For WordPress sites, there is a lot of talk about the newly released version 5.5 and the auto-update feature it contains. Here is an overview of that feature, and the reasons behind the position WebCoast is taking on auto-updating.
WordPress 5.5, released on August 11, 2020, adds the ability to update plugins and themes automatically. With this core release, site owners can turn auto-updates on for individual plugins and themes directly from the WordPress admin dashboard.
What Happens During an Automatic Update?
Auto-updates for plugins and themes are turned off by default: upgrading to WordPress 5.5 does not switch them on. A site owner has to visit the Plugins or Themes screen in the dashboard and enable auto-updates for each package that should be updated whenever a new version becomes available. The choice is per package, so an owner can enable auto-updates for all installed plugins, for a handful of them, or for none at all.
These automatic updates are what operations engineers call “unattended updates”: the code of a plugin or theme is downloaded, replaced and deployed without the site owner taking part. An update may run while the owner is on the site publishing, overnight while they are asleep, during the day while they are in an important meeting, or while they are on holiday. The owner receives an email saying that updates have taken place, but if that email is missed they may not find out until they next log in and notice a new version number on the plugin or theme.
This marks a major shift from the attended updates WordPress required before 5.5, where every plugin and theme update had to be initiated by the site owner or an administrator, who downloaded and installed the new version themselves.
A few plugins already ship their own auto-update mechanism and have been updating themselves for some time. Wordfence is one of them: it has offered an optional auto-update feature for several years to help keep its customers secure.
Why is WordPress Core Adding Automatic Updates?
One of the most common vectors for WordPress malware infections is a known vulnerability in an out-of-date plugin or theme, and less often in WordPress core itself. By adding automatic updates for plugins and themes in the 5.5 core release, the core team aims to improve the security of WordPress installations across the board and to make maintenance easier for site owners. Rather than logging in regularly to apply pending plugin and theme updates, the site runs “unattended” updates as soon as new versions are published in the WordPress repository.
Is This a Good Thing?
Overall, our view is that automatic updates are a good thing for a subset of WordPress sites. If you built and run your site yourself, it is likely that you do not apply theme or plugin updates regularly (or at all), which leaves the site at a higher risk of being hacked through an outdated plugin or theme. For those sites, the risk of a compromise outweighs the risk of an automatic update going wrong. For other kinds of sites, automatic updates can create problems of their own. When your site is built by WebCoast we apply theme, plugin and core updates routinely, and anything identified as a high or critical security release is applied within hours.
Problems and Pitfalls of Automated Updating
Unattended auto-updating is not without possible problems, and WordPress themes and plugins are not unique in this respect. Even attended updates can present difficulties. Below are a few points to consider about auto-updates.
- Concurrent auto-updates can fail. If several plugins publish updates within a few hours and wp-cron triggers them all in the same window, the updates can fail on a server whose resources are already over-utilised. A failed auto-update can leave the site showing fatal errors; in rare cases plugins end up deactivated, or the site is taken offline or left stuck in maintenance mode. (A site stuck in maintenance mode is usually caused by the temporary `.maintenance` file the updater writes to the WordPress root; if the updater never removes it, deleting that file brings the site back, but the half-applied update still has to be sorted out.)
- Issues may be introduced that limit site functionality without the site owner’s knowledge. Suppose you have gone on holiday. One of your plugins has just been auto-updated, and that update breaks the layout of your site so that visitors cannot navigate it. It is January, you usually see a seasonal slowdown with many people away, so the drop in enquiries does not look unusual. Meanwhile the site is effectively not working, and your holiday is interrupted when an employee calls you days later.
- Difficulty determining “what changed.” Whenever a problem occurs in IT operations, the first question to ask when trying to troubleshoot the problem is “What changed?” If you have two or more unattended updates that have occurred, multiple things have changed and it can become much harder to isolate the root cause of the problem.
- Vulnerabilities can be introduced with new features. With some plugins it's a good idea NOT to apply the update straight away. At WebCoast we know which plugin providers are going to be reliable, and may choose to enable auto-updates on only those few.
- Major version releases could have compatibility problems. Occasionally a vendor will put out a major release that makes significant changes to the code, or the database, or both. These higher risk releases could introduce problems, as we have seen with plugins that have a large installation base like Yoast. In April 2020, popular SEO plugin Yoast SEO released version 14.0, a major version release that refactored how information was stored in the WordPress database. For major plugin releases, it may make sense to take a “wait and see” approach to ensure the release is stable before deploying. Auto-updates remove your ability to take this approach.
- QA resources vary among plugins. Some plugins have large teams of developers and software quality assurance (SQA or QA) engineers behind them. Others are maintained by small teams or by a single developer who may be a hobbyist. Enabling auto-updates for a plugin with a larger team is generally lower risk, because a release is more likely to have gone through meaningful test coverage before it reaches your site. Plugins maintained by an individual developer without QA resources should be treated as higher risk, since testing may be limited or absent altogether.
At the moment, nearly every update WebCoast performs on your site is an attended update. We initiate the update, so we know exactly when your site changed; we read the developer’s changelog to decide whether it is a critical security fix, a routine bug fix, or a major release we might want to hold back on; we test your site after every plugin update; and because only one thing changed at a time, we are far more likely to pinpoint the source of any problem a bad plugin update introduces.
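The per-plugin choice described above is also exposed to code: WordPress 5.5 passes every candidate unattended update through the `auto_update_plugin` and `auto_update_theme` filters, so an allow-list of trusted plugins can be enforced centrally in a must-use plugin instead of relying on each administrator's dashboard toggles. The following is an added example written for this article; it is not WebCoast's own tooling and not code from WordPress core. The `example_` function names are chosen here, and the plugin basenames in the allow-list are placeholders to replace with the plugins you have decided to trust.

```php
<?php
/**
 * Plugin Name: Auto-update allow-list (example)
 * Description: Only plugins and themes on an explicit allow-list may update unattended.
 *
 * Example code written for this article. Place the file in wp-content/mu-plugins/
 * so it loads on every request before ordinary plugins and cannot be deactivated
 * from the dashboard. The list contents below are placeholders.
 */

/** Plugin basenames ("plugin-dir/main-file.php") allowed to update unattended. */
const EXAMPLE_AUTO_UPDATE_PLUGINS = array(
	'wordfence/wordfence.php', // placeholder: a plugin the site maintainer trusts
);

/** Theme stylesheet slugs allowed to update unattended. Empty means none. */
const EXAMPLE_AUTO_UPDATE_THEMES = array();

/**
 * Gate unattended plugin updates.
 *
 * WordPress calls this for each plugin with an update available. $update is
 * WordPress's own decision (true when the dashboard toggle is on, null when the
 * Plugins screen only asks how to render the toggle); $item is the update offer,
 * and $item->plugin is the plugin basename. Returning a definite bool overrides
 * whatever the dashboard setting says.
 */
function example_gate_plugin_auto_update( $update, $item ) {
	if ( ! is_object( $item ) || empty( $item->plugin ) ) {
		return false; // Unrecognised offer: never apply it unattended.
	}
	return in_array( $item->plugin, EXAMPLE_AUTO_UPDATE_PLUGINS, true );
}
add_filter( 'auto_update_plugin', 'example_gate_plugin_auto_update', 10, 2 );

/** Same gate for themes; $item->theme is the theme's stylesheet slug. */
function example_gate_theme_auto_update( $update, $item ) {
	if ( ! is_object( $item ) || empty( $item->theme ) ) {
		return false;
	}
	return in_array( $item->theme, EXAMPLE_AUTO_UPDATE_THEMES, true );
}
add_filter( 'auto_update_theme', 'example_gate_theme_auto_update', 10, 2 );

/**
 * Record each decision made during a cron run so "what changed?" has an answer.
 * Runs after the gates (priority 20) and only from wp-cron, so rendering the
 * Plugins screen does not flood the log. Output goes to the PHP error log
 * (wp-content/debug.log when WP_DEBUG_LOG is enabled).
 */
function example_log_auto_update_decision( $update, $item ) {
	if ( ! wp_doing_cron() ) {
		return $update;
	}
	$name = isset( $item->plugin ) ? $item->plugin : ( isset( $item->theme ) ? $item->theme : 'unknown' );
	$ver  = isset( $item->new_version ) ? $item->new_version : '?';
	error_log( sprintf( 'auto-update %s -> %s: %s', $name, $ver, $update ? 'allowed' : 'blocked' ) );
	return $update;
}
add_filter( 'auto_update_plugin', 'example_log_auto_update_decision', 20, 2 );
add_filter( 'auto_update_theme', 'example_log_auto_update_decision', 20, 2 );
```

Because the gate returns a definite true or false for every item, the 5.5 Plugins and Themes screens report the forced state ("Auto-updates enabled" or "Auto-updates disabled") instead of offering a toggle, so an administrator cannot quietly re-enable an unattended update that the allow-list denies. The log line written on each cron decision is what you reach for when a site breaks and the first question is "what changed?".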
By using unattended auto-updates, we lose that control and human intelligence when an update occurs.
WebCoast's stance on WordPress Auto-Updates
WebCoast will NOT use the new auto-updates in WordPress 5.5, and we ask that you DO NOT enable auto-updates on your site. We use a separate system that allows SCHEDULED updates, and we use it only for trusted plugins. That lets us schedule updates to run during our business hours, staggered across sites, so that if a release does cause problems it does not hit all of our clients' sites at the same time.
WebCoast is already actively maintaining each WordPress site: we update WordPress core, plugins and themes as soon as is practicable.