TLDR: The regular "WordPress Updates Notification" emails for WP Site customers are being discontinued. Vulnerability Reports will now be sent instead. Read on for details.
Customers on our WP Site (Plesk) hosting plans will be familiar with the email notifications that are sent, informing you of all new updates for your WordPress plugins and themes.
We are aware that some of our customers find these email notifications to be a nuisance, while others find them useful as a reminder to jump into their WordPress Dashboard now and again and install pending updates.
We appreciate the concerns that some customers have raised - that these emails can be too frequent - and we have been working on a solution, trying to find the balance between security and keeping our customers informed, while not pestering them with too many emails.
Current Policy
As a reminder - on WP Site plans - only updates that fix known vulnerabilities are installed automatically. General, day-to-day updates are left to the customer to install on their own schedule.
For quite a while now, our policy has been to not send email notifications about these discovered vulnerabilities, primarily because the updates are set to install automatically (so in many cases, no action is required). We also don't want to alarm customers unnecessarily and send yet more emails. However, a trend that we have noticed over the last several months has led us to reconsider this approach.
Please note: Our actual update policy is not changing in any way. Security updates for vulnerabilities will be installed automatically (where possible) just as before. We're only changing the type of email notifications that we send to you.
WordPress Ecosystem - Change is the only constant
More frequently, we are finding that a vulnerability is discovered in a plugin (and sometimes a theme) - but no update is immediately available - so Plesk is not able to install an update and patch the vulnerability. Sometimes a fix is released in the following days, and Plesk will install the update automatically, when it becomes available.
Other times, the plugin has been discontinued and the only option is to deactivate or remove the plugin completely. As this is likely to have some impact on the operation of your website, we can't automate this process, so we need to reach out to the customer and discuss their options.
Another increasingly regular occurrence is that a vulnerability fix for a "premium" or "paid" WordPress plugin cannot be installed because the license has expired and so automatic update of the plugin is blocked.
In these cases, we have been sending a support ticket to the customer, prompting a discussion of the best course of action.
For these reasons we will be discontinuing the current WP Site email notifications of all pending updates, and will instead only send notifications of discovered vulnerabilities.
WordPress Vulnerabilities Email Notifications
The new notifications will use the subject line: "WP Toolkit - Vulnerability Report".
This means that you will receive fewer emails, but the emails you do receive will be more important. Often, the notification will just be informing you that vulnerabilities have been found and that updates were automatically installed. In these cases, the message you will see is:
"The following vulnerabilities are handled by WP Toolkit right now based on site autoupdate policy:"
In other cases, the notification will inform you that an update is not available or can't be installed (if possible, an explanation will be included), and therefore some user action is required. In these cases, the message you will see is:
"The following vulnerabilities need your attention because they have to be addressed manually:"
We hope that this change will reduce the email clutter sent to our customers, while also keeping you more informed of the most important updates that affect your websites.
Want to change the email address that these notifications are sent to?
You can change the recipient email address for all WP Site (Plesk) email notifications by logging into your Plesk Panel and going to Edit Profile, in the top menu bar.
Note that this is separate from any email addresses and notification settings in My WP NET. The WP Toolkit notifications are sent from the Plesk Panel, and so the recipient email address must be set there. The benefit of this is that you can use a different address to receive WP Toolkit notifications (such as your WP developer's address), while leaving all your My WP NET notifications as they are now.
These changes will be rolled out to all WP Site servers over the next few days. If you receive a vulnerability notification and don't know what to do - or just have questions - please don't hesitate to open a support ticket and we'll be happy to help!