugin caused the fatal error, and emails the site administrator so that they can troubleshoot the site with the problematic plugin deactivated in order to try and fix the issue. The addition of this feature likely gave the WordPress core team confidence that the risks of auto-updates would be easily managed by fatal error protection.
This eliminated the majority of ‘white screen of death’ issues.
We think this is a good change, providing automated updates for a subset of WordPress sites. Blogs and informational or promotional sites which can often go unattended for months or years are at higher risk of being hacked via outdated plugins or themes. For these sites, the risk of being hacked outweighs the risk of an automatic update gone awry. However, for other kinds of sites, automated updates may create problems.
So what are the likely problems with auto updates?
Unattended auto-updating of any code base is not without possible problems, and WordPress themes and plugins are not unique in this respect. Even attended updates can present difficulties. When the health and safety of your site is at stake, making an informed decision is critical. As such, we investigated a few scenarios where auto-updates could cause problems such as site outages, data corruption and malicious content, amongst other undesirable effects.
Not all of these scenarios may affect you and your WordPress site. Below are a few caveats to keep in mind when determining what risk level you face by enabling auto-updates:
- Concurrent auto-updates can fail
- Issues may be introduced that limit functionality within a site
- Difficulty determining what changed when troubleshooting
- Vulnerabilities can be introduced with untested new features
- Major version releases can have compatibility problems
- Quality Assurance can vary between plugins
- Lack of ‘canary releasing’ to test for issues
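The “difficulty determining what changed” point above is the one a site owner can do something about in advance. The following must-use plugin is an added example, not code from the original article or from WordPress core: it hooks the core `automatic_updates_complete` action that the automatic updater fires after a wp-cron run and records which plugins and themes changed, to which version, and whether the update succeeded. The option name `example_auto_update_log` and the 50-entry cap are this example’s own choices.

```php
<?php
/**
 * Plugin Name: Auto-update audit trail (added example, not a WordPress core or vendor file)
 * Description: Records what the automatic updater changed, so a later outage can be
 *              matched to the update that preceded it.
 *
 * Install as wp-content/mu-plugins/auto-update-audit.php so it is always active.
 * Assumes the core 'automatic_updates_complete' action (WordPress 3.7+); the option
 * name 'example_auto_update_log' is this example's assumption.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

add_action( 'automatic_updates_complete', 'example_record_auto_updates', 10, 1 );

/**
 * @param array $update_results Keyed by 'core', 'plugin', 'theme', 'translation';
 *                              each entry holds objects with ->item, ->result, ->name.
 */
function example_record_auto_updates( $update_results ) {
    $entries = array();

    foreach ( array( 'plugin', 'theme' ) as $type ) {
        if ( empty( $update_results[ $type ] ) ) {
            continue;
        }
        foreach ( $update_results[ $type ] as $update ) {
            $item = $update->item;
            // Plugins are identified by their main file, themes by their directory slug.
            $id = ( 'plugin' === $type ) ? $item->plugin : $item->theme;

            if ( is_wp_error( $update->result ) ) {
                $status = 'failed: ' . $update->result->get_error_message();
            } elseif ( empty( $update->result ) ) {
                $status = 'failed';
            } else {
                $status = 'updated';
            }

            $entries[] = array(
                'time'    => current_time( 'mysql', true ), // UTC timestamp
                'type'    => $type,
                'id'      => $id,
                'name'    => $update->name,
                'version' => isset( $item->new_version ) ? $item->new_version : '?',
                'status'  => $status,
            );
        }
    }

    if ( empty( $entries ) ) {
        return;
    }

    // One line per change in the PHP error log, which most hosts expose.
    foreach ( $entries as $e ) {
        error_log( sprintf(
            '[auto-update] %s %s %s -> %s (%s)',
            $e['time'], $e['type'], $e['id'], $e['version'], $e['status']
        ) );
    }

    // Keep the last 50 changes in the database so they survive log rotation.
    $log = get_option( 'example_auto_update_log', array() );
    $log = array_slice( array_merge( $log, $entries ), -50 );
    update_option( 'example_auto_update_log', $log, false );
}
```

When a site breaks a day after an unattended run, the stored list answers “what changed and when” without relying on the notification email having been read, and the `failed` entries show which packages were left half-updated for the site health screen to flag.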
With all of these pitfalls, there are obvious questions about whether or not having auto-updates enabled is a good solution. The biggest question you might have is: why do security experts recommend keeping plugins updated if rapid updating could introduce so many issues?
At the moment, nearly every update you perform on your site is done as an attended update. This means that you initiate the update, you know when your site has updated, and you can read the developer’s changelog to determine whether it is a critical security update, a bug fix update, or a major release update on which you might want to wait. You can also test your site after every plugin update, and you are more likely to be able to determine the source of any problems introduced by a problematic plugin update.
By using unattended auto-updates, you lose that control and human intelligence when an update occurs.
The three approaches
We believe that you should make an informed choice about WordPress plugin auto-updates, knowing the benefits and pitfalls. There are three ways you can approach auto-updates:
- Turn auto-update on for all plugins
- Turn auto-update on for some plugins
- Turn auto-update off for all plugins
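Each of the three approaches can also be fixed in code rather than clicked per plugin in the dashboard, which keeps the decision versioned with the site and stops a well-meaning editor from switching it on. The must-use plugin below is an added example, not code from the original article or from WordPress core. It uses the core `auto_update_plugin` and `auto_update_theme` filters, whose return value overrides the per-package dashboard toggles, and the core `wp_get_environment_type()` helper introduced in 5.5. The policy constant, the allowlist contents and the plugin and theme identifiers in it are this example’s assumptions.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example, not WordPress core code)
 * Description: Enforces "all", "some" or "none" for plugin and theme auto-updates.
 *
 * Install as wp-content/mu-plugins/auto-update-policy.php. The 'auto_update_plugin' and
 * 'auto_update_theme' filters and wp_get_environment_type() are WordPress core; the
 * policy constant and allowlist entries below are this example's assumptions.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// One of 'all', 'some' or 'none' (the three approaches).
const EXAMPLE_AUTO_UPDATE_POLICY = 'some';

// Plugins trusted to update unattended: low-risk, well-maintained, not business-critical.
// Identified by plugin file relative to wp-content/plugins (assumed entries).
const EXAMPLE_AUTO_UPDATE_PLUGINS = array(
    'akismet/akismet.php',
);

// Themes allowed to auto-update, identified by directory slug (assumed entries).
const EXAMPLE_AUTO_UPDATE_THEMES = array(
    'twentytwenty',
);

/**
 * Decide whether one package may update unattended.
 *
 * @param bool|null $default    WordPress's own decision (dashboard toggle).
 * @param string    $identifier Plugin file or theme slug from the update offer.
 * @param string[]  $allowlist  Packages trusted under the 'some' policy.
 * @return bool|null
 */
function example_auto_update_decision( $default, $identifier, $allowlist ) {
    // Never auto-update a staging or development copy: test there by hand first.
    if ( function_exists( 'wp_get_environment_type' ) && 'production' !== wp_get_environment_type() ) {
        return false;
    }

    switch ( EXAMPLE_AUTO_UPDATE_POLICY ) {
        case 'all':
            return true;
        case 'some':
            return in_array( $identifier, $allowlist, true );
        case 'none':
            return false;
        default:
            // Unrecognised policy: leave WordPress's own decision untouched.
            return $default;
    }
}

add_filter( 'auto_update_plugin', function ( $update, $item ) {
    return example_auto_update_decision( $update, $item->plugin, EXAMPLE_AUTO_UPDATE_PLUGINS );
}, 10, 2 );

add_filter( 'auto_update_theme', function ( $update, $item ) {
    return example_auto_update_decision( $update, $item->theme, EXAMPLE_AUTO_UPDATE_THEMES );
}, 10, 2 );
```

The allowlist is where the judgement from the previous section lives: plugins whose breakage would take an e-commerce checkout down stay off the list and keep attended updates, while the ones that go unattended for months are the candidates to add.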
WordPress is popular because WordPress is so flexible. You can have a site that is an enterprise level application with millions of users, a learning management system with hundreds of users or a niche membership site. WordPress enables publishers and businesses in an infinite number of ways. Your update strategy will depend on your particular circumstances and needs.
We can offer help and advice on which approach you should take and already have a set range of recommendations in place. Talk to us today to see which approach suits you best.