Why You Should Not Auto Update Your WordPress Plugins and Theme

As you probably already know, it is vital to keep your plugins and theme up to date regularly.

Take a peek at this constantly updated list of vulnerabilities:

Database of Vulnerabilities

In fact, Patchstack reported that in 2022 they saw 328% more security bugs reported in WordPress plugins than in the year before. Sometimes these vulnerabilities affect millions of users.

For example, the recent Elementor and WooCommerce vulnerability affected sites that use both of those plugins.

Many WordPress website owners will want to set up auto updates so that WordPress updates all plugins and the theme on its own. Automatic background updates arrived in core with WordPress 3.7 (initially for core minor releases); the per-plugin and per-theme auto-update toggles came later, in WordPress 5.5.

However, there is a major downside to auto updates, and it is the reason I almost never enable them.

Updates can sometimes cause major problems: small bugs and even fatal errors that take the site down. You are trusting a third-party developer's newly released code to go live on your site immediately, and there is real risk in that.

Example 1

In 2022, the Yoast 19.5 update famously caused fatal errors. The Yoast plugin has 5 million active installations.

Example 2

In 2023, a recent Cleantalk release caused critical errors. This was not widely reported. Here is a screenshot of the reports on their support forum.

Example 3

You might be thinking that surely we can let WordPress core update automatically, especially for the minor releases. Think again!

Recently the WordPress core update to version 6.2.1, a minor release of exactly the kind core installs automatically by default, caused sites to break. It affected sites using WordPress' new FSE (Full Site Editing) feature: shortcodes placed in block templates (rather than in posts or pages) stopped rendering. It impacted a lot of people who had automatic updates set up. They had to urgently revert to the previous version, restore a backup, or find another workaround. Remember that visitors to these sites during this period would have seen partially broken pages. See the forum thread and the ticket.

Example 4

A more recent example: the WordPress 6.6 update caused fatal errors. There were actually two separate issues. One affected users of WP Super Cache. The other produced the message “PHP Fatal error: Uncaught Error: Object of class WP_Comment could not be converted to string”: the code that extracts the commenter's name expected a comment ID but received the WP_Comment object instead, triggering a PHP fatal error.

This update also caused links on Divi sites to display with underlines.

Both issues were fixed in WordPress 6.6.1.

Major Updates and Bugs

To further this argument: when plugins, themes and WordPress itself have major updates, bugs often surface after release even though the code usually goes through alpha and beta stages. Sometimes these are serious, to the point where entire sections, pages or the whole website have major issues. So it is highly recommended to wait a while before installing a major release. This further confirms that automatic updates can be highly risky.

The Solution

The best approach is to update plugins and theme manually and regularly; once per month is a good frequency. After updating, check the website to make sure the frontend is running as you expect. Use a duplicated staging site to test the update before applying it to the live site. You must have backups in case you need to restore the previous version. And wait some time before updating software that has just had a major release.

It is good practice to keep up with WordPress security news so that, if a vulnerability is announced for a plugin or theme you are using, you can update it right away. It only requires a quick check, for example of the Patchstack database mentioned at the start of this post. You can also follow the security updates from Wordfence, iThemes and Sucuri.
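The two points above (no blanket auto updates, but update immediately when a vulnerability is announced) can be enforced in one place. The following is an added example, not code from the original post: a must-use plugin that turns plugin and theme auto updates off by default, keeps core on minor releases only, and auto-applies a plugin update only when the installed version is below a fix version you record in a local advisory table from the feeds mentioned above. The filters used (auto_update_plugin, auto_update_theme, allow_minor_auto_core_updates, allow_major_auto_core_updates) and the get_plugin_data() call are real WordPress hooks and functions; the cau_ function names, the plugin slugs and the version numbers in the advisory table are constructed placeholders.

```php
<?php
/**
 * Plugin Name: Controlled Auto-Updates (added example, not from the original post)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 * Policy: no automatic plugin or theme updates, except for a plugin whose
 * installed version is known vulnerable according to a locally maintained
 * advisory table; core still receives minor releases automatically.
 */

// Core: allow minor (maintenance/security) releases, never unattended major jumps.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Themes: always manual.
add_filter( 'auto_update_theme', '__return_false' );

/**
 * Advisory table: plugin slug => first fixed version.
 * Maintain this by hand from Patchstack / Wordfence / iThemes / Sucuri feeds.
 * The slugs and versions below are constructed placeholders, not real advisories.
 */
function cau_advisories() {
    return array(
        'example-forms'   => '2.4.1', // constructed entry
        'example-gallery' => '1.9.0', // constructed entry
    );
}

/**
 * Read the installed version from the plugin's main file header.
 *
 * @param string $plugin_file Relative path, e.g. "example-forms/example-forms.php".
 * @return string Version string, or '' if it cannot be determined.
 */
function cau_installed_version( $plugin_file ) {
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $path = WP_PLUGIN_DIR . '/' . $plugin_file;
    if ( ! is_readable( $path ) ) {
        return '';
    }
    $data = get_plugin_data( $path, false, false );
    return isset( $data['Version'] ) ? (string) $data['Version'] : '';
}

/**
 * Decide whether a pending plugin update may be applied automatically.
 *
 * @param bool|null $update WordPress's own decision so far (ignored: policy wins).
 * @param object    $item   Update item from the API; carries ->slug, ->plugin, ->new_version.
 * @return bool
 */
function cau_auto_update_plugin( $update, $item ) {
    $advisories = cau_advisories();
    if ( ! isset( $item->slug, $item->plugin, $item->new_version )
        || ! isset( $advisories[ $item->slug ] ) ) {
        return false; // default: manual updates only
    }

    $installed = cau_installed_version( $item->plugin );
    if ( '' === $installed ) {
        return false; // unknown state: do not touch it unattended
    }

    $fixed = $advisories[ $item->slug ];

    // Auto-update only when the site runs a vulnerable version AND the pending
    // package is at least the first fixed release. Anything else stays manual,
    // so ordinary feature releases still go through the staging/backup routine.
    return version_compare( $installed, $fixed, '<' )
        && version_compare( $item->new_version, $fixed, '>=' );
}
add_filter( 'auto_update_plugin', 'cau_auto_update_plugin', 10, 2 );
```

Because the filter returns a definite true or false, it overrides whatever was toggled in the Plugins screen, which is the intent: the advisory table, not the per-plugin switch, is the single source of truth for what may go live unattended. Removing a row from the table once the site is patched returns that plugin to manual updates.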
