According to WPScan Vulnerability Database statistics, plugin vulnerabilities account for almost 25% of WordPress vulnerabilities.
Source: WPScan Vulnerability Database
By default, WordPress doesn’t update plugins automatically. Update availability is reported with a red dot, either on the dashboard “Updates” page or under the “Plugins” menu.
Reporting is carried out by a cron job (wp_update_plugins) that is triggered twice a day (every 12 hours) and checks, for each installed plugin, whether an updated version is available.
If you have a single site to manage and you often connect to the administration dashboard, the site administrator can update plugins manually.
On the other hand, if you manage several or even hundreds of websites, manual updating can be a very time-consuming task!
How can I protect my website?
As you may have guessed, there are a few plugins that can update the installed plugins automatically, without any intervention from the website’s administrator.
The most popular plugins in terms of number of downloads and positive reviews are:
The plugin’s configuration is very easy and it does its job very well. You can set automatic updates of plugins and also of WordPress core files, themes and the language translations of every system component.
For an explanation of the plugin’s configuration, watch the following video provided by the developer:
Companion Auto Update is another popular plugin. It is very easy to configure and, like the previous plugin, it can also update WordPress core files, plugins, themes and translations.
Keeping your plugins up to date is quite a simple task. The major drawback of this automated approach is that updating a plugin may break your site, often because of a conflict between the updated plugin and the website’s code.
To avoid breaking the website, the best approach is to apply plugin updates first on a replica of the site (“staging site”), where plugins can be installed and fully tested.
Once they have been tested, installation can be performed in the main site (“live or production site”).
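The staging-first workflow above can also be enforced in code. The following is an added example, not code from this page or from the plugins it mentions: a must-use plugin for WordPress 5.5 or later that auto-updates everything on staging and, on production, only the plugins already tested. The file name, function names and slugs are hypothetical, and it assumes the staging site sets WP_ENVIRONMENT_TYPE to 'staging' in wp-config.php.

```php
<?php
/**
 * Plugin Name: Staged plugin auto-updates (added example)
 * Hypothetical file: wp-content/mu-plugins/staged-auto-updates.php
 */

// Assumption: placeholder slugs of plugins whose updates passed testing on staging.
const EXAMPLE_TESTED_SLUGS = array( 'example-plugin-a', 'example-plugin-b' );

// 'auto_update_plugin' is consulted for each plugin update offer.
add_filter( 'auto_update_plugin', 'example_staged_auto_update', 10, 2 );

function example_staged_auto_update( $update, $item ) {
	// Anything that is not production (staging, development, local)
	// takes every update so that breakage shows up there first.
	if ( 'production' !== wp_get_environment_type() ) {
		return true;
	}

	// On production, update only plugins on the tested list. Returning
	// false for the rest overrides any per-plugin setting in the dashboard.
	$slug = isset( $item->slug ) ? $item->slug : '';
	return in_array( $slug, EXAMPLE_TESTED_SLUGS, true );
}

// Record every plugin update that did not succeed, so a broken update
// is noticed without anyone having to log in to the dashboard.
add_action( 'automatic_updates_complete', 'example_log_failed_updates' );

function example_log_failed_updates( $results ) {
	if ( empty( $results['plugin'] ) ) {
		return;
	}
	foreach ( $results['plugin'] as $entry ) {
		if ( true === $entry->result ) {
			continue;
		}
		$reason = is_wp_error( $entry->result )
			? $entry->result->get_error_message()
			: 'update did not complete';
		error_log( sprintf( 'Auto-update failed for %s: %s', $entry->name, $reason ) );
	}
}
```

After a plugin update has been verified on staging, add its slug to EXAMPLE_TESTED_SLUGS and deploy the file to production.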
However, keeping your site’s plugins up to date is just a small piece of the whole WordPress securing process.
Securing WordPress is a very demanding task; that’s why we strongly advise relying only on information security experts to help you keep your website running and secured.