WordPress released a major update yesterday with some big changes. One of the features is the ability to apply all the plugins and themes updates automatically.
Earlier plugins updates could be automatically applied with the help of additional plugins. One popular plugin is Jetpack that can apply available updates automatically. Now WordPress 5.5 core supports auto-updates out of the box.
In this article, we will discuss the auto-update feature of WordPress. For many websites, this feature can be a lifesaver, but there may involve some risks for some.
How Auto-update works?
WordPress runs any scheduled task using WordPress cron jobs. WP cron jobs are different from Linux cron jobs. These cron jobs check for plugin updates two times a day and update the plugin in case it finds any update.
We should also know that WP cron jobs only run if the site has at least one visit in a day. That means if your site has no traffic, cron jobs will not run, and WordPress will check no plugin update. So to continue checking for the updates, you should at least have one daily visitor.
Pros & cons of WordPress plugin auto-updates
WordPress plugin auto-update has been released. Let us see the advantages and disadvantages of this feature.
Pros of WordPress plugins auto-update
I often say that the biggest threats to any WordPress site come from the installed plugins. Admins should conduct WordPress site audits regularly to avoid any security loopholes.
The important aspect of site auditing is to keep every piece of code up-to-date. Hackers also regularly audit WordPress plugins & themes to find any vulnerability. As hackers discover any vulnerability, they instruct their bots (scripts) to target WordPress sites that have those plugins installed.
WordPress and other security agencies analyze these attacks targetting a particular plugin; they audit the plugin and report the vulnerability to the plugin developers.
Plugin developers fix the vulnerability and provide an update as soon as possible. In most cases, an update is provided within one or two days. After the update is released, It is now up to site admins to install the update as soon as possible.
Many times admins do not log in to their site dashboard for many days. So they miss installing any available update. On the other hand, after plugin developers release the update, they also release a patch note that mentions what was fixed. So more and more hackers start to target that vulnerability on sites that have yet to install the update.
So every website that is using the vulnerable version of a plugin is in danger of getting hacked. Recently, a series of vulnerabilities were discovered in many popular plugins that could allow an attacker to gain complete access to the website admin dashboard.
One of the plugins involved was Divi Builder, a popular page builder plugin for WordPress. It contained Authenticated Arbitrary File Upload, allowing attackers to have contributor level or above capabilities to WordPress sites.
This flaw gave authenticated attackers, with contributor-level or above capabilities, the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server.wpvulndb
WordPress implementing auto-update feature for WordPress themes & plugins means WordPress websites are more secure than before. Admins may go on a holiday, and their site’s plugin will be regularly checked for updated versions. It’ll keep sites secure from an active attack that’s targetting the vulnerable version of a plugin.
Cons of WordPress plugins auto-update
It is important that WordPress has implemented this feature, and it will mostly protect WordPress sites but, there are a few disadvantages that you must know about before toggling the auto-update on for plugins & themes.
As I said above that the way auto-update works in WordPress is it runs WP cron jobs twice a day. Cron jobs only run if the website has a visit. In case you have a blog that you only keep as a hobby and only get visitors when you post something new, then the WP cron job won’t run any update at all.
That’s how WordPress cron jobs work. If you do not get website visits once in a while, you may still need to install updates manually. Though it is a rare case, and in most cases, sites will have at least one visit in a day.
Secondly, plugin auto-updates may break websites in a minority of cases. Admins should install plugins updates for custom themes after performing a proper analysis and make sure the update is fully compatible with your site’s customized features.
This is important for developers and agencies that develop or maintain sites with highly customized WordPress themes. If you maintain a few sites for clients who use custom themes, you might want to check the plugins updates before installing. If the site breaks, you may lose business from that client.
Overall the plugin and themes auto-update will work for a majority of sites. In few cases where sites have custom themes installed or using poorly coded plugins, the auto-update may break sites. Personally, I turn this feature on for most of my plugins because I know my developer has well-coded the theme & plugins and is ready to fix any issue as soon as it’s discovered.