Today we’re going to walk you through what I consider to be the easiest, most reliable method for how to setup automatic updates for your WordPress plugins.
Why keeping your plugins updated is so important.
I would guess that at some point most WordPress users have had the unfortunate experience of their website getting hacked. In fact even if you think you’ve never been hacked, there’s a high probability that indeed you have and you simply haven’t noticed – yet!
This has led to the common perception that WordPress isn’t secure. The truth is that the WordPress core is very secure. Think about it, when was the last time you heard that WordPress.com or WordPress.org was hacked? So if that’s the case, then why do so many other WordPress sites suffer from security breaches? While there are many reasons for this, the single biggest reason in plugins. The good folks over at Wordfence know a thing or two about WordPress security and wrote a great post about how attackers gain access to WordPress sites. They identified plugins as being the biggest risk factor for WordPress hacks. We’re incredibly lucky to have such a wonderful, expansive and diverse WordPress plugin ecosystem. But that massive and diverse ecosystem comes with an often overlooked cost. Code quality in the WordPress ecosystem is incredibly inconsistent. Plugins are created by everyone from industry experts with decades of experience, to newbies who just discovered how to write php a week ago.
As a result, if you’re someone who is fond of installing plugins without first conducting due diligence on the plugin code quality you’re massively increasing the risk that you’re effectively opening up your site to a whole plethora of entry points for vulnerability scanners to gain access to your website. We’ll circle back to the best approach to vetting potential WordPress plugins you’d like to use in another post in the near future. But in short, the best advice is to do your research on the plugin itself and the developer before hitting the install button.
But being dilligent at the initial vetting phase isn’t enough. Even the best WordPress plugin developers will make mistakes and due to the open source nature of most WordPress plugins it’s easy for potential attackers to spend time trying to find new vulnerabilities in plugins. In fact, the more popular the plugin the bigger the motivation for hackers to find new vulnerabilities they can use to maximum effect on as many sites as possible. Just over 3 years ago we had the Slider Revolution hack which affected hundreds of thousands of WordPress websites. While that was a massive incident that lots of us will be aware of, there are many many more incidents that we rarely hear about. The WPScan Vulnerability Database does an excellent job tracking plugin security incidents and vulnerabilities.
The good news is that a lot of plugin developers react quickly to these vulnerabilities with fixes via plugin updates once they’re made aware of the issue. But the big problem is that while plugin updates might be released to quickly fix the issue, if you don’t update the plugin immediately after the update is released, you’re now running a website which opens security vulnerabilities that a hacker can take advantage of until you update the plugin. I call this the Plugin Vulnerability Window of Opportunity.
Why you must absolutely, positively have to have WordPress plugins updated automatically as soon as possible.
For most WordPress websites, the Plugin Vulnerability Window of Opportunity remains open for far too long. It’s also compounded by the fact that at any given time, your average WordPress website probably has multiple concurrent Plugin Vulnerability Windows open! The longer these windows remain open, the more likely your website is to get hacked. Most WordPress website owners don’t manually update their plugins quick enough to close these Vulnerability windows quickly. In fact, it’s pretty much impossible to feasibly expect someone to do this manually on an ongoing basis. Vulnerability windows can be exploited in minutes and hours after they become identified. Even if you religiously update plugins daily and as soon as you become aware that an update is available, it could already be too late.
It’s for this reason alone that you should implement a system to automatically update plugins as soon as they’re available for 99% of all WordPress plugins. I do have a couple of exceptions to this rule. WooCommerce is a big one. I exclude WooCommerce from this rule simply because quite often WooCommerce updates can be quite disruptive to a live eCommerce website. It’s still incredibly important to update WooCommerce as quick as possible and I would recommend you automate WooCommerce updates on your staging website and run tests there as soon as possible and then proceed to manually updating your live WooCommerce website.
Thankfully there are a ton of options available for automatically updating your WordPress plugins – and I’ve tried out most of them. But the one that has worked best for me is called Easy Updates Manager.
Easy Updates Manager
Aptly named, Easy Updates Manager is the plugin I’ve found to be the easiest and most effective WordPress plugin for automatically updating all your other WordPress plugins 🙂 Here’s the quick video intro to the plugin.
At the time of writing, the plugin has:
- Over 100,000 active installations
- 329 5 Star Reviews
- Maintained and supported by a well respected WordPress developer, Ronald Huereca
Ronald actually took over Easy Updates Manager from another young WordPress developer and spoke about his experience doing so at WordCamp Fort Worth in 2016. (you can also read his story.)
Suffice to say, Easy Updates Manager is in good hands 🙂 You should also check out Ronald’s other WordPress plugins.
I had previously been using Jetpacks built in feature to auto update plugins but found this to be unreliable with multisite, so when I read that Ronald first came to this plugin to introduce multisite support I knew it would be a good candidate to roll out across our network of WordPress websites. After using it now for several months I’ve been delighted with how well it has been working – so let’s take a closer look.
How to setup Easy Update Manager to automatically update all your plugins.
Once you install the plugin, you’ll see a new option under Dashboard → Update Options that looks like this.
Honestly, I found this screen to be a little confusing and not without it’s quirks. I know that Ronald is currently working on refactoring it to be a bit simpler. But, if you simply to go to Update Options → General I found that screen to be a lot clearer and simpler to use.
What we’re doing here is telling the plugin to update absolutely everything – WordPress core, all plugins and themes. The only setting I leave disabled is Development updates. We don’t want bleeding edge versions of WordPress core running on a production website 🙂
My favourite feature of Easy Updates Manager – Email notifications
Towards the bottom of the general tab you’ll need the option to enable core update emails. Go ahead and enter your email and enable this. This is without doubt my favourite feature of this plugin as this gives me the peace of mind to know my Vulnerability Windows are being closed as quick as possible without having to login to my WordPress websites on a daily basis.
Once the plugin completes updates, you should get an email that looks like this.
I got that email just 9 minutes after the plugin update was released on WordPress.org!
Now that’s what I call peace of mind 🙂
And that’s it! That’s all you need to do to setup automatic updates for all your WordPress plugins.
There are of course a ton of other features you can fine tune and configure and I would encourage you to spend some time studying all of those. If you’re running WooCommerce you can Disallow updates via Update Options → Plugins
I would also recommend keeping an eye on the logs every now and again just to make sure everything is being updated correctly.
How much does Easy Updates Manager cost?
Here’s the best bit – Easy Updates Manager is currently 100% free! If that were to ever change in the future I would have no hesitation paying for this plugin as it saves you a huge amount of time and provides great peace of mind that one of the biggest sources of WordPress website hacks is being well managed and nipped in the bud on an ongoing basis.