Auto Update WordPress Plugins

How To Auto Update WordPress Plugins

Auto Update WordPress Plugins

WordPress Plugin Updates – A Security Hole

So you’ve chosen a host that takes security seriously, you have automatic WordPress updates installed, you’re running on PHP 7, you have .htaccess protection, you’ve secured your folder permissions, you’ve disabled the admin user and a whole host of other things to secure your website. But when you login to your WP dashboard you see 10 outstanding WordPress plugin updates. This is a huge security hole. You simply must auto update WordPress plugins!

Outdated plugins are the major source of WordPress hacks and exploits. According to WPScan Vulnerability Database there are over 1500 vulnerabilities in WordPress plugins. In fact Plugin vulnerabilities account for over have the listed vulnerabilities compared to 34% attributed to WordPress core and 14% of the listed vulnerabilities come from WordPress themes.

If you use a well-maintained plugin it is likely the developer is continually patching their plugin code. But if you wait 2 weeks to update plugins you are at risk from being compromised. As server administrators we see hacks from plugins all the time.

Auto Update WordPress Plugins – with a plugin….

If you haven’t logged into your WordPress dashboard for a while you are sure to see a whole bunch of plugins that require updates. Let’s face it, if you have a lot of plugins this update maintenance quickly becomes a chore. It is also completely unnecessary because the ability to auto update WordPress plugins (and themes) is built into WordPress core (since WordPress 3.7). It requires a code edit which is why it is not universally used. You can just add this code to your theme’s functions.php:


add_filter( 'auto_update_plugin', '__return_true' );


The average user is not going to bother with that though. However, there are a number of plugins that will auto update WordPress plugins for you. And with my favorite plugin you can even select which plugins to auto update (or rather you just disable the auto updates for selected plugins). It is called Automatic Plugin Updates and appears to be well-maintained. Once installed and activated navigate to Settings > Automatic Plugin Updates and disable updates for any plugins you don’t wish to automatically update.


Auto Update WordPress Plugins Settings


At the bottom of the Settings page you can also enable/disable email notifications for when updates have occurred.

But wait, you are not done yet.

You are now safe from any exploits found in the code of a well-maintained plugin. What about those plugins you installed 3 years ago and were then abandoned? If the code in those plugins become vulnerable no-one is coming to the rescue. You might not even know a plugin has been abandoned until you get hacked.

I mentioned WPScan Vulnerability Database earlier. This website tracks the majority of vulnerabilities and exploits found in WordPress core, plugins and themes. They also provide an API and there a number of plugins you can install that use this API and scan your plugins as well as core itself and installed themes. The one I use is Plugin Security Scanner and is well-maintained.


Plugin Security Scanner



This is a simple but powerful plugin. It scans your WordPress once a day and emails you if it detects any vulnerabilities listed in WPScan. It scans WordPress core, themes and plugins. Now you are protected against hacks from old plugins.


If you take WordPress security seriously hope you’ll consider adding these tools to your WordPress security arsenal.

About the author

Laurence Flynn

Hey! I'm Laurence, hosting industry veteran and entrepreneur, obsessed with web performance. My aim is to build the cheapest and fastest Optimized WordPress Hosting platform available today. Our back-end systems include Nginx and Redis combined with PHP 7, FPM and MariaDB to deliver maximum performance. Our front-end UI is powered by the beautiful Plesk control panel to deliver a smooth user experience. All secured with Imunify360, artificial intelligence and machine learning. Connect with me on LinkedIn.

Add Comment

Click here to post a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.