WordPress auto-updates and the importance of reading the changelog

WordPress 5.5, being released this week, introduces support for auto-updating plugins and themes when new versions are available, where possible. It’s a great feature and one that a dedicated group of contributors has worked hard to bring to the WordPress community.

Others, including this great post from Wordfence, have already discussed the pros and cons of auto-updates when it comes to encouraging best practices in updating and maintaining a WordPress site. The short version: having more WordPress sites running the latest version of their plugins and themes is generally going to be a good thing, and yet there are a number of scenarios where it will also cause problems.

I’m definitely of the mind that it’s worth pushing through any bumps in the road to get to the point where the typical WordPress site owner does not have to worry about logging in to wp-admin and hitting a button in order to keep a site up to date and secure. As we’ve learned with apps on our smartphones or the firmware on our home routers, if the process for running the latest version of the software we depend on isn’t extremely convenient and reliable, most people will not bother until there’s a problem, or a security compromise, or a must-have feature they want. In the long run, auto-updates in WordPress core will yield more secure sites, and happier WordPress publishers.

At the same time, I don’t think we should give up on asking people to care about the details of what’s happening when a new plugin or theme is released and installed on to their WordPress site.

The WordPress plugin and theme directories are amazing collections of software that make WordPress do amazing things, but it’s still software written by humans. The software will have bugs and incompatibilities. Its creators will have varying levels of time and interest in securing and improving it. Sometimes the authors will have personal agendas or commercial interests that shape their decisions and ethics around what they put out in the world. And every once in a while, bad actors attempt to exploit these tools and systems for more malicious purposes.

For better or worse, these possibilities are all facts of life in a software ecosystem, and we shouldn’t expect them to change or go away. What we can do is remain aware of and educated about what’s being installed on any given WordPress site over time.

There are lots of helpful signals available when someone is first deciding to install a plugin or theme. How up to date it is, how helpful the “readme” is, what’s shown in the screenshots, the number and quality of reviews and ratings, the responsiveness and helpfulness of the author when it comes to support requests and feature requests, and so on.

But once that installation happens and the plugin or theme is in use, there are very few signals available to help a site owner or maintainer understand what’s changing over time as new releases are made. No one other than the plugin author has to review or test new code before it’s shipped out to many sites. I think most plugin and theme authors act in good faith, but in a worst-case scenario something like the WordPress.org plugin directory can become a distribution channel for malicious remote code execution.

This is an area for improvement in the WordPress theme and plugin ecosystem.

Right now, short of reading through the code diffs, a changelog is the main source of information available to help. Some plugin and theme authors take the time to craft helpful changelog entries, others do not. (There’s an unfortunate general trend and temptation in the world of software development to just write “bug fixes and other improvements” and assume no one cares about the details – argh!) And even the best changelog entry can leave a lot out, like how well new features and fixes were tested, or whether there’s some post-upgrade action needed by the user to have the changes take effect… let alone a plugin or theme completely changing ownership and/or business models without a mention going by in the changelog itself.

Still, I think reading the changelog for a new release, and understanding its implications, remains an essential part of running a WordPress site — even if you do it after the update has happened. I think this is especially true of WordPress professionals being paid by clients to build and maintain WordPress sites; if you have the technical expertise to read and interpret that data for the benefit of your client, you should! (By the same token, for plugin and theme authors publishing helpful and detailed changelogs remains an essential part of your responsibility to your users, and to the spirit of open source.)
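One way to keep the "read the changelog after the update" habit practical on a site that does auto-update is to have WordPress itself record what changed and where to review it. The following must-use plugin is an added example written for this post, not WP Lookout's code or anything shipped with WordPress: it hooks the core `pre_auto_update` action that fires before each background update, and it assumes a log path outside the web root that PHP can write to.

```php
<?php
/**
 * Plugin Name: Auto-update changelog audit (added example, not WP Lookout code)
 * Description: Before each plugin auto-update, records the old and new version
 *              plus the wordpress.org changelog and Trac links for later review.
 * Install: copy into wp-content/mu-plugins/ so it loads on every request,
 *          including the WP-Cron run that performs background updates.
 */

add_action( 'pre_auto_update', 'example_audit_plugin_auto_update', 10, 2 );

/**
 * @param string $type Update type reported by core: 'core', 'plugin', 'theme' or 'translation'.
 * @param object $item Update offer from the update_plugins transient (slug, plugin, new_version).
 */
function example_audit_plugin_auto_update( $type, $item ) {
	if ( 'plugin' !== $type || empty( $item->plugin ) ) {
		return; // Themes and core could be handled the same way; this example covers plugins only.
	}

	// get_plugin_data() lives in wp-admin, which is not loaded during WP-Cron.
	if ( ! function_exists( 'get_plugin_data' ) ) {
		require_once ABSPATH . 'wp-admin/includes/plugin.php';
	}

	// Read the currently installed version now; after the update it is gone.
	$installed = get_plugin_data( WP_PLUGIN_DIR . '/' . $item->plugin, false, false );
	$old_ver   = ! empty( $installed['Version'] ) ? $installed['Version'] : 'unknown';
	$new_ver   = ! empty( $item->new_version ) ? $item->new_version : 'unknown';

	// Changelog is the readme section shown under the plugin's Development tab;
	// Trac holds the actual code diffs for anyone who wants to go further.
	$slug      = ! empty( $item->slug ) ? $item->slug : dirname( $item->plugin );
	$changelog = sprintf( 'https://wordpress.org/plugins/%s/#developers', rawurlencode( $slug ) );
	$trac      = sprintf( 'https://plugins.trac.wordpress.org/log/%s/', rawurlencode( $slug ) );

	$entry = sprintf(
		'[%s] plugin auto-update %s: %s -> %s changelog=%s diffs=%s',
		gmdate( 'c' ), $item->plugin, $old_ver, $new_ver, $changelog, $trac
	);

	// Assumed path: one directory above the web root, writable by the PHP user.
	// Swap the file append for email, Slack, or your monitoring system as needed.
	$log_file = dirname( ABSPATH ) . '/wp-update-audit.log';
	file_put_contents( $log_file, $entry . PHP_EOL, FILE_APPEND | LOCK_EX );
	error_log( $entry );
}
```

Each log line gives you the pair of versions to compare and a direct link to the changelog, so the review can happen on your schedule rather than only at the moment the update ran.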

I know from experience what the stakes are and what problems can arise when we stop paying attention to these details. I’m a plugin author and a WordPress developer, and I’ve also helped build, support and maintain some of the highest-traffic, highest-profile WordPress sites out there. But I’ve also seen how “everyday” WordPress sites are becoming more and more integral to the lives and livelihoods of people around the world, where even a minor plugin or theme bug can have a big impact.

So, I created WP Lookout because I wanted better tools for knowing about changes to the themes and plugins I depend on across all the WordPress sites I manage, without logging in to wp-admin. When a new version of a theme comes out, I wanted a direct link to its changelog, instead of fishing around in Trac. And I didn’t want to be surprised by things like a plugin or theme I’ve been using changing ownership months before I found out about it. Now, anyone can get timely notifications about changes to the WordPress themes and plugins they depend on across lots of sites, without having to commit to auto-updates or a comprehensive managed WordPress solution. (Yes, we have paid plans for power users but it’s free to track up to 20 plugins/themes.)

For many users, auto-updates happening behind the scenes will be very helpful and an improvement over the past. My thanks and appreciation go to the people who made it happen.

For the rest of us, whether you use WP Lookout, some other tool, or just take the time to find and read the changelogs on your own, let’s continue to cultivate a mindset of caring about the details of updates to the software we run.

Chris Hardie is the founder of WP Lookout.