WordPress Auto-Updates: What do you have to lose?

A new feature that will allow automatic updating of plugins and themes will be available in WordPress version 5.5, which is scheduled to be released on August 11, 2020. In this core release of the world’s most popular content management system, site owners will have the option to turn auto-updates on for individual plugins and themes directly from the WordPress admin dashboard.

In this post, we take a look at what happens in an automatic update, why WordPress core is adding this feature, the benefits and pitfalls of automatic updating, the three different approaches a site owner can take, and our overall recommendations from the Wordfence team to ensure the security and reliability of your WordPress websites.

What Happens During an Automatic Update?

Auto-updates for plugins and themes will be turned off by default upon release, meaning that auto-updates will not be automatically enabled when WordPress 5.5 is rolled out. Site owners will have to visit the theme or plugin dashboard to enable auto-updates and choose which packages to automatically update when a new version of the plugin or theme is available. Site owners can choose to turn on auto-updates for all of the installed plugins, choose to auto-update some of their plugins, or choose not to turn on auto-updates for any plugins whatsoever.

Auto-update option is a new feature available in WordPress 5.5.

Auto-updates in WordPress 5.5 will only have an off or on toggle. Site owners won’t have the option to select different types of updates, such as only applying security updates, or only updating to minor releases.

Updates will be triggered by the wp-cron process twice daily. If the process finds that there are plugins or themes with available updates, whether a minor security fix or a large scale feature update, the new version of the plugin or theme will be downloaded and automatically installed on the site. Updates only occur if auto-updates are turned on for that particular plugin or theme.

These automatic updates are what operations engineers refer to as “unattended updates,” meaning that the code of plugins and themes are updated and deployed without the site owner’s participation. They may get triggered while a site owner is on the site publishing, they may get triggered overnight when a site owner is asleep, or during the day when the site owner is in the middle of an important meeting. The site owner will receive an email that updates have taken place, but if they miss that email, they might not know until they log in again and see a new version of the updated plugin or theme.

This marks a major shift from the attended updates currently required in WordPress. Currently, each plugin and theme update requires that the site owner or administrator initiate the updating process to download and install a new version of a plugin or theme.

In rare cases, some plugins have auto-updates built in and are already updating automatically. Wordfence is one of these plugins. Wordfence has offered an optional auto-update feature for several years to help keep our customers secure.

Why is WordPress Core Adding Automatic Updates?

One of the most prolific vectors of WordPress malware infections is the presence of vulnerabilities in out-of-date plugins, themes, and less frequently, WordPress core. By adding automated updating features to WordPress plugins and themes in the WordPress 5.5 core release, the core team looks to improve the security of WordPress installations across the board and make maintenance easier for site owners. Rather than having to log in to your WordPress site regularly to perform required plugin and theme updates, your site will run “unattended” updates when updates to installed plugins and themes are made available within the WordPress repository.

Last year, WordPress core added fatal error protections to the built-in WordPress site health functionality. When a fatal error occurs, fatal error protection determines which plugin caused the fatal error, and emails the site administrator so that they can troubleshoot the site with the problematic plugin deactivated in order to try and fix the issue. The addition of this feature likely gave the WordPress core team confidence that the risks of auto-updates would be easily managed by fatal error protection.

Is This a Good thing?

Overall, our philosophy is that providing automated updates is a good thing for a subset of WordPress sites. Blogs and informational or promotional sites which can often go unattended for months or years are at higher risk of being hacked via outdated plugins or themes. For these sites, the risk of being hacked outweighs the risk of an automatic update gone awry. However, for other kinds of sites, automated updates may create problems.

Problems and Pitfalls of Automated Updating

Unattended auto-updating of any code base is not without possible problems, and WordPress themes and plugins are not unique in this respect. Even attended updates can present difficulties. When the health and safety of your site is at stake, making an informed decision is critical. As such, we developed a few scenarios where auto-updates could cause potential problems such as site outages, data corruption, malicious content, amongst other undesirable effects.

Not all of these scenarios may affect you and your WordPress site. Below are a few caveats to keep in mind when determining what risk level your organization faces by enabling auto-updates.

