If WordPress had a list of the most requested features, the ability to automatically update plugins and themes would surely be near the top.
Some good news: according to a recent development update, the ability to do this is now being beta-tested in the form of a new plugin for WordPress 5.5, due in August.
WordPress itself, the Content Management System Core, has had auto-updating since version 3.7 in 2013, which meant that security updates could be applied automatically.
Given the number of attacks exploiting WordPress vulnerabilities in the years leading up to that change, it was a big moment.
Unfortunately, the same wasn’t true of that other area of WordPress exposure, namely plugins and themes.
Whereas many years ago such add-ons were viewed as optional for most sites, these days many have become essential additions that add important capabilities to WordPress sites.
Vulnerabilities in these now generate a steady stream of stories:
- Plugins affected by cross-site scripting (XSS) flaws
- A plugin with 100,000 users afflicted by a vulnerability that could allow attackers to wipe content
- Plugins with admin account password bypass flaws
We didn’t cherry-pick these – all of them were from 2020.
Admins can either hack the updating themselves, or get their hands grubby and do it manually. The latter option has the obvious weakness that admins fall behind in updating, or simply ignore the problem entirely.
But how would admins know to update at all? Only if they receive security notices and pay attention to them, a haphazard process at best.
Once auto-updating appears in WordPress Core, admins will be able to opt in via the WP-admin screen. The design will still allow admins to opt out on a plugin-by-plugin or theme-by-theme basis.
This is important because updates can sometimes cause problems. For many sites, the risk of not updating will be outweighed by the risk of an update causing such problems when it is applied automatically.
If admins opt in, they will also get summaries notifying them of changes, an important feature given that updates now appear regularly. The WordPress team wrote:
Now, your help is needed to test, validate, and improve the current feature to ensure that it meets the needs of the WordPress community.