Automated Plugin Updates for WordPress – No More Worrying?

The automatic updates for minor versions of WordPress have proven themselves for years. But does this also work with plugins? WordPress developer Florian Simeth investigated this question, and his analysis includes helpful tips from security and maintenance expert Marc Nilius.

Anyone who has been running WordPress for a longer time knows that the automated updates of the core software work quite well and usually without problems. If it weren't for the plugins. Typically, the thought of automated plugin updates makes the hair on the back of most website administrators' necks stand up. Anyone who has ever gritted their teeth before clicking the update button knows what I am talking about.

You never really know for sure whether the updates will go through properly. Even if the update itself does not fail, errors may be lurking somewhere below the surface, where they are not obvious. Most of the colleagues I interviewed would not perform automated plugin updates, at least not for all plugins. But why is that actually the case?

When automatic plugin updates bring risks with them

658 volunteers contributed to version 5.3 of WordPress. Not every plugin project has this much manpower (and womanpower). Most of the free plugins in the WordPress plugin directory are developed by only one person (or maybe a small team). This is not to say that these plugins are bad per se. However, we know from the past that it is usually the plugins that open security holes, making your own WordPress instance a target for hackers.

It can therefore be assumed that the code quality suffers or that the code is tested too little. I do not want to go into the reasons for this at length here. But it explains why we quickly click the update button for well-known plugins like YoastSEO and would rather not for others.

"Basically, you can recognize problem cases by the fact that something has gone wrong before," Marc Nilius wrote to me in an e-mail interview. According to his own information, he currently maintains about 200 WordPress instances and knows his "Pappenheimer" (the usual suspects) only too well. Now Yoast certainly has a big team behind its free YoastSEO plugin, which is active on over five million WordPress sites. For the company's flagship, it does everything it can to make sure nothing goes wrong. That takes effort, an effort that a lone developer may not be able or willing to make. So what can be done?

Ways to minimize risks through plugins

1. Do not use old plugins

"Democratizing Publishing" is a pointed tagline for WordPress. The fact that anyone can quickly set up a WordPress site is a brilliant thing, but it automatically leads to those people wanting to expand their site at some point. And they do so with plugins. Since they usually can't program themselves, they search the endless World Wide Web for a remedy. And there are plenty of them.

Currently, there are almost 55,000 extensions in the plugin directory alone. What works is used, without paying attention to whether the plugin is still being developed or whether it is compatible with the current WordPress version. That is not always the case, and in the end it often leads to a healthy distrust of updates, because such plugins tend to stop working at some point, even if this can take a few years.

Of course, there are also positive examples. For example, there is a huge company behind WooSidebars. Nevertheless, the plugin has not received any updates for a year. It hasn't been tested with the latest WordPress versions, but still works fine in many cases. For how much longer? The first comments in the support area already point to an end. But the user doesn't notice any of this. During the installation, only a small, inconspicuous hint points out this deficiency. A dangerous thing.


Of course, when you start your blogging career, you often don't have money for custom development. For these people, there is no alternative. Nevertheless, one should keep in mind that, due to the security risks mentioned above, as few (old) plugins as possible should be used.

2. Do not modify plugins yourself

To save development time, official as well as unofficial plugins are often simply adapted by in-house developers. If the version number or the name of the plugin is not changed, WordPress offers an update, but this update must not be installed because it would overwrite the custom changes.

"Customized plugins often depend too much on theme functionalities", Marc also knows. If something changes in the theme, the plugin no longer runs correctly. So there are many problems. But doing everything yourself from scratch, i.e. only using your own developments, is not a real alternative here either.

3. Do not use bad plugins

What's a "bad" plugin? This question is not easy to answer. Especially not in layman's terms. Of course, one could ask the operators whether automated tests of new versions are carried out. But who does? Many WordPress users do not even know that such a thing is possible. In addition, such tests (if they are performed) often have nothing to do with live situations. Which is also understandable from the developer's point of view. Who tests each plugin with each theme? Or each plugin with every other plugin? That is not feasible, and developers cannot be relied on to do it either.

The same applies here: Not using "bad" plugins is also not a real alternative. Although judging the quality is already the first hurdle for many users, you should at least actively test new plugins yourself before you include them on a live site. But more about that in a moment.

Why auto updates fail

The fact is: You cannot simply do without WordPress plugins. The problems mentioned above will always exist, so another solution has to be found. The question you have to ask yourself is: "How can you, despite all the problems, still perform automatic updates for WordPress plugins?" And this question inevitably leads to the next one: "What could possibly go wrong?"

Here are some possibilities:

  1. PHP-Fatal-Error: The website does not work at all because of a serious error.
  2. The plugin does not work (anymore) with other plugins and/or the theme. This manifests itself in several ways:
    a) functions are no longer available or
    b) the layout changes in the frontend.
  3. Non-existent backward compatibility makes rollback difficult.
  4. The database is so large that a backup would take a very long time.

Solution approaches for successful plugin updates

Recognize bad plugins

Let's start with the user. How could the user recognize a "bad" plugin? Since the layman can't check whether the code quality is good, a system would have to be created that could. The question is: Would such a thing work? And the answer is quite clear: Yes!

The nice thing is that a small WordPress team is already working on such a system. It is called Tide. Tide's vision is to perform automated quality tests for all WordPress plugins and themes and to make these test results visible to both the authors and the end users of these plugins and themes.

It is not yet finished, but in the future Tide will help laymen to better understand what kind of plugins they are installing. Until then, you have to stick to the metadata that is displayed in the plugin directory for each plugin:

  1. The date of the last update. Frequent updating can indicate an active development process. In most cases, the developers then also take care of fixing bugs.
  2. Number of installations. A very high number not only indicates popularity, but can also be an indication that the authors earn money with the plugin (e.g. via a Pro version). This creates some pressure on the manufacturer, who certainly has an interest in ensuring that the free plugin also works without errors.
  3. Tested until. Again, this is just a version number that can be adjusted by the developer at any time without any third-party evidence. However, a current version number is an indication that the authors regularly update the plugin.
  4. PHP version. While it's nice that developers continue to support low version numbers of PHP, a higher version would be safer. PHP version 5.6.x has not received security updates since late 2018. Currently, 7.4 is the latest version. It will receive security updates until December 2022.
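
The four metadata signals above can be checked mechanically before a plugin is admitted to auto-updates. The following is an added example, not code from the article or from WordPress: the field names are modelled on the WordPress.org plugin information API (an assumption), and the thresholds and sample records are constructed.

```javascript
// Added example: thresholds and sample records are assumptions.
const MAX_AGE_DAYS = 365;         // assumed: no release for a year is a warning sign
const MIN_INSTALLS = 1000;        // assumed popularity floor
const PHP_WITHOUT_FIXES = [5, 6]; // per the article: 5.6.x gets no security updates

// Parse "5.3" or "7.4.1" into [major, minor]; returns null if not a version.
function parseVersion(v) {
  const m = /^(\d+)(?:\.(\d+))?/.exec(String(v || ''));
  return m ? [Number(m[1]), Number(m[2] || 0)] : null;
}

// True if version a is lower than version b.
function isOlder(a, b) {
  return a[0] < b[0] || (a[0] === b[0] && a[1] < b[1]);
}

// Returns a list of warnings for one plugin metadata record.
function assessPlugin(info, currentWp, today) {
  const warnings = [];
  const d = /^(\d{4})-(\d{2})-(\d{2})/.exec(info.last_updated || '');
  if (!d) {
    warnings.push('last update date missing');
  } else {
    const updated = Date.UTC(+d[1], +d[2] - 1, +d[3]);
    const ageDays = Math.floor((today.getTime() - updated) / 86400000);
    if (ageDays > MAX_AGE_DAYS) warnings.push(`no update for ${ageDays} days`);
  }
  if (!(info.active_installs >= MIN_INSTALLS)) warnings.push('few active installations');
  const tested = parseVersion(info.tested);
  if (!tested || isOlder(tested, parseVersion(currentWp))) {
    warnings.push(`not marked as tested with WordPress ${currentWp}`);
  }
  const php = parseVersion(info.requires_php); // the field may be false or absent
  if (!php) warnings.push('no minimum PHP version declared');
  else if (!isOlder(PHP_WITHOUT_FIXES, php)) warnings.push(`minimum PHP is ${info.requires_php}`);
  return warnings;
}

// Constructed sample records (not real plugins).
const samples = [
  { slug: 'example-maintained', last_updated: '2019-11-20 9:12am GMT',
    active_installs: 200000, tested: '5.3', requires_php: '7.2' },
  { slug: 'example-abandoned', last_updated: '2018-06-01 4:30pm GMT',
    active_installs: 300, tested: '4.9', requires_php: false },
];
const today = new Date(Date.UTC(2019, 11, 1)); // fixed date so the output is reproducible
for (const s of samples) console.log(s.slug, assessPlugin(s, '5.3', today));
```

A plugin with warnings is a candidate for exclusion from auto-updates or for manual testing first; an empty list is no proof of quality, since all four values are self-declared or indirect.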

Recognize good & safe plugins

For more help on how to evaluate the quality of WordPress plugins, just check out our article "13 Tips for Making the Right Plugin Choice" by Torsten Landsiedel.

Automated browser tests

Now it gets a bit more difficult. Especially for the WordPress user who has no programming knowledge. If you depend on important functions, you should test them regularly - preferably automated, of course.

Puppeteer is a NodeJS library that provides a high-level API for controlling the Chrome browser via the DevTools protocol. Puppeteer runs headless by default, but can be configured to open the browser so you can watch what's happening.

Functional tests

There are many use cases for such tests. Shop operators can check whether products can still be added to the shopping cart. Or whether forms can still be submitted.

Of course, not all cases can be covered. However, a small automatic test is in most cases more effective than the simple visual inspection. After all, it is not always possible to test all functions of a site after every small update. Especially if it is very extensive.

Visual regression testing

Even a "visual inspection" can be automated with today's means. This works relatively easily, for example, with BackstopJS. The configuration is done quickly via a JSON file. Running backstop test in the console is enough to start the comparison. Finally, the tool opens a browser window and displays the differences:

Visual regression test with BackstopJS: The buy button disappeared after a plugin update on my site.

Since BackstopJS also produces a detailed, machine-readable report with a difference value in percent, you could, for example, be notified by email when there has been a significant change in layout.
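
One way to turn that report into a notification decision, as an added example that is not part of the original article or of BackstopJS itself. It assumes the JSON report lists one entry per scenario with a status and a pair.diff.misMatchPercentage string; the threshold and the sample report are constructed.

```javascript
// Added example: report shape and threshold are assumptions; sample data is constructed.
const NOTIFY_ABOVE_PERCENT = 1.0; // assumed threshold for a "significant" change

// Turn a BackstopJS-style JSON report into a pass/fail decision per scenario.
function evaluateReport(report, threshold = NOTIFY_ABOVE_PERCENT) {
  const tests = report.tests || [];
  const changed = [];
  for (const t of tests) {
    const pair = t.pair || {};
    const parsed = Number.parseFloat(pair.diff ? pair.diff.misMatchPercentage : undefined);
    // A failed scenario without a numeric diff (for example, the page did not
    // render) counts as a full mismatch instead of being silently ignored.
    const percent = Number.isNaN(parsed) ? (t.status === 'pass' ? 0 : 100) : parsed;
    if (t.status !== 'pass' || percent > threshold) {
      changed.push({ label: pair.label || '(unlabelled)', url: pair.url, percent });
    }
  }
  changed.sort((a, b) => b.percent - a.percent);
  // An empty report means nothing was checked, so it must not count as a pass.
  return { ok: tests.length > 0 && changed.length === 0, total: tests.length, changed };
}

// Build the notification text; sending the mail is left to the caller.
function formatNotification(result) {
  if (result.total === 0) return 'Visual regression test produced no results.';
  if (result.ok) return 'Visual regression test passed: no significant layout changes.';
  const lines = result.changed.map(
    c => `- ${c.label}: ${c.percent.toFixed(2)} % difference (${c.url})`);
  return ['Layout changed after plugin update:', ...lines].join('\n');
}

// Constructed sample report.
const sampleReport = { testSuite: 'BackstopJS', tests: [
  { status: 'pass', pair: { label: 'Home', url: 'https://shop.example/',
    diff: { misMatchPercentage: '0.02' } } },
  { status: 'fail', pair: { label: 'Product page', url: 'https://shop.example/product/1',
    diff: { misMatchPercentage: '7.81' } } },
  { status: 'fail', pair: { label: 'Checkout', url: 'https://shop.example/checkout' } },
]};
console.log(formatNotification(evaluateReport(sampleReport)));
```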


Let's say all the updates were done and the automatic tests failed. What to do? Of course, backups can be imported automatically. But this only works in three cases: 

  1. If the host has an interface through which a rollback can be triggered automatically.
  2. Or if you have SSH access.
  3. And if the backup is small enough. Otherwise, the restore will take several hours in the worst case.

Many developers know all too well that most of this is often not possible. Either SSH access is not available in the first place or there are timeouts due to lack of resources on the server.

The advantages of auto-updates

Auto-updates also bring noteworthy advantages. Especially if you manage several WordPress sites, this saves a lot of time. Another plus: In case of security vulnerabilities, your plugin will be updated automatically as soon as a secure update is available. You can read more about the advantages of auto-updates in our new e-book.

Other solutions?

Of course, my view is only one of many. There are other, mostly more expensive solutions. For example, instead of importing a backup afterwards, a copy of the site can be made beforehand (staging concept) and all possible updates and tests can be carried out on it. If the test is positive, the updates can be installed on the live site as well. Then of course (mostly) completely automatically and without raised hackles.

Another idea would be to simply have WordPress create static sites. Then the site would be a bit more independent of the actual core. Plugins for this purpose have existed for eight years: WPStatic, for example. But again, this doesn't work for everyone. Especially not for highly dynamic sites like online shops.

Final thoughts

However you do it, you do it wrong, right? No! Ultimately, it depends on your own website, your own wishes and, of course, your wallet. If you do not run a critical site and it is sometimes okay for the website to throw errors, you install an auto-update plugin.

With the Raidboxes Fully Managed add-on you can also activate automatic plugin and theme updates. In the settings of your BOX you can also exclude individual plugins and themes with which you have already had problems from the auto-updates.

Automated plugin updates will probably work for most small sites, but those are relatively easy to handle anyway. Those who have bigger sites may also have the bigger purse to take appropriate measures. Everyone in between must find their own solution.
