This article explains the WP NET policy on updating WordPress plugins as part of our Managed WordPress support service.
Whenever possible and practicable, WP NET will deploy WordPress plugin updates that address any known serious security vulnerability, as soon as reasonable after the plugin author releases an update.
- General, non-security related plugin updates are the responsibility of the customer
- WP NET recommends that customers keep their WordPress plugins up-to-date
- Important security patches and updates for WordPress plugins will be installed by WP NET whenever possible (details below)
- Please review our WordPress Core Update Policy and our WordPress Theme Update Policy
General, Non-Security Related Plugin Updates
The customer is responsible for all day-to-day, general updates of their WordPress plugins. This means updates that only include general improvements, new features, bug fixes and other, non-security related changes.
Security and Critical Bugfix Plugin Updates
NOTE: The following applies to plugins downloaded from the WordPress.org Plugin Directory only.
WP NET staff use specialised software to monitor security databases, blogs and other sources so that we are informed of vulnerabilities and other security issues with WordPress plugins as they are discovered.
If a serious security vulnerability is discovered in a WordPress plugin, we will automatically deploy updates to address the issue as soon as practicable after the plugin author makes a patch available.
Security Updates for Premium / Paid Plugins
Many premium / paid WordPress plugins require that they are authorised to receive automatic updates through the WordPress Admin by way of an activation or license key. It is the customer's responsibility to ensure that licenses and activation keys are in place so that updates can be received. If an activation or license key is not present, or has expired, WP NET may not be able to deploy updates for the plugin in question.
WP NET does not accept any responsibility for any problems that may arise from a bug or security vulnerability in a premium plugin that is blocked from receiving updates because of an expired or missing license activation.
Furthermore, if a plugin is installed that has no automatic update facility (or does not interface correctly with the WordPress update API), WP NET accepts no responsibility for any problems that may arise from a bug or security vulnerability that may exist in said plugin.
If a serious security vulnerability is discovered in a premium plugin and WP NET has no ability to deploy an update, we will contact you and advise you of our recommended course of action. In extreme cases, we may deactivate the plugin.
DISCLAIMER: WP NET accepts no responsibility for any data-loss, site defacement or other malicious activity that may occur due to a website compromise as a direct result of an exploited WordPress plugin or theme.
Due to the widespread implications of updating WooCommerce across major versions -- for example, updating from version 2.4 to 2.5 -- these updates are not covered by WP NET's Managed WordPress support policy. However, security updates for minor version updates are supported, where possible.
For example, if a security vulnerability is discovered in WooCommerce v2.5.4 and lower, and a fix is provided in version 2.5.5:
- All customers already on v2.5.x (i.e. 2.5.0, 2.5.1, 2.5.2, 2.5.3 and 2.5.4) will be automatically updated to v2.5.5.
- Customers on earlier major versions, such as 2.2.x, 2.3.x, 2.4.x will not be updated
The reason for this is that major WooCommerce versions often include significant changes that could negatively impact your site or break functionality. Furthermore, updating major WooCommerce versions usually requires that you update your WooCommerce theme to support any important changes. Also, if you have customised any WooCommerce templates by way of a child-theme, those templates may also need to be updated.
When a serious vulnerability is discovered in WooCommerce, we will usually contact customers by email, advising them about the issue and providing a recommended course of action.
In some extreme and rare circumstances, if a very serious vulnerability is discovered, and a patch is not yet available, we may -- at our discretion -- deactivate or remove a plugin if we deem it necessary to maintain the overall integrity, security and performance of our networks and hosting systems.
Please note that "serious security vulnerability" means any bug or other flaw that could compromise the security or significantly impair the performance of our customers' websites or our servers and hosting systems. This applies to plugins from the official WordPress plugin repository and premium / paid plugins.
Miscellaneous Plugin Updates
WP NET will -- on occasion -- deploy non-security related updates for WordPress plugins as a courtesy to our customers. These will typically be for plugins that have a very large user base (hundreds of thousands or millions of users) and where WP NET deems the update to be very low-risk / low-impact, but also helpful to maintain the usability and performance of our customers' websites.
Examples of plugins we may update (not a complete list):
- WP Super Cache
- W3 Total Cache
- Yoast SEO
- Google Analytics by Yoast
- WP Multibyte Patch
- Wordfence Security
- Sucuri Security
- iThemes Security
- Regenerate Thumbnails
- Contact Form 7
- Duplicate Post
- Ninja Forms
- Google Analyticator
- User Role Editor
Some plugins are disallowed on our servers for performance or security reasons and will be removed if they are detected. Please see Disallowed WordPress Plugins for details.
If you have any questions regarding this policy or need any help or advice regarding updating WordPress plugins, please do not hesitate to open a support ticket and we will gladly help.