The release of WordPress version 5.5 (11th August 2020), since superseded by version 5.5.1 (1st September 2020), included a first implementation of an option to enable automatic updates for the themes and plugins on your website. Auto-updates for plugins and themes are turned off by default, so you have to enable them for each individual item if you want to use them.
Here at Scalar Enterprises, we have always been advocates of good security for your website. To keep your WordPress site secure, you should always update your plugins and themes to the latest versions.
So at first glance the addition of auto-updates sounds like a good thing, but when you think it through it may not be such a good idea. With auto-updates you give up the experience, judgement and control you have when updating manually.
WordPress themes and plugins come from a very wide range of developers: at one end of the scale are large companies with many developers and strict quality standards, at the other are hobbyists with no quality standards at all. The bottom line is that you cannot rely on the quality of every plugin; some may contain vulnerabilities, and some of those may even have been introduced deliberately.
How we do it now
Our general approach to manual updates at Scalar Enterprises is to first take a backup of the site files and database, so that if anything goes wrong the site can be restored to the state it was in at that point. We then update the plugins and themes one at a time in a controlled manner, checking after each update that the site still functions correctly. If anything stops working, you know exactly what changed and when, so you know immediately where the problem lies and can set about fixing it.
We do a lot of updates on a large number of websites each month, and we often try new versions out on less sensitive test sites first, particularly for major updates. From experience we know in advance which updates are likely to cause problems and what to look out for. This reduces the risk considerably and minimises both the time the updates take us and any downtime for the site.
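The procedure above, written out as a WP-CLI shell script. This is an added example and not Scalar Enterprises' own tooling; it assumes WP-CLI is installed, that it is run from the WordPress root of the site, and that the front page URL is supplied in SITE_URL (the example.com default, the backups directory layout, the RUN_UPDATES switch and the strings used to recognise a broken page are all illustrative assumptions). It backs up the database and wp-content, records every plugin's current version in a manifest, updates each plugin that has a pending update one at a time, fetches the front page after each one, and reinstalls the previous version of any plugin whose update breaks the site.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): controlled, one-at-a-time
# WordPress plugin updates with WP-CLI, with a backup first and an automatic
# rollback of any plugin whose update breaks the site.
# Assumptions: WP-CLI is installed, the script runs from the WordPress root,
# and SITE_URL points at the site's front page. Paths and names are illustrative.
set -eu

SITE_URL="${SITE_URL:-https://example.com}"                   # assumed default
BACKUP_DIR="${BACKUP_DIR:-./backups/$(date +%Y%m%d-%H%M%S)}"  # assumed layout

# Decide whether a fetched front page looks healthy. Takes the HTTP status
# code and the response body; returns 0 (healthy) or 1 (broken).
# A broken update typically shows up as a non-200 status, a near-empty
# "white screen", WordPress's maintenance page, or its critical-error page.
# This is a heuristic: a post that happens to contain one of the phrases
# would be flagged too, which is the safe direction to fail in.
page_is_healthy() {
  local status body
  status="$1"
  body="$2"
  [ "$status" = "200" ] || return 1
  [ "${#body}" -ge 64 ] || return 1
  if printf '%s' "$body" | grep -qiE 'fatal error|scheduled maintenance|critical error'; then
    return 1
  fi
  return 0
}

# Fetch the front page and run the health check on it.
check_site() {
  local tmp status
  tmp=$(mktemp)
  status=$(curl -sS -o "$tmp" -w '%{http_code}' "$SITE_URL" || echo 000)
  if page_is_healthy "$status" "$(cat "$tmp")"; then
    rm -f "$tmp"; return 0
  fi
  rm -f "$tmp"; return 1
}

# Back up the database and wp-content, and record every plugin's current
# version so that a later failure can be traced to a specific update.
backup_site() {
  mkdir -p "$BACKUP_DIR"
  wp db export "$BACKUP_DIR/db.sql" --quiet
  tar -czf "$BACKUP_DIR/wp-content.tgz" wp-content
  wp plugin list --fields=name,version,status --format=csv > "$BACKUP_DIR/plugins-before.csv"
}

# Update each plugin that has an update available, checking the site after
# every one and reinstalling the previous version if the check fails.
update_plugins_one_at_a_time() {
  local plugin old_version
  wp plugin list --update=available --fields=name,version --format=csv | tail -n +2 |
  while IFS=, read -r plugin old_version; do
    echo "Updating $plugin from $old_version"
    if ! wp plugin update "$plugin" --quiet < /dev/null; then
      echo "Update of $plugin reported a failure; checking the site" >&2
    fi
    if check_site; then
      echo "OK: $plugin"
      continue
    fi
    echo "Site broken after updating $plugin; rolling back to $old_version" >&2
    wp plugin install "$plugin" --version="$old_version" --force --quiet < /dev/null
    if ! check_site; then
      echo "Still broken after rollback; restore from $BACKUP_DIR and investigate" >&2
      exit 1
    fi
  done
}

main() {
  check_site || { echo "Site is unhealthy before starting; aborting" >&2; exit 1; }
  backup_site
  update_plugins_one_at_a_time
  echo "All plugin updates applied; backup kept in $BACKUP_DIR"
}

# Run only when explicitly asked (RUN_UPDATES=1 ./update-plugins.sh), so the
# functions can be sourced and exercised without touching a live site.
if [ "${RUN_UPDATES:-0}" = "1" ]; then
  main "$@"
fi
```

The health check deliberately fails closed: an update that leaves the site half-installed can return HTTP 200 with an empty body, so the length check catches the "white screen" case the maintenance and critical-error strings do not. The manifest written by backup_site is what lets you answer "which plugin changed?" later, which is exactly the information an unattended auto-update does not leave behind.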
Auto updates and issues
With auto-updates the process is very different. Firstly, WordPress does not create a backup before installing an update. It relies on you having already set up periodic automatic backups on the site (or taking manual backups), so if you do not have that in place you cannot restore the site if an update breaks it.
WordPress 5.5.x checks for and applies auto-updates twice a day (you cannot choose the time; it runs whenever its schedule falls due). The work is done by WordPress "Cron" tasks, and WP-Cron is not a true system cron: its scheduled tasks are only triggered when someone visits the site, so on a low-traffic site they can be delayed for some time until there is more activity. Some shared hosting providers also block the wp-cron.php mechanism on their servers, in which case the automatic functions cannot run at all. (The usual remedy for both problems is to define DISABLE_WP_CRON as true in wp-config.php and have a real system cron job request wp-cron.php at a fixed interval, but that is something you have to set up yourself.)
A big potential problem is that if auto-updates are enabled for all plugins and themes, WordPress will try to run every pending update in one batch during a single cron run, which could overload the server (particularly on shared hosting, where execution time and memory are limited). Updates could fail to complete, hang in an incomplete state, or even crash the server, taking the website down (e.g. the site shows a white screen or a server error).
The auto-update feature also does not cover everything. Premium plugins and themes that are not distributed through the WordPress.org repository, and any items whose developers have disabled the feature, still have to be updated manually as required.
Assuming the auto-update process ends in a known state, WordPress by default sends email notifications to the site administrator to tell them that plugins and themes were automatically updated. These emails are sent when:
- One or more plugins or themes successfully auto-updated
- One or more plugins or themes failed to auto-update
- Some plugins or themes were successfully auto-updated, and some of them failed
If an update does not complete for some reason, it could leave the site in a "fatal error" or "maintenance" state (i.e. the site is no longer visible, perhaps just a white screen with or without a short error message). It could also mean that a plugin is deactivated because of a problem, so that its functionality (e.g. a contact form, event calendar or e-commerce feature) stops working until the problem is resolved, even though the rest of the site is working.
The biggest problem with the above scenarios is that you might not know your site is down unless you check it every day (remember that updates can occur twice a day) or a customer tells you.
A further issue is that at that stage you would have no idea what caused the problem: it could have been any of the plugins or themes, updated at any moment since you last checked that the site was working. You would need to restore the site to its previous working state (assuming you have a backup) and then manually update each plugin and theme one at a time, testing as you go to find where things fail. It is quite common for a business website to have 20 to 30 plugins, so you can see this can be a big job.
Major updates to plugins, particularly ones that introduce new features, can cause compatibility problems and can even add new vulnerabilities. Major updates should generally be tested on a test site first, which an auto-update on the live site obviously does not allow.
The same applies to themes: we have seen a few major theme updates break websites because the new version had been completely rewritten and was not backward compatible with the previous one. Not all themes can be updated easily through the WordPress admin panel; some have to be installed manually by uploading them directly to the server via SFTP or FTP.
So what to do?
As mentioned above, this is only the first release of the WordPress auto-update feature, so things may improve with time, but for now we do not feel it is the right time to enable it on our sites.
To date, the only plugin we have ever allowed to update itself (via its own built-in feature) on any of the websites we have produced is the Wordfence security plugin, which protects our sites from attacks and malware and therefore needs the latest threat intelligence and security capability. Wordfence is a major player in the industry with extensive testing regimes and very high quality standards, so we are happy to let their plugin update itself.
Hopefully, this article clarifies the situation for you so that you can decide what you want to do on your website.