If WordPress had a list of the most requested features, the ability to automatically update plugins and themes would surely be near the top.
Some good news: according to a recent development update, the ability to do this is now being beta-tested in the form of a new plugin for WordPress 5.5, due in August.
WordPress itself, the Content Management System Core, has had auto-updating since version 3.7 in 2013, which meant that security updates could be applied automatically.
Given the number of attacks exploiting WordPress vulnerabilities in the years leading up to that change, it was a big moment.
Unfortunately, the same wasn’t true of that other area of WordPress exposure, namely plugins and themes.
Whereas many years ago such add-ons were viewed as optional for most sites, these days many have become essential additions that add important capabilities to WordPress sites.
Vulnerabilities in these now generate a steady stream of stories:
- Plugins affected by Cross site scripting (XSS) flaws
- A plugin with 100,000 users afflicted by a vulnerability that could allow attackers to wipe content.
- Plugins with admin account password bypass flaws
We didn’t cherrypick these – all of these were from 2020.
Admins can either hack the updating themselves, or get their hands grubby and do it manually. The latter option has the obvious weakness that admins fall behind in updating, or simply ignore the problem entirely.
But how would admins know to update at all? Only if they receive security notices and pay attention to them, a haphazard process at best.
Once auto-updating appears in WordPress Core, admins will be able to opt in via the WP-admin screen. The design will still allow admins to opt out on a plugin-by-plugin or theme-by-theme basis.
This is important because updates can sometimes cause problems. For many sites, the risk of not updating will be outweighed by the risk of this happening automatically.
If admins opt in, they will also get summaries notifying them of changes, an important feature given that updates now appear regularly. The WordPress team wrote:
Now, your help is needed to test, validate, and improve the current feature to ensure that it meets the needs of the WordPress community.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
Bill Justesen
I’ve been using a third-party service to perform updates, and it has worked well for a few years for several sites. But if WordPress will do it automatically, then I’m all for not having to log in every day to this service and manually click ‘update all’. It’s really not a painful process, but one which I have to remember to do daily. If I’m on vacation, then the updates get delayed by a couple of days. In the past this hasn’t bitten me, but I’ve got a feeling it will in the future.
Since an update might break a site, you may want to have JetPack installed (a plugin directly developed by WordPress.com). Have it check your site for downtime monitoring to at least e-mail you if your site goes down. If it disappears about the time your site updated, at least you know to start disabling plugins to see which one broke.
temposuender
“… the ability to do this is now being beta-tested in the form of a new plugin for WordPress 5.5, due in August”
This is even worse than weak …. A simple feature, and we are waiting till the end of days.
In a real WordPress admins life …
I’m here totally with Bill above
1) do a daily backup (or more often)
2) have a script or tool or a human procedure that checks daily for updates and applies them regardless. .
3) check your site and if it breaks .. You better have done step 1 and restore your backup.
4) If you have multiple sites and find that procedure it too much. .. Automate it.
Were not any more in 1999 ….
Mark Stockley
I can understand the reticence of the WordPress team here. The implementation may be simple but the potential consequences are enormous. WordPress runs on about 30% of all websites. Unlike the core code, the WordPress team isn’t responsible for the quality of the coding and testing in plugins and can’t predict the effect of updates on all the countless different combinations of themes and plugins out there. Taking this step will inevitably lead to a lot of sites breaking at the same time at the hands of shoddy plugins, for which WordPress will be unfairly blamed.
If you know this is what you want, you have been able to use 3rd party services or plugins for years, and you’re probably good at keeping an eye out for breakages. This is for the people who don’t know what they want, who leave their sites to go fallow. Their sites will break and they won’t notice.
Steve
Is there an option for checking/notification only, for those who like to stay up-to-date but don’t want automated updates?
Mark Stockley
WordPress will already indicate if your themes and plugins need updating.
temposuender
There are 3rd party tools who do that management for you like https://infinitewp.com/ or https://managewp.com/
Marko
Auto-update feature is two bladed sword. Just look at Microsoft Windows 10.
Software is not yet ready for this. Because it is written by humans.