Feature aimed at improving the security of the WordPress ecosystem has been a ‘long time coming’
WordPress 5.5 lands today with a new feature that will ensure plugins automatically update by default, shrinking the window of opportunity for cybercriminals looking to exploit known security vulnerabilities.
The feature, which also auto-updates WordPress site themes, has been absorbed into the WordPress core codebase after being tested and optimized as a beta plugin.
Webmasters who update to version 5.5 can opt into background updates for every installed plugin and theme, or enable and disable the feature per plugin or theme from the admin screens.
They will also receive email summaries after each automatic update run, and developers get hooks and constants for disabling auto-updates or defining an update policy in code.
The feature will apply to all plugins in the vast WordPress repository, along with any premium plugins that have hooked into the WordPress update system.
The new function is one of six security-related updates that come bundled with WordPress 5.5, the second major release of 2020.
‘Long time coming’
“It’s hard to underplay how important this is,” Tim Nash, WordPress platform lead at web hosting service 34SP.com, tells The Daily Swig.
“This has been a long time coming,” he adds, pointing out that smartphone apps and operating systems have long updated automatically.
Many managed WordPress hosts and third-party plugin developers already use the configuration constants and filters available since version 3.7 – set in wp-config.php or in a plugin – to enable background updates.
However, Nash said that these DIY solutions can only be implemented by developers with the right technical skills, and lack an interface that allows site owners to monitor or refine the auto-update process.
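The hooks and constants mentioned above are what a host or plugin developer uses to set an update policy in code. The following must-use plugin is an added example written for this article, not code from WordPress or from 34SP.com: it forces background updates for every plugin and theme that uses the WordPress update API, pins a hypothetical premium plugin whose updates the site wants to stage first, and documents the wp-config.php constants that sit underneath. The plugin file name, function names and the pinned slug are assumptions.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example, not part of WordPress or the article)
 * Description: Copy to wp-content/mu-plugins/ to apply a site-wide background-update policy.
 *
 * Companion settings for wp-config.php (core constants, available since WordPress 3.7):
 *   define( 'WP_AUTO_UPDATE_CORE', 'minor' );     // true = major and minor core releases,
 *                                                  // 'minor' = the default, false = no core updates
 *   define( 'AUTOMATIC_UPDATER_DISABLED', false ); // true switches off every background update,
 *                                                  // including the hooks registered below
 */

// Hypothetical plugin files (relative to wp-content/plugins/) to keep on their current
// version until they have been tested on a staging copy. Assumed slug, not a real plugin.
const EXAMPLE_PINNED_PLUGINS = array(
	'example-premium-plugin/example-premium-plugin.php',
);

/**
 * Decide per plugin whether WP_Automatic_Updater may install an offered update.
 *
 * Since 5.5 $update arrives already reflecting the per-plugin toggles in the admin UI
 * (stored in the auto_update_plugins site option). Returning $update unchanged keeps the
 * site owner's choice; returning false pins the item; returning true forces the update.
 * The filter only runs for updates WordPress can see, so custom-coded plugins and
 * premium plugins that never register with the update API are unaffected.
 *
 * @param bool   $update Whether WordPress would update this item on its own.
 * @param object $item   Update offer: ->plugin is the plugin file, ->new_version the version.
 * @return bool
 */
function example_auto_update_plugin_policy( $update, $item ) {
	if ( isset( $item->plugin ) && in_array( $item->plugin, EXAMPLE_PINNED_PLUGINS, true ) ) {
		return false;
	}
	// Everything else updates in the background, even if the UI toggle was left off.
	return true;
}
add_filter( 'auto_update_plugin', 'example_auto_update_plugin_policy', 10, 2 );

// Themes follow the same rule; this also covers premium themes that use the update API.
add_filter( 'auto_update_theme', '__return_true' );

// Optional, for host-managed sites: hide the per-item "Enable auto-updates" controls added
// in 5.5 so that this file is the single place the policy is defined.
// add_filter( 'plugins_auto_update_enabled', '__return_false' );
// add_filter( 'themes_auto_update_enabled', '__return_false' );

// The 5.5 summary emails for plugin and theme updates can be switched off with these
// filters; leave them enabled unless another monitoring channel replaces them.
// add_filter( 'auto_plugin_update_send_email', '__return_false' );
// add_filter( 'auto_theme_update_send_email', '__return_false' );
```

Two checks before relying on this. First, the filters only run after WordPress has confirmed it can write the files unattended: if the web server user cannot write to wp-content (the classic "FTP credentials" prompt) or the install is a version-control checkout (a .git, .svn, .hg or .bzr directory in the site path or a parent), WP_Automatic_Updater skips the item silently and the hooks never see it, which is the kind of "something prevents the update from occurring" failure the next section mentions; Site Health in 5.5 reports this condition. Second, placing the file in wp-content/mu-plugins means it cannot be deactivated from the dashboard, so the policy survives an admin account that only has the Plugins screen.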
In-the-wild exploits
Many of the 455 million websites powered by WordPress still run vulnerable plugin versions for weeks or even months after the release of security patches.
The Daily Swig recently reported, for instance, that a critical remote code execution (RCE) flaw in the Adning Advertising plugin was being exploited in the wild.
And in January, attackers took control of more than 2,000 WordPress websites via unpatched and end-of-life plugins in order to redirect unwitting victims to scam websites.
But as growing numbers of websites migrate to WordPress 5.5, malicious hackers will have dwindling opportunities to exploit recently discovered security flaws, says Nash.
While the WordPress security expert points out that sites could still be compromised if something prevents “the update from occurring” immediately, “failure rates to updates are exceedingly low”, being “well below 1%” in 34SP.com’s case.
Outside the ecosystem
“Quite a few plugins and themes sit outside of that ecosystem,” he says. “It probably doesn’t make sense for custom-coded plugins and themes to be included and some premium plugins elect not to provide access either because they don't know how or prefer the user to go through their flow.”
Asked if these plugins might become less attractive to security-conscious webmasters, Nash said he has heard anecdotal evidence that “this is already happening” amid a sustained drive by the WordPress community to urge website owners to regularly apply updates.
However, he thinks site admins might still use plugins that don’t offer automatic updates, if they offer features unavailable elsewhere.
34SP.com has adopted the new auto-updater UI while keeping its backend updater system, and Nash, who has published advice on the topic, urges other providers to rethink their own auto-update policy.
WordPress core has been configured to automatically install minor security and maintenance updates since version 3.7, which was launched in 2013.
However, updating to WordPress 5.5, as with previous major updates, must still be done manually by default; a site only receives major core releases automatically if it opts in, for example by setting the WP_AUTO_UPDATE_CORE constant to true.
The WordPress team has issued a field guide for version 5.5, and advice on managing auto-updates, controlling email notifications and site health info, and recommended usage of the updates API.