1. Concurrent auto-updates can fail. If a number of plugins have updates within a few hours, and wp-cron triggers them all to auto-update concurrently, this could lead to auto-updates failing on a server where resources are over utilized. If a triggered auto-update fails for any reason, the site may experience fatal error messages. In rare cases, plugins might become deactivated, or a site could be taken offline or stuck in maintenance mode.
2. Issues may be introduced that limit site functionality without the site owner’s knowledge. For example, let’s say you have a WooCommerce store, and your WooCommerce supportive plugins auto-update while you’re on vacation. One of those supportive plugins has just been auto-updated, and that auto-update makes product checkout on your site impossible. It’s August. You usually have a seasonal slowdown when many people are on vacation, so the drop in sales is not unexpected. Meanwhile, your ecommerce site is essentially not functioning properly and your vacation is interrupted when a customer writes to you days later.
3. Difficulty determining “what changed.” Whenever a problem occurs in IT operations, the first question to ask when trying to troubleshoot the problem is “What changed?” If you have two or more unattended updates that have occurred, multiple things have changed and it can become much harder to isolate the root cause of the problem.
4. Vulnerabilities can be introduced with new features. With a recent update to the wpDiscuz plugin, new features introduced new vulnerabilities affecting over 80,000 WordPress sites. If your organization does a code review on any new plugin code being deployed to your production WordPress site, auto-updating removes your opportunity to do this code review and potentially catch vulnerabilities before they are deployed.
5. Major version releases could have compatibility problems. Occasionally a vendor will put out a major release that makes significant changes to the code, or the database, or both. These higher risk releases could introduce problems, as we have seen with plugins that have a large installation base like Yoast and Jetpack. In April 2020, popular SEO plugin Yoast SEO released version 14.0, a major version release that refactored how information was stored in the WordPress database. We talked about the upcoming major update with Yoast CEO Marieke van de Rakt and COO Michiel Heijmans at WordCamp US last fall. This major update caused some sites to have issues that required immediate patching. For major plugin releases, it may make sense to take a “wait and see” approach to ensure the release is stable before deploying. Auto-updates remove your ability to take this approach.
6. QA resources vary among plugins. Some plugins have large teams of developers and software quality assurance (SQA or QA) engineers behind them. Other plugins have smaller teams or are powered by a single developer who may be a hobbyist. Enabling auto-updates for plugins with larger teams is lower risk, because the plugin’s own QA team has provided comprehensive test coverage and significantly reduced the risk of anything going wrong with the release. Plugins with individual developers that lack QA resources should be considered higher risk due to the lack of test coverage or lack of testing altogether.
7. Lack of canary releasing to test for issues. Canary updates roll out code to a small percentage of sites to check for problems. Chrome/Chromium uses this model to protect the larger install base from catastrophic issues. If no issues are detected, the update then rolls out to the rest of sites. WordPress has not built this system into auto-updates in version 5.5, and thus the auto-updates for a plugin roll out at the same time to the entire user population. This does not provide an early warning system that will reveal a catastrophic problem with a plugin. If you run a mission critical website, you can emulate the canary release process by waiting a few days before updating, for non security related releases. This may be a reason to disable auto-updates, depending on your specific needs.

Auto-updates Sounds Like It Has Problems. Does It Really?

With all of these pitfalls, there are obvious questions about whether or not having auto-updates enabled is a good solution. The biggest question you might have is: why Wordfence and other security experts recommend keeping plugins updated if rapid updating could introduce so many issues?

At the moment, nearly every update you perform on your site is done as an attended update. This means that you initiate the update, you know when your site has updated, you can read the developer’s changelog to determine whether or not it is a critical security update, a bug fix update, or a major release update on which you might want to wait. You can also test your site after every plugin update, and you are more likely to to determine the source of any problems introduced by a problematic plugin update.

By using unattended auto-updates, you lose that control and human intelligence when an update occurs.

We introduced auto-updates for the Wordfence plugin several years ago. We did this because, as a security plugin, it is critically important that our free and paid customers have the latest threat intelligence and security capability on their site. Before we deployed auto-updates in our own plugin, we spent a lot of time and energy ensuring our QA team and QA process was incredibly robust, with test coverage that is wide and deep.

We test our plugin on a large number of hosting platforms and with a large number of configurations before releasing any code. This does a good job of mimicking the canary release process by running the plugin on a wide range of systems before deploying to the entire user population. Once we were satisfied that auto-updating our customer’s Wordfence plugins was low risk, we deployed this feature. We haven’t had a signficant problem since, while our customers have benefited from automatic updates to their mission critical security plugin.

We continue to invest heavily in our QA team, infrastructure and processes to keep the risk of auto-updates very low.

The Three Approaches

We believe that you should make an informed choice about WordPress plugin auto-updates, knowing the benefits and pitfalls.

There are three ways you can approach auto-updates:

1. Turn auto-update on for all plugins.
2. Turn auto-update on for some plugins.
3. Turn auto-update off for all plugins.

Which Update Strategy Is Right for You?

WordPress is popular because WordPress is so flexible. You can have a site that is an enterprise level application with millions of users, a learning management system with hundreds of users or a niche membership site. WordPress enables publishers and businesses in an infinite number of ways. Your update strategy will depend on your particular circumstances and needs.

To help guide your decision making, we have developed personas that represent several kinds of WordPress sites and site owners, to help you make an informed decision about your auto-update strategy. With each persona comes a different level of risk tolerance, and with that comes with a different approach to enabling auto-updates.

Hobbyist/Blogger

You developed a site to write about something near and dear to you, but you hardly ever sign in, you don’t actively maintain your plugins, and you trust that the Wordfence firewall is just going to block any malicious attacks. You randomly update plugins on one day every few months when you log in.

