While working with customers on their servers, we often see WordPress plugins that are out of date, and a cavalier attitude from our customers when it comes to keeping their plugins current. Plugin maintenance typically takes a backseat to more pressing business matters, and it’s no wonder why. The site and plugin are functioning as intended, and there is often a fear that updating a plugin may break an already working site. This reasoning makes sense on the surface, but if you take a deeper look at the issue, the logic quickly falls apart.
Why Do Plugins Get Updates?
There are typically two reasons WordPress plugins have pending updates: new features and code corrections. For the first, often a new feature or small tweak has been added to the plugin code for additional functionality or to expand on existing functionality. Ironically, these are often the updates that cause “things to break” due to changes to the way page elements look or function, how the plugin is used, or dependencies between it and another plugin.
While we do see feature improvements being made to plugins, a good portion of the time the updates are due to bugs or security vulnerabilities. Most plugin developers are not spending the majority of their time thinking of ways to rework their plugins to add functionality. The time invested in functionality is typically spent in the development stage prior to its release. Once a plugin is initially developed and hits the market, the focus of its creators shifts to protecting their initial investment. While some time is spent adding tweaks and feature changes, the majority is spent addressing bugs and security vulnerabilities. In short, updates and version releases are more about keeping their work safe than improving upon it.
Other than hackers gaining access to your website due to weak passwords, plugin vulnerabilities are the easiest way for them to get into your site and gain access to your server. To understand the importance of updates, and the danger of ignoring security vulnerabilities, you need to think like a hacker does. Hackers are always looking for security issues to take advantage of; it’s literally what they do. When a hacker sees a big security patch pushed out for a plugin, it’s like an invitation to quickly learn how to exploit that vulnerability and use it to attack websites that haven’t yet applied the update.
Updates and security patch announcements are a double-edged sword: they are necessary to make the user aware of a security issue and the need for an update, but at the same time they let the hackers know that one exists. That is exactly why you need to keep your plugins updated.
If you would like to read more on this subject, please consider the following companion articles to this one: