WordPress Auto-Updates: What do you have to lose?
A new feature that will allow automatic updating of plugins and themes will be available in WordPress version 5.5, which is scheduled to be released on August 11, 2020. In this core release of the world’s most popular content management system, site owners will have the option to turn auto-updates on for individual plugins and themes directly from the WordPress admin dashboard.
In this post, we take a look at what happens in an automatic update, why WordPress core is adding this feature, the benefits and pitfalls of automatic updating, the three different approaches a site owner can take, and our overall recommendations from the Wordfence team to ensure the security and reliability of your WordPress websites.
What Happens During an Automatic Update?
Auto-updates for plugins and themes will be turned off by default upon release, meaning that auto-updates will not be automatically enabled when WordPress 5.5 is rolled out. Site owners will have to visit the theme or plugin dashboard to enable auto-updates and choose which packages to automatically update when a new version of the plugin or theme is available. Site owners can choose to turn on auto-updates for all of the installed plugins, choose to auto-update some of their plugins, or choose not to turn on auto-updates for any plugins whatsoever.
Auto-updates in WordPress 5.5 will only have an off or on toggle. Site owners won’t have the option to select different types of updates, such as only applying security updates, or only updating to minor releases.
Updates will be triggered by the wp-cron process twice daily. If the process finds that there are plugins or themes with available updates, whether a minor security fix or a large scale feature update, the new version of the plugin or theme will be downloaded and automatically installed on the site. Updates only occur if auto-updates are turned on for that particular plugin or theme.
These automatic updates are what operations engineers refer to as “unattended updates,” meaning that the code of plugins and themes is updated and deployed without the site owner’s participation. They may be triggered while a site owner is on the site publishing, overnight while the site owner is asleep, or during the day while the site owner is in the middle of an important meeting. The site owner will receive an email that updates have taken place, but if they miss that email, they might not know until they log in again and see a new version of the updated plugin or theme.
This marks a major shift from the attended updates currently required in WordPress. Currently, each plugin and theme update requires that the site owner or administrator initiate the updating process to download and install a new version of a plugin or theme.
In rare cases, some plugins have auto-updates built in and are already updating automatically. Wordfence is one of these plugins. Wordfence has offered an optional auto-update feature for several years to help keep our customers secure.
Why is WordPress Core Adding Automatic Updates?
One of the most prolific vectors of WordPress malware infections is the presence of vulnerabilities in out-of-date plugins, themes, and less frequently, WordPress core. By adding automated updating features to WordPress plugins and themes in the WordPress 5.5 core release, the core team looks to improve the security of WordPress installations across the board and make maintenance easier for site owners. Rather than having to log in to your WordPress site regularly to perform required plugin and theme updates, your site will run “unattended” updates when updates to installed plugins and themes are made available within the WordPress repository.
Last year, WordPress core added fatal error protection to the built-in WordPress site health functionality. When a fatal error occurs, fatal error protection determines which plugin caused it and emails the site administrator so that they can troubleshoot the site with the problematic plugin deactivated and try to fix the issue. The addition of this feature likely gave the WordPress core team confidence that the risks of auto-updates could be managed by fatal error protection.
Is This a Good Thing?
Overall, our philosophy is that providing automated updates is a good thing for a subset of WordPress sites. Blogs and informational or promotional sites which can often go unattended for months or years are at higher risk of being hacked via outdated plugins or themes. For these sites, the risk of being hacked outweighs the risk of an automatic update gone awry. However, for other kinds of sites, automated updates may create problems.
Problems and Pitfalls of Automated Updating
Unattended auto-updating of any code base is not without possible problems, and WordPress themes and plugins are not unique in this respect. Even attended updates can present difficulties. When the health and safety of your site is at stake, making an informed decision is critical. As such, we developed a few scenarios where auto-updates could cause problems such as site outages, data corruption, or malicious content, amongst other undesirable effects.
Not all of these scenarios may affect you and your WordPress site. Below are a few caveats to keep in mind when determining what risk level your organization faces by enabling auto-updates.
- Concurrent auto-updates can fail. If a number of plugins have updates within a few hours, and wp-cron triggers them all to auto-update concurrently, this could lead to auto-updates failing on a server where resources are over utilized. If a triggered auto-update fails for any reason, the site may experience fatal error messages. In rare cases, plugins might become deactivated, or a site could be taken offline or stuck in maintenance mode.
- Issues may be introduced that limit site functionality without the site owner’s knowledge. For example, let’s say you have a WooCommerce store, and your WooCommerce supportive plugins auto-update while you’re on vacation. One of those supportive plugins has just been auto-updated, and that auto-update makes product checkout on your site impossible. It’s August. You usually have a seasonal slowdown when many people are on vacation, so the drop in sales is not unexpected. Meanwhile, your ecommerce site is essentially not functioning properly and your vacation is interrupted when a customer writes to you days later.
- Difficulty determining “what changed.” Whenever a problem occurs in IT operations, the first question to ask when trying to troubleshoot the problem is “What changed?” If you have two or more unattended updates that have occurred, multiple things have changed and it can become much harder to isolate the root cause of the problem.
- Vulnerabilities can be introduced with new features. With a recent update to the wpDiscuz plugin, new features introduced new vulnerabilities affecting over 80,000 WordPress sites. If your organization does a code review on any new plugin code being deployed to your production WordPress site, auto-updating removes your opportunity to do this code review and potentially catch vulnerabilities before they are deployed.
- Major version releases could have compatibility problems. Occasionally a vendor will put out a major release that makes significant changes to the code, or the database, or both. These higher risk releases could introduce problems, as we have seen with plugins that have a large installation base like Yoast and Jetpack. In April 2020, popular SEO plugin Yoast SEO released version 14.0, a major version release that refactored how information was stored in the WordPress database. We talked about the upcoming major update with Yoast CEO Marieke van de Rakt and COO Michiel Heijmans at WordCamp US last fall. This major update caused some sites to have issues that required immediate patching. For major plugin releases, it may make sense to take a “wait and see” approach to ensure the release is stable before deploying. Auto-updates remove your ability to take this approach.
- QA resources vary among plugins. Some plugins have large teams of developers and software quality assurance (SQA or QA) engineers behind them. Other plugins have smaller teams or are powered by a single developer who may be a hobbyist. Enabling auto-updates for plugins with larger teams is lower risk, because the plugin’s own QA team has provided comprehensive test coverage and significantly reduced the risk of anything going wrong with the release. Plugins with individual developers that lack QA resources should be considered higher risk due to the lack of test coverage or lack of testing altogether.
- Lack of canary releasing to test for issues. Canary updates roll out code to a small percentage of sites to check for problems. Chrome/Chromium uses this model to protect the larger install base from catastrophic issues. If no issues are detected, the update then rolls out to the rest of the sites. WordPress has not built this system into auto-updates in version 5.5, and thus the auto-updates for a plugin roll out at the same time to the entire user population. This does not provide an early warning system that would reveal a catastrophic problem with a plugin. If you run a mission critical website, you can emulate the canary release process by waiting a few days before updating, for non-security-related releases. This may be a reason to disable auto-updates, depending on your specific needs.
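Because an unattended update can run while nobody is watching, and the notification email is easy to miss, a local record of what was changed and when makes the “What changed?” question answerable after the fact. The must-use plugin below is an added example written for this post; it is not Wordfence’s or WordPress core’s code. It hooks two real core actions, `pre_auto_update` (fired before each item is replaced) and `automatic_updates_complete` (fired once with the results of the whole batch), and assumes PHP 7 or later. The log path `wp-content/update-audit.log` and the function names are illustrative choices, not values from the post.

```php
<?php
/**
 * Plugin Name: Unattended update audit log (added example, not Wordfence or WordPress code)
 *
 * Drop into wp-content/mu-plugins/. Must-use plugins load on every request,
 * including the wp-cron run that performs unattended updates, so every
 * automatic plugin or theme update gets one line in the log.
 */

// Hypothetical log location; in practice keep it outside the web root and
// make sure only the PHP process can write to it.
define( 'UPDATE_AUDIT_LOG', WP_CONTENT_DIR . '/update-audit.log' );

$GLOBALS['update_audit_old'] = array();   // "type:id" => version installed before the update

/** Remember the installed version right before WordPress replaces it. */
function update_audit_remember_old_version( $type, $item, $context ) {
    if ( 'plugin' === $type && ! empty( $item->plugin ) ) {
        if ( ! function_exists( 'get_plugin_data' ) ) {
            require_once ABSPATH . 'wp-admin/includes/plugin.php';
        }
        $data = get_plugin_data( WP_PLUGIN_DIR . '/' . $item->plugin, false, false );
        $GLOBALS['update_audit_old'][ 'plugin:' . $item->plugin ] = $data['Version'];
    } elseif ( 'theme' === $type && ! empty( $item->theme ) ) {
        $GLOBALS['update_audit_old'][ 'theme:' . $item->theme ] = wp_get_theme( $item->theme )->get( 'Version' );
    }
}
add_action( 'pre_auto_update', 'update_audit_remember_old_version', 10, 3 );

/**
 * Turn one result object into a single log line.
 *
 * Each result carries ->item (the update offered by the API: ->plugin or
 * ->theme, ->new_version), ->result (true, false, null or WP_Error) and
 * ->messages (the upgrader's own output, useful when a step failed).
 */
function update_audit_format_line( $type, $result, $old_version, $when ) {
    $item = $result->item;
    $id   = 'plugin' === $type ? $item->plugin : $item->theme;
    if ( is_wp_error( $result->result ) ) {
        $outcome = 'FAILED ' . $result->result->get_error_message();
    } else {
        $outcome = $result->result ? 'ok' : 'FAILED';
    }
    return sprintf(
        '%s %s %s %s -> %s %s',
        gmdate( 'c', $when ), $type, $id, $old_version ?: '?', $item->new_version, $outcome
    );
}

/** Runs once after the whole unattended batch has finished. */
function update_audit_write( $update_results ) {
    $old = $GLOBALS['update_audit_old'];
    foreach ( array( 'plugin', 'theme' ) as $type ) {
        foreach ( $update_results[ $type ] ?? array() as $result ) {
            $id   = 'plugin' === $type ? $result->item->plugin : $result->item->theme;
            $line = update_audit_format_line( $type, $result, $old[ "$type:$id" ] ?? '', time() );
            error_log( $line . PHP_EOL, 3, UPDATE_AUDIT_LOG );   // type 3 = append to file
        }
    }
}
add_action( 'automatic_updates_complete', 'update_audit_write' );
```

When troubleshooting, the log gives the ordered list of unattended changes with old and new versions, so the plugins that changed since the site last worked can be isolated (or rolled back) without relying on the notification email. Failed entries are worth reading together with the `messages` property on the result object, which carries the upgrader’s own output for that item.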
Auto-Updates Sound Like They Have Problems. Do They Really?
With all of these pitfalls, there are obvious questions about whether or not having auto-updates enabled is a good solution. The biggest question you might have is: why do Wordfence and other security experts recommend keeping plugins updated if rapid updating could introduce so many issues?
At the moment, nearly every update you perform on your site is done as an attended update. This means that you initiate the update, you know when your site has updated, and you can read the developer’s changelog to determine whether it is a critical security update, a bug fix update, or a major release update on which you might want to wait. You can also test your site after every plugin update, and you are more likely to be able to determine the source of any problems introduced by a problematic plugin update.
By using unattended auto-updates, you lose that control and human intelligence when an update occurs.
We introduced auto-updates for the Wordfence plugin several years ago. We did this because, as a security plugin, it is critically important that our free and paid customers have the latest threat intelligence and security capability on their site. Before we deployed auto-updates in our own plugin, we spent a lot of time and energy ensuring our QA team and QA process was incredibly robust, with test coverage that is wide and deep.
We test our plugin on a large number of hosting platforms and with a large number of configurations before releasing any code. This does a good job of mimicking the canary release process by running the plugin on a wide range of systems before deploying to the entire user population. Once we were satisfied that auto-updating our customers’ Wordfence plugins was low risk, we deployed this feature. We haven’t had a significant problem since, while our customers have benefited from automatic updates to their mission critical security plugin.
We continue to invest heavily in our QA team, infrastructure and processes to keep the risk of auto-updates very low.
The Three Approaches
We believe that you should make an informed choice about WordPress plugin auto-updates, knowing the benefits and pitfalls.
There are three ways you can approach auto-updates:
- Turn auto-update on for all plugins.
- Turn auto-update on for some plugins.
- Turn auto-update off for all plugins.
Which Update Strategy Is Right for You?
WordPress is popular because WordPress is so flexible. You can have a site that is an enterprise level application with millions of users, a learning management system with hundreds of users or a niche membership site. WordPress enables publishers and businesses in an infinite number of ways. Your update strategy will depend on your particular circumstances and needs.
To help guide your decision making, we have developed personas that represent several kinds of WordPress sites and site owners, to help you make an informed decision about your auto-update strategy. With each persona comes a different level of risk tolerance, and with that comes a different approach to enabling auto-updates.
Hobbyist
You developed a site to write about something near and dear to you, but you hardly ever sign in, you don’t actively maintain your plugins, and you trust that the Wordfence firewall is just going to block any malicious attacks. You randomly update plugins on one day every few months when you log in.
For this Hobbyist WordPress user, we recommend that you turn auto-updates for all themes and plugins ON.
- The risk is lower as you are not relying on your WordPress site for income or services.
- You are not checking on your site as frequently, so auto-updates ensure your site remains up to date which improves security.
- The cost of an auto-update impacting your users is low. Worst case is that your content goes missing for a period of time until you discover the problem and fix it.
Small Business Brochureware
An agency helped you design your site, but you perform maintenance and updates on your site yourself. You don’t update your site much, and rarely log in. Having your site unavailable for a short time would be noticed by few and your site serves mostly as a marketing vehicle.
For the Small Business Brochureware WordPress user, we recommend that you turn auto-updates for all themes and plugins ON.
- The risk is moderate as you are not relying directly on your WordPress site for income or services, but rather for marketing.
- You are not checking on your site as frequently so auto-updates can ensure your site remains up to date, which improves security.
- User impact in the case of down-time is low. Worst case for users is that your marketing content goes missing for a period of time. Though an issue may occur with an auto-updating plugin, in the greater scheme of things, it’s more important that your plugins remain updated to improve security and stability.
Small Business Ecommerce
Your site is an integral part of your business. It takes orders and payments from customers or has other interactive elements such as a membership site, a learning management site, or other interactive commerce elements that cause your site’s database to change frequently. You sign into the admin dashboard regularly, and you perform your own attended updates.
For the Small Business Ecommerce WordPress user, we recommend that you turn auto-updates for themes and plugins ON selectively, and only in rare cases. If you are confident that a plugin vendor has a robust QA team and process, and a strong reputation for releasing solid code, then you may consider turning auto-updates on for that vendor’s plugins. Doing this will help you benefit from a quick update to releases that may include security fixes.
We recommend that you continue to perform attended updates on plugins that do not have a strong QA team and process. In these cases you may want to wait to determine if the release is problematic before updating. You will also be performing an attended update, which ensures you are present and observing your site performance, so that you can catch issues early and fix them quickly.
- The risk is higher as you are relying directly on your WordPress site for income and services. Thus you want to be careful implementing auto-updates so that it does not impact your revenue.
- You are signing into, and checking on your site more frequently, so auto-updates are not as much of a necessity, provided you still update in a timely manner.
- Keep in mind that the plugins that auto-update will be updated without you present, as an unattended update. If you trust the team behind the plugin to deploy quality code to your site on demand, then enabling auto-updates for that plugin is still appropriate.
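The selective policy recommended for this persona, together with the “wait and see” delay described in the pitfalls list, can be enforced in code rather than remembered by hand. The must-use plugin below is an added example written for this post; it is not Wordfence’s or WordPress core’s code. It uses the real `auto_update_plugin` filter, which runs after WordPress has consulted the 5.5 dashboard toggle and receives the update item the wordpress.org API offered (`->plugin` is the plugin file, `->new_version` the version on offer), and assumes PHP 7 or later. The plugin paths in the two lists, the option name `autoupdate_policy_first_seen`, the three-day hold and the function names are illustrative choices, not values from the post.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example, not Wordfence or WordPress code)
 *
 * Drop into wp-content/mu-plugins/. Must-use plugins load on every request and
 * cannot be deactivated from the dashboard, so the policy also governs the
 * twice-daily wp-cron run that performs unattended updates.
 */

// Hypothetical policy values: replace with the plugins actually installed.
const AUTOUPDATE_POLICY_TRUSTED = array(   // vendors whose QA you trust: update at once
    'wordfence/wordfence.php',
);
const AUTOUPDATE_POLICY_BLOCKED = array(   // always attended: a major release can break checkout
    'woocommerce/woocommerce.php',
);
const AUTOUPDATE_POLICY_HOLD_DAYS = 3;     // "wait and see" window for everything else

/**
 * Decide whether a pending plugin update may run unattended.
 *
 * @param bool   $update Decision WordPress reached so far (dashboard toggle etc.).
 * @param object $item   Update item from the wordpress.org API.
 * @return bool
 */
function autoupdate_policy_decide( $update, $item ) {
    if ( empty( $item->plugin ) ) {
        return $update;                    // not a plugin item we understand: leave as is
    }
    $plugin = $item->plugin;

    if ( in_array( $plugin, AUTOUPDATE_POLICY_BLOCKED, true ) ) {
        return false;                      // blocked even if the toggle is on
    }
    if ( in_array( $plugin, AUTOUPDATE_POLICY_TRUSTED, true ) ) {
        return true;                       // trusted vendor: no delay
    }
    if ( ! $update ) {
        return false;                      // owner did not opt this plugin in; respect that
    }
    return autoupdate_policy_hold_elapsed( $plugin, (string) $item->new_version );
}
add_filter( 'auto_update_plugin', 'autoupdate_policy_decide', 10, 2 );

/**
 * Emulate a canary window: record when each (plugin, version) pair was first
 * offered and only allow the unattended update once HOLD_DAYS have passed.
 * State is kept in one non-autoloaded option so it survives across cron runs.
 */
function autoupdate_policy_hold_elapsed( $plugin, $version, $now = null ) {
    $now  = $now ?? time();
    $seen = get_option( 'autoupdate_policy_first_seen', array() );
    $key  = $plugin . '|' . $version;

    if ( ! isset( $seen[ $key ] ) ) {
        $seen[ $key ] = $now;
        update_option( 'autoupdate_policy_first_seen', $seen, false );
        return false;                      // first sighting: hold this version
    }
    return ( $now - $seen[ $key ] ) >= AUTOUPDATE_POLICY_HOLD_DAYS * DAY_IN_SECONDS;
}
```

Two caveats follow from what the filter can see. The update item does not say whether a release is a security fix, so a plugin in the hold window has its security patches delayed as well; the trusted list is the way to let a vendor you rely on for security fixes (such as your security plugin) bypass the hold. And the blocked list returns `false` regardless of the dashboard toggle, which is deliberate for plugins whose major releases need an attended update and a backup first. The first-seen option keeps one entry per offered version and should be pruned occasionally.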
Agencies or businesses with many sites
You are managing sites for numerous customers and you have operations staff, QA personnel and QA processes in place to perform attended updates and test for problems before deploying new code. All the sites under your care are considered mission critical.
If this is your situation, we recommend that you continue to NOT use auto-updates as currently implemented.
- The risk is much higher, as you or your customers are relying directly on the WordPress sites in your care for income and services. Thus you want to avoid using auto-update so that it does not impact your revenue or that of your clients.
- You are actively maintaining each WordPress site and have the resources to do so. You already update WordPress core, plugins and themes as soon as is practicable.
- User impact is costly. Website users may experience issues making purchases or signing up for services.
Enterprise
You have staging servers and development servers, and you perform code reviews on new plugin code to look for potential vulnerabilities introduced in any update before deploying. Nothing ends up on production servers without being rigorously tested by a stellar QA team. Your processes are built for 24/7 availability and you have the resources and team to power them.
As an enterprise user, we recommend you do not use unattended auto-updates in the current implementation.
- The risk is at its highest as your WordPress site is mission critical.
- Your QA team rapidly evaluates and tests new plugin releases in your staging environment. Auto-updates would remove this step.
- Your operations team rapidly deploys well tested code into production using attended updates. Auto-updates would remove this process.
- The business impact of a website disruption is extreme. Customers may experience issues making purchases, signing up for services, or accessing your content and resources.
How to Begin Using Auto-Updates
Regardless of which persona you are, we recommend holding off on enabling auto-updates until a few weeks or months after WordPress 5.5 has been released. As with any major change to software, bugs or issues may be found and patched in the first few weeks. We recommend waiting so that auto-updates in WordPress 5.5 have time to undergo rigorous real-world testing before you enable them.
Even with auto-updates on, we still recommend regular backups for your site. We also recommend using a service such as Website Pulse or StatusCake to monitor your site availability.
The Future of Auto-Updates
WordPress 5.5 is a preliminary implementation of auto-updates, and is useful for a subset of sites. We do expect continued development of auto-update tools, perhaps even with the addition of beta, alpha, and canary releases to add more functionality and reliability to the auto-update process.
We hope that this discussion has provided insight into the new auto-updates feature in WordPress 5.5 and will guide you in making an informed decision. As always, you are welcome to post questions and comments below.
Thank you to Chloe Chamberland, Ram Gall, Matt Rusnak and Kathy Zant for their research and contributions to this post.
Excellent and insightful post. I run a small business ecommerce site, and a business non-ecommerce site and prefer manual updates except for WP. My sites are tightly managed and are updated after weekly backup. Your advice for blogs and relatively static sites is spot-on, as those are especially low hanging fruit for hackers because they are not typically managed. In my previous career, I worked with enterprise customers on software deployment and management on enterprise servers. You stated rightly that enterprise sites must be tested thoroughly before any update is rolled out. Good work, Wordfence!
Thank you for the detailed post. I'm more than likely going to turn auto updates to off, just less of a headache I suppose.
No need to turn autoupdates off, since that is the default setting ; )
This is great information! I love how you break down the use-cases. I will share this article with our clients.
In my experience, many times new releases of plugins contain bugs or errors; they need to be checked manually, better if that can be done in a test site. Normally I have on hand the WP Rollback plugin, just in case...
Wordpress is much more fragile than Chrome, a WP site is composed by software coming from many different sources (plugins and themes).
There are no canary releases, the development cycle is way TOO FAST, having 3 or even 4 releases per year, just a couple of weeks for beta testing. As an example, Yoast has a two-week release schedule, new features every two weeks. Where are they going?
WordPress and plugin creators should stop wasting customer money with this fast release schedule. Apple has one major release per year, the rest are security patches and fixes. And, still you can choose if you upgrade or not.
Some plugin authors can be trusted, some others, wait and see before updating. Today, I have an update waiting until I check it or I find posts in the Support Forum complaining about the update. Maybe you have to wait for a couple of days until a new minor release comes through.
As one of those involved in implementing the new auto-updates feature in WP 5.5, I have to say this is a great review of the pros & cons for different types of plugins, themes and site owners!
Enabling auto-updates is certainly not something that all site owners should do lightly and you've given readers a wealth of good information to consider based on their particular circumstances.
I agree! This was an excellent review of the WORDPRESS update concerning automatic updates. It gives us a chance to understand and make the right decision for our websites!
I have several sites that all fit into the small marketing theme, and for some of them auto-update will be best.
For my main blog, I have had significant problems in the past, although not for some time, with WP's own Jetpack. Consequently I always update it separately. Admittedly it has behaved itself over the past two years, but can WP guarantee they aren't going to mess it up in future?
Maybe the answer for me is to auto-update everything except Jetpack.
Thank you for a very helpful article.
Thank you so much for this great analysis. Now I know which of my sites I have to turn auto update on for. I also believe it's best to wait a little to see how this feature will work with WordPress. Thank you for a great article.
Thanks for this outstanding post! We update two sites every two or four days, so our option will be turning off the auto-update. We are afraid of having some compatibility or security issue if the plugin is automatically updated.
Interesting feature. Thanks for the in-depth examination. I am inclined to hold off on using auto-updates until WP gives us the ability to choose between different types. I would probably enable security and bug-fix updates, but not major feature additions.
Thanks very much. Very helpful and much appreciated.
Thank you for this post. To answer your question in two words:
The customer. That is what I could lose.
I am in one of your last categories and I am taking care of several websites. Auto updates is a nightmare. I always wait some days with major updates. During the first couple of weeks, someone always find problems. And then you get the .01 - .02 - .03 updates. So better wait.
If it is critical security updates, I do of course update immediately.
But I always take an extra backup of the site before I do any updates.
Currently, I am setting up AkeebaBackup to do automatic full backups every week and database backups every day. Stored on a server somewhere else in the world. Combined with two other backup systems, I think that should be enough :-)
Very informative. A few years ago we had the ability to auto update at the hosting server level. We had a catastrophic event happen during an auto update, due to a server time out that caused all hell to break loose. Thank God for backups.
It was at this time we decided the auto update option was not one in our favor. We get service request through our website, and contacts that can very well be delivery time critical.
As always, thanks again for a very informative post. I've been doing this since the mid 90s and Wordfence is my #1 security plugin on all my sites.
Access Control Integration, Inc.
Memphis Tennessee, USA
I have been doing auto-updates for years. What seems to be new is the ability to control auto-updates directly from the dashboard rather than using Jetpack and wordpress.com. Is that correct or am I missing something?
Yes, controlling auto-updates from wp-admin is a new feature in the open source WordPress package, version 5.5, which is releasing next week.
Thanks, excellent report. I am terrified of automatic automations, and thank God backups exist. Let's hope this new version is for the better!
Glad to hear they're going to let us choose which plugins can be auto-updated, rather than an all or nothing approach. I've got no problem with some of the core plugins getting updated automatically, but others like Yoast and Jetpack, I'd much rather let them get the bugs worked out before updating and potentially breaking stuff.
Great article, everyone should read this.
I'd recommend auto-updates always be Off for the following:
* WooCommerce -- major releases always break some shops, either slightly (theme) or badly (crash!)
* Gravity Forms -- if you have add-ons, updates can break your site if they aren't updated for compatibility
* Yoast SEO -- even minor releases can break editing the site, or drop you off Google's radar
All very popular, so others will quickly find and report problems. Best to test in a dev site, and also wait to see what reports come in on their support channels.
Strongly agree with leaving auto-updates of WooCommerce OFF, and I'd add an additional reason. WC has a large support team that seems to be doing a decent job of testing updates prior to release. What I have experienced is other plugin compatibility. Whenever a WC update is available it (thankfully) features a list of existing, installed plugins that have yet to be tested with the newest WC version. Sometimes it can take weeks or more before the other plugin devs update their products or at minimum confirm compatibility.
Really good information! It reminded me to check change history, before updating. So far I just click "update" anytime an update is released. I may save myself some unwanted trouble, if I let major updates rest for a while (and be tested by other users) before updating.
We'll definitely not be using this feature (we don't even have Wordfence set to autoupdate). We've found that the greater risk is updates breaking a site rather than being hacked (though a hack is tougher to fix).
However if Wordpress were to change it so that just security updates could be enabled that would be interesting!
As always, superb, well thought-out advice from the Wordfence team. I now know exactly what to do with our site, and why, regarding automatic updates (or not). You folks deserve to reap All the rewards your skills and communication deserves. A BIG thank you! Roger
We've been using an extension for that: Companion Auto Update. (We've shunned Jetpack long ago for privacy concerns)
As an agency we manage, to quote you, "numerous sites", and the headache of maintaining all of them up to date has been greatly reduced with this extension. The auto-updates pitfalls, while real, in our experience are few and seldom and the benefits totally outweigh the few inconveniences that we met along the way. (And we have remote daily backups of all sites in any case, hourly db backups for the e-commerce sites, and a convenient WP roll back extension, just to roll back an update quickly without need of restoring a backup)
The extension also keeps a detailed log of what has been updated and when, allows you to do minor and/or major core updates, plugins update, and theme updates. All can be turned off individually, the frequency of updates is selectable and it mails a report whenever an update has been done.
So the new functionalities in WP 5.5, while welcome, are not new to us, and honestly, from what your article says, the extension we use manages it better than the planned core functionalities seem to be going to. (especially the detailed updates logs)
We'll certainly give the new functionalities a whirl, in order to compare (always better to use a core functionality rather than an extension if it does the same job with no obvious advantage towards using the extension); time will tell which solution we'll keep.
Thanks for the plugin recommendation; definitely something to investigate and see if it will mitigate some concerns. The logging of the updates performed looks particularly interesting.
Thank you for the clear and detailed explanation! Very helpful.
Many thanks for this comprehensive and well-structured advice. I really appreciate the work you do, which is invaluable in helping me manage our small non-profit site.
The last time I had auto-updates on, I visited the site and got WSOD. It turned out to be a plugin update that produced a fatal error. So now I'm hesitant to use auto-updates.
They should put a feature auto-update for just security update (Patch vulnerability) with plugin and themes
Which means only update if this update has a security fix and is urgent!
Very nice article, thanks! Maybe useful for some websites but I will wait several weeks before considering to use this new feature.
An excellent blog post! Very informative. Thanks for sharing.
As a life-long (read: old) IT person, I cringe at some of the obvious shortcomings of new web companies that chase new features and ignore operational stability.
That NEVER happens with Wordfence. This thoughtful, informative blog is another example of their security and operations focus. ITIL, baby! I love you guys, and that's why I spend money on your full product. Thank you.
WP v5.5 broke a number of editing and other admin features on a WooCommerce/Flatsome Theme site I manage. Tabs became unresponsive, editing layouts were corrupted, etc. Although the front end seemed to be functioning normally I did not want to risk any of their sales.
To resolve the issues initially I installed Enable jQuery Migrate Helper:
That seemed to resolve all of the issues. It also allowed me to utilize the Updraft Plus restore option. Prior to that the restore button wasn't responsive.
After a full file and database restoration including to WP v5.4.2 everything is working normally again.
There are numerous complaints about problems with WP v5.5 on the "Fixing WordPress" support forum:
I'll wait until WP and/or the theme and plugin devs get everything ironed out before updating it again.
Yes, we agree. We see plugin conflicts happening every week as we do Website Care for our WordPress clients. Our experience finds about 20% of plugin upgrades fail or result in a problem of some type.
What's scarier is that some of these issues aren't apparent right away but only after testing functionality like forms, e-commerce, searching, etc. You don't want to find out 3 weeks later that your e-commerce or contact form was not working correctly. Yes, some human intelligence is required.
We've turned off automatic upgrades for our clients and we instead do upgrades by hand (some of it is automated) where there's a human doing testing to make sure key functions of the website keep working fine. Any business that relies heavily on their website should turn off automatic upgrades and have them done by hand with testing (taking backups beforehand, of course).
Good article... we AGREE!
Great post - really helpful thanks.
Just found the new release of one of my plugins (Contact Form 7 Extension For Mailchimp) does not give you control of auto-updating :-( - it auto-updates whether you want it to or not. I've mailed them.