For this Hobbyist WordPress user, we recommend that you turn auto-updates for all themes and plugins ON.

Why?

• The risk is lower as you are not relying on your WordPress site for income or services.
• You are not checking on your site as frequently, so auto-updates ensure your site remains up to date which improves security.
• The cost of an auto-update impacting your users is low. Worst case is that your content goes missing for a period of time until you discover the problem and fix it.

Small Business Brochureware

An agency helped you design your site, but you perform maintenance and updates on your site yourself. You don’t update your site much, and rarely log in. Having your site unavailable for a short time would be noticed by few and your site serves mostly as a marketing vehicle.

For the Small Business Brochureware WordPress user, we recommend that you turn auto-updates for all themes and plugins ON.

Why?

• The risk is moderate as you are not relying directly on your WordPress site for income or services, but rather for marketing.
• You are not checking on your site as frequently so auto-updates can ensure your site remains up to date, which improves security.
• User impact in the case of down-time is low. Worst case for users is that your marketing content goes missing for a period of time. Though an issue may occur with an auto-updating plugin, in the greater scheme of things, it’s more important that your plugins remain updated to improve security and stability.

Small Business Ecommerce

Your site is an integral part of your business. It takes orders and payments from customers or has other interactive elements such as a membership site, a learning management site, or other interactive commerce elements that cause your site’s database to change frequently. You sign into the admin dashboard regularly, and you perform your own attended updates.

For the Small Business Ecommerce WordPress user, we recommend that you turn auto-updates for themes and plugins ON selectively, and only in rare cases. If you are confident that a plugin vendor has a robust QA team and process, and a strong reputation for releasing solid code, then you may consider turning auto-updates on for that vendor’s plugins. Doing this will help you benefit from a quick update to releases that may include security fixes.

We recommend that you continue to perform attended updates on plugins that do not have a strong QA team and process. In these cases you may want to wait to determine if the release is problematic before updating. You will also be performing an attended update, which ensures you are present and observing your site performance, so that you can catch issues early and fix them quickly.

Why?

• The risk is higher as you are relying directly on your WordPress site for income and services. Thus you want to be careful implementing auto-updates so that it does not impact your revenue.
• You are signing into, and checking on your site more frequently, so auto-updates are not as much of a necessity, provided you still update in a timely manner.
• Keep in mind that the plugins that auto-update will be updated without you present, as an unattended update. If you trust the team behind the plugin to deploy quality code to your site on demand, then enabling auto-updates for that plugin is still appropriate.

Agencies or businesses with many sites

You are managing sites for numerous customers and you have operations staff, QA personnel and QA processes in place to perform attended updates and test for problems before deploying new code. All the sites under your care are considered mission critical.

If this is your situation, we recommend that you continue to NOT use auto-updates as currently implemented.

Why?

• The risk is much higher, as you or your customers are relying directly on the WordPress sites in your care for income and services. Thus you want to avoid using auto-update so that it does not impact your revenue or that of your clients.
• You are actively maintaining each WordPress site and have the resources to do so. You already update WordPress core, plugins and themes as soon as is practicable.
• User impact is costly. Website users may experience issues making purchases or signing up for services.

Enterprise

You have staging servers, development servers, and you perform code reviews on new plugins to look for potential vulnerabilities introduced in all updates before deploying. Nothing ends up on production servers without being rigorously tested by a stellar QA team. Your processes are built for 24/7 availability and you have the resources and team to power them.

As an enterprise user, we recommend you do not use unattended auto-updates in the current implementation.

Why?

• The risk is at its highest as your WordPress site is mission critical.
• Your QA team rapidly evaluates and tests new plugin releases in your staging environment. Auto-updates would remove this step.
• Your operations team rapidly deploys well tested code into production using attended updates. Auto-updates would remove this process.
• The business impact of a website disruption is extreme. Customers may experience issues making purchases, signing up for services, or accessing your content and resources.

How to Begin Using Auto-Updates

Regardless of which persona you are, we recommend holding off on enabling auto-updates until a few weeks or months after WordPress 5.5 has been released. As with any major change to software, bugs or issues may be found and patched in the next few weeks. We recommend waiting to ensure that auto-updates in WordPress 5.5 has time to undergo rigorous real-world testing before enabling auto-updates.

Even with auto-updates on, we still recommend regular backups for your site. We also recommend using a service such as Website Pulse or StatusCake to monitor your site availability.

The Future of Auto-Updates

WordPress 5.5 is a preliminary implementation of auto-updates, and is useful for a subset of sites. We do expect continued development of auto-update tools, perhaps even with the addition of beta, alpha, and canary releases to add more functionality and reliability to the auto-update process.

We hope that this discussion has provided insight into the new auto-updates feature in WordPress 5.5 and will guide you to making an informed decision. As always, you are welcome to post questions and comments below.

Thank you to Chloe Chamberland, Ram Gall, Matt Rusnak and Kathy Zant for their research and contributions to this post.