Auto-updates on WordPress

Updates are very important for website security. Security gaps are closed, and outdated functions are replaced with new ones. But you have to remember to install them. It’s good that there is an option for automatic updates.

New versions of plugins are released relatively frequently. Depending on the number of plugins used on a website, updates may be required almost daily. The WordPress core, i.e., the WordPress CMS itself, receives minor updates approximately every 1 to 2 months, with a new version released about twice a year. Themes also receive updates, but less frequently than plugins. Updates are often security-related. So if a plugin offers an update, please do not ignore it.

Updates that close a known security vulnerability should always be installed as soon as possible.

Which plugins should be allowed to update automatically?

I roughly divide plugins into three groups:

  • Plugins that are indirectly or directly important for the SECURITY of the website. These can be one of the common security plugins, plugins that create backups, and similar plugins. What they have in common is that they have nothing to do with the display of the website. At the same time, they usually have far-reaching permissions and can quickly become a risk.
  • Plugins that are essential for the DISPLAY and FUNCTION of the website. Examples include WooCommerce for a shop, LearnDash for an e-learning platform, and, of course, all the additional plugins that you need to go with them.
  • Plugins that do not affect the appearance or functionality but are useful tools. These include “KoKo Analytics,” “Yoast SEO,” “Enable Media Replace,” maintenance plugins, or something like “Admin Columns.”

Before enabling automatic updates for a plugin, you should ask yourself the following questions:

  • How high is the risk if this plugin runs in an outdated version?
  • How big is the danger that something on the website will break because of the automatic update? For example, the display might stop working, or the shop might run into a problem.

In addition, conflicts can always arise when two plugins clash after an update. Unfortunately, this cannot be completely ruled out.

Plugins that I usually update automatically

The plugins in the first group, i.e., those that are security-related but run in the background, are usually at the top of my list for automatic updates. Especially if a security vulnerability becomes known, I want it to be closed as quickly as possible.

I also frequently use automatic updates for plugins in the third group. This applies to all useful tools that are not directly responsible for the website’s appearance to visitors. As a rule, they should not cause errors that impair the functionality of the website.

Plugins for which I initiate updates manually

I don’t usually allow automatic updates for plugins that are essential for a web shop, an e-learning platform, or a booking system, for example. I usually read through the changelog before updating. This tells me what changes the update brings. If it’s only a minor update, the list is relatively short. This helps me to identify potential sources of trouble. In other words, I know where I need to look more closely after the update.

With very complex systems, such as a WooCommerce shop or an e-learning platform, I have to take a close look and test thoroughly. Ideally, these updates should first take place in a staging environment, i.e., an exact copy of the website in the same environment as the live website. This allows you to update without serious consequences. If something does go wrong, you can take your time to search for the error.

How do I enable automatic updates?

Since WordPress version 3.7, it has been possible to select the option to automatically install updates for a plugin on the plugin overview page. For free plugins, updates usually come via WordPress.org. For premium plugins licensed through the plugin’s website or a platform, updates are usually delivered by those sites. In rare cases, you may need to download the latest version as a file and reinstall it.

If automatic updates have been enabled, they are usually performed once a day. Sometimes the plugin page will also indicate that an update is scheduled in x hours. Once the update is complete, the system will email the administrator’s address. If there were any problems during the update, you will also receive a message. It is therefore important to use a current email address as the admin address so that you receive these emails.

WordPress core updates can also be installed automatically. Here, you can choose whether only minor updates, which usually contain security patches, should be installed, or whether major WordPress updates should also be installed automatically.
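The three-group policy described above can also be pinned in code so that it does not depend on someone clicking the right toggles. The following must-use plugin is an added example, not part of the original article; the folder names in the two lists are assumptions or placeholders to replace with the folders found under wp-content/plugins/ on your own site.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example)
 * Description: Save as wp-content/mu-plugins/auto-update-policy.php.
 */

// Groups 1 and 3: security/backup plugins and background tools.
// Folder names are assumptions; check them under wp-content/plugins/.
const EXAMPLE_ALWAYS_AUTO_UPDATE = array(
	'example-security-plugin', // hypothetical placeholder
	'example-backup-plugin',   // hypothetical placeholder
	'koko-analytics',
	'enable-media-replace',
);

// Group 2: plugins the shop or course platform depends on.
// These are updated by hand after reading the changelog.
const EXAMPLE_MANUAL_ONLY = array(
	'woocommerce',
	'example-shop-addon', // hypothetical placeholder
);

function example_auto_update_policy( $update, $item ) {
	// $item->plugin looks like "woocommerce/woocommerce.php".
	$folder = isset( $item->plugin ) ? dirname( $item->plugin ) : '';
	if ( ( '' === $folder || '.' === $folder ) && isset( $item->slug ) ) {
		$folder = $item->slug; // single-file plugins have no folder
	}

	if ( in_array( $folder, EXAMPLE_MANUAL_ONLY, true ) ) {
		return false; // never update in the background
	}
	if ( in_array( $folder, EXAMPLE_ALWAYS_AUTO_UPDATE, true ) ) {
		return true; // always update in the background
	}
	return $update; // anything else keeps the setting from the Plugins screen
}
add_filter( 'auto_update_plugin', 'example_auto_update_policy', 10, 2 );

// Core: install minor (maintenance and security) releases automatically,
// leave major releases for a manual, tested update.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );
```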

Pay attention to silent warning signs

It sometimes happens that a plugin is no longer being maintained. In other words, there will be no more updates at some point. This happens very quietly, and it is very easy to overlook. One indication is when the “auto-update” option disappears, meaning that the plugin can no longer be accessed via the WordPress repository.

In most cases, the old plugin still works, but it is no longer state-of-the-art and potentially unsafe. In this case, you should swiftly look for a replacement.

An exception would be if the plugin authors deliberately remove the plugin from the WordPress repository. In this case, however, a note would appear indicating where to get updates in the future and, above all, how to proceed in order to obtain them.
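Because this warning sign is easy to miss, it can be surfaced actively. The sketch below is an added example, not part of the original article: it reads the cached result of the last update check (the `update_plugins` site transient) and shows a dashboard notice listing installed plugins for which no update record came back. The function name is hypothetical, and the result is a heuristic: custom-built plugins and premium plugins that do not register their own update source will be listed as well.

```php
<?php
/**
 * Plugin Name: Plugins without update source (added example)
 * Description: Save as wp-content/mu-plugins/plugins-without-updates.php.
 */

// Returns [ plugin file => "Name Version" ] for installed plugins that the
// last update check knew nothing about, or null if no check has run yet.
function example_plugins_without_update_source() {
	if ( ! function_exists( 'get_plugins' ) ) {
		require_once ABSPATH . 'wp-admin/includes/plugin.php';
	}

	$checked = get_site_transient( 'update_plugins' );
	if ( ! is_object( $checked ) ) {
		return null; // nothing can be concluded without a completed check
	}

	// "response" holds plugins with a pending update,
	// "no_update" holds plugins that are known and already current.
	$known = array_merge(
		array_keys( (array) ( $checked->response ?? array() ) ),
		array_keys( (array) ( $checked->no_update ?? array() ) )
	);

	$unknown = array();
	foreach ( get_plugins() as $file => $data ) {
		if ( ! in_array( $file, $known, true ) ) {
			$unknown[ $file ] = $data['Name'] . ' ' . $data['Version'];
		}
	}
	return $unknown;
}

// Show the list to users who are allowed to update plugins.
add_action( 'admin_notices', function () {
	if ( ! current_user_can( 'update_plugins' ) ) {
		return;
	}
	$unknown = example_plugins_without_update_source();
	if ( empty( $unknown ) ) {
		return;
	}
	$text = 'No update source found for: ' . implode( ', ', $unknown );
	echo '<div class="notice notice-warning"><p>' . esc_html( $text ) . '</p></div>';
} );
```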

When an update goes wrong

Every now and then, an update causes the website to crash. In the worst case, all you see is the dreaded “white screen of death.” Then you have to find out what the culprit is and, if possible, revert to an earlier version of the respective theme or plugin. If that is not possible or practical, you have to consider whether you can replace or even delete the plugin.