Forum Moderators: rogerd & travelin cat


To auto update plugins or not?


Brett_Tabke

5:50 pm on Aug 12, 2023 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Auto Update or not?

  • Hackers/malware exploiters scan the web continuously.
  • They scan for WordPress sites and to detect what plugins are installed (almost all plugins will leak identifying info).
  • They add your site and plugins to the 'waiting to hack' db.
  • When a hole in a plugin is found, they start immediately exploiting the sites in the db. The speed with which they can do this is breathtaking: hundreds of thousands of sites an hour.
  • Most often, they just install a simple backdoor script to use later. A commonly named script they drop in admin or with a plugin, so that you would never suspect it is a backdoor.
  • A day, a week, or whenever the plugin is updated, you get the notice to update the plugin on your panel, and do so.
  • You feel confident that you updated your software.
  • You don't even know they were already there, or when the exploit will be activated.
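The check that follows from the post above is file-integrity monitoring of the directories a dropped backdoor would land in: record a hash of every file after a verified install, then re-run after every update (yours or automatic) and look at what appeared or changed, rather than trusting that the update notice means you are clean. The script below is an added example written for this page, not code from the thread or from WordPress. It assumes a manifest path outside the web root (placeholder), the directory list shown, and a regex of patterns commonly seen in PHP backdoors; all three are assumptions to adjust per site.

```php
<?php
// Added example (not from the thread): hash manifest of a WordPress install,
// with a diff against a stored baseline and a crude backdoor-pattern scan.
// Usage: php wp-manifest.php baseline /var/www/site   (after a verified clean state)
//        php wp-manifest.php check    /var/www/site   (from cron; exit 1 on any change)
declare(strict_types=1);

const MANIFEST = '/var/lib/wp-manifest/manifest.json';   // assumption: outside the web root
const WATCHED  = ['wp-admin', 'wp-includes', 'wp-content/plugins',
                  'wp-content/mu-plugins', 'wp-content/themes', 'wp-content/uploads'];
// Constructs that show up in most dropped PHP shells. A hit is a lead to read the file, not proof.
const SUSPECT  = '/\b(eval|assert|create_function)\s*\(|base64_decode\s*\(|gzinflate\s*\('
               . '|str_rot13\s*\(|\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(/i';

/** Map relative path => sha256 for every file under the watched directories. */
function hash_tree(string $root): array {
    $out = [];
    foreach (WATCHED as $dir) {
        $path = "$root/$dir";
        if (!is_dir($path)) {
            continue;
        }
        $it = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($path, FilesystemIterator::SKIP_DOTS)
        );
        foreach ($it as $f) {
            if (!$f->isFile()) {
                continue;
            }
            $rel = substr($f->getPathname(), strlen($root) + 1);
            $out[$rel] = hash_file('sha256', $f->getPathname());
        }
    }
    ksort($out);
    return $out;
}

/** True if the file is PHP-executable and contains one of the SUSPECT constructs. */
function suspicious(string $file): bool {
    // A .php file inside uploads/ or a theme directory is the classic drop location.
    if (!preg_match('/\.(php|phtml|php[57]|phar)$/i', $file)) {
        return false;
    }
    $src = @file_get_contents($file);
    return $src !== false && preg_match(SUSPECT, $src) === 1;
}

/** Compare two manifests; returns lists of added, removed and changed paths. */
function diff_manifest(array $old, array $new): array {
    $changed = [];
    foreach (array_intersect_key($new, $old) as $rel => $hash) {
        if ($old[$rel] !== $hash) {
            $changed[] = $rel;
        }
    }
    return [
        'added'   => array_keys(array_diff_key($new, $old)),
        'removed' => array_keys(array_diff_key($old, $new)),
        'changed' => $changed,
    ];
}

$cmd  = $argv[1] ?? 'check';
$root = rtrim($argv[2] ?? '.', '/');

if ($cmd === 'baseline') {
    @mkdir(dirname(MANIFEST), 0700, true);
    file_put_contents(MANIFEST, json_encode(hash_tree($root), JSON_PRETTY_PRINT));
    echo "baseline written to " . MANIFEST . "\n";
    exit(0);
}

$old  = json_decode((string) @file_get_contents(MANIFEST), true) ?: [];
$diff = diff_manifest($old, hash_tree($root));
foreach (['added', 'changed', 'removed'] as $kind) {
    foreach ($diff[$kind] as $rel) {
        $flag = ($kind !== 'removed' && suspicious("$root/$rel")) ? '   <-- matches backdoor pattern' : '';
        echo str_pad(strtoupper($kind), 8) . $rel . $flag . "\n";
    }
}
exit(array_sum(array_map('count', $diff)) > 0 ? 1 : 0);
```

Every legitimate update also changes the manifest, so the workflow is: update, review the diff, re-baseline. With auto-updates on, the cron diff is the moment you learn something changed, and the "matches backdoor pattern" marker is what separates a version bump from a new file in wp-content/uploads that should not be PHP at all. Plugins from the WordPress.org repository can additionally be checked against the repository's published checksums with `wp plugin verify-checksums --all` (WP-CLI), which this script does not replace.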

not2easy

6:55 pm on Aug 12, 2023 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I auto-update some plugins. The ones I do not auto-update, I check their vulnerability status and verify that the owners have not changed before manually updating. Several years ago a well-respected plugin was sold to less scrupulous 'developers' and the former owner notified their users to only allow updates after checking, because apparently there were undesirable changes made to newer versions. Sorry to see it go, but it was replaced by a well-respected plugin.

I only use a few plugins so it is not hard to check into the one or two that are manually updated. To lower the risk, I only use plugins from the WP plugins repository because they are kept up to date (or booted) and are curated and reviewed by their users. There is a vulnerability database site linked in the Charter that lets you see the history and current issues of plugins.

Senator94

11:38 pm on Aug 30, 2023 (gmt 0)



Since I run my own dedicated servers for WordPress sites, I enable auto updates. I have fine-tuned control of all my clients' WordPress sites and know what to expect.

If a client is not being hosted on my servers, I only enable WordPress security updates, since I don't control the server or what to expect when an update goes wrong.

Also, I turn off auto updates if it is a headless WordPress installation because it always goes wrong.

Kendo

2:56 am on Aug 31, 2023 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Never. I see no point in updating WordPress or any plugin unless I update server resources, only to find newly introduced incompatibility. Besides, how is enabling such write permissions ever a good idea?

Senator94

4:04 am on Aug 31, 2023 (gmt 0)



Enabling it provides quick security patches for holes that are exposed.

So many premium plugins have exploits that need to be patched ASAP.

I would rather deal with an update gone bad than a hacked WordPress site.

not2easy

2:24 pm on Aug 31, 2023 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Hi Senator94 and welcome to WebmasterWorld [webmasterworld.com]

I agree with you about the importance of updating WordPress and its plugins. Not updating or delaying updating can easily leave your site vulnerable. Updates are put out to improve speed and security. There should be no auto-updates for plugins or themes not available at WP.org where they are curated and reviewed. Updates offer the most recent protection against newly found vulnerabilities.
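The policy in the two posts above (auto-update, but only for vetted plugins served from WordPress.org; security-only updates where you do not control the server) can be expressed in WordPress itself rather than left to the dashboard toggles. The must-use plugin below is an added example written for this page, not code from the thread or from WordPress. It uses the real `auto_update_plugin`, `auto_update_theme`, `allow_minor_auto_core_updates` and `allow_major_auto_core_updates` filters; the allow-list contents and the assumption that an update object's `package` URL identifies the download host are this example's, not the thread's.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example, not from the thread)
 * Description: Allow automatic plugin updates only for listed slugs whose update
 *              package is served from WordPress.org; everything else stays manual.
 *
 * Install in wp-content/mu-plugins/ so it loads before regular plugins and
 * cannot be switched off from the dashboard.
 */

// Assumption: the site owner maintains this list after vetting each plugin.
// Slugs are the WordPress.org directory slugs; the one below is a placeholder.
const SITE_AUTOUPDATE_ALLOW = [
    'example-vetted-plugin',
];

add_filter( 'auto_update_plugin', function ( $update, $item ) {
    // $item is the update object WordPress built from the Plugins API:
    // ->slug is the WP.org slug, ->package is the URL the updater will fetch.
    if ( empty( $item->slug ) || ! in_array( $item->slug, SITE_AUTOUPDATE_ALLOW, true ) ) {
        return false;                       // not vetted: leave the update notice, do not apply it
    }

    // Premium/third-party plugins register their own update servers. Only a package
    // hosted by WordPress.org is auto-applied; anything else waits for a human.
    $host = isset( $item->package ) ? (string) wp_parse_url( $item->package, PHP_URL_HOST ) : '';
    return 'downloads.wordpress.org' === $host;
}, 10, 2 );

// Themes: always manual. Theme updates can overwrite templates and are easier to review by hand.
add_filter( 'auto_update_theme', '__return_false' );

// Core: minor releases (security and maintenance) apply automatically, major releases do not.
// Equivalent to define( 'WP_AUTO_UPDATE_CORE', 'minor' ); in wp-config.php.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );
```

Two wp-config.php constants cover the positions at the ends of the spectrum in this thread: `define( 'AUTOMATIC_UPDATER_DISABLED', true );` turns off every automatic update while keeping the dashboard's manual updates, and `define( 'DISALLOW_FILE_MODS', true );` removes plugin and theme install/update from the dashboard altogether, which is the "no write permissions from the web app" stance; with that set, updates arrive through your own deployment pipeline and the web server user needs no write access to the code directories.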

Brett_Tabke

3:09 pm on Aug 31, 2023 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



>I would rather deal with an update gone bad then a hacked WordPress site.

Ditto. It is easier to run a site monitor that alerts you when your site is down (due to a bad auto-updated plugin) than to have your site down due to a hack.

explorador

11:10 pm on Oct 23, 2023 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



While at X company we had this big client who, for some reason, insisted that all 3 websites they wanted be built using WordPress.

This created a long-lasting discussion about plugins, updates, security, etc. I was the guy against using WordPress for security reasons, along with rejecting any use of plugins. Long story short, the discussion wasn't over, and suddenly:

1. We HAD to upgrade WordPress (classic update, new versions, security reasons).
2. One plugin wasn't compatible with the upgrade, so... we would be exposed either way (upgrade or not).
3. Other plugins were abandoned projects; we were on our own for compatibility.
4. Auto update broke the site once... and we had to disable the plugins.
5. One guy was assigned the painful job of replacing the plugin with in-house code... poor guy (me). That wasn't karma, I was just the most qualified guy for the job despite rejecting WordPress from the beginning.

Yes, the story stinks. I honestly stay away from WP; it's not personal, I just try to stay away from too-many-moving-parts systems.

Senator94

12:34 am on Oct 24, 2023 (gmt 0)



1. Proactive security is a must.
2. You can protect a poorly written plugin at the server or site level.
3. Abandoned plugins are common, but there are always replacements. Usually, when we encounter this issue, the owners are too cheap to pay for a premium plugin.
4. If an auto-update breaks the site, it is on the web dev.
5. In-house code is usually the most poorly written code I have ever seen. It is like jumping out of the frying pan and into the fire. If you hate WordPress, it is because your experience with WordPress has been poor. A good web dev would fix any task that is a problem.

Staying away from WordPress is your prerogative.

Since I am a WordPress absolutist, I love that WordPress is constantly evolving, always in-fighting, always plugging security holes, open-sourced, and is used by the most DDoS-attacked sites on the planet.

The United States of America's White House website is a WordPress site. They are even using Gutenberg and the latest features of WordPress.

NASA has revamped its website, too. They are also using WordPress, along with many US government agencies.

Also, governments around the world hate being locked into proprietary software.

WordPress has embraced Headless, including developers who want to code in the latest language trends.

Good luck out there; it is rough being a web dev, especially those who avoid challenges.




[edited by: not2easy at 7:02 pm (utc) on Oct 24, 2023]
[edit reason] Please see Charter [webmasterworld.com] [/edit]

explorador

6:42 pm on Oct 24, 2023 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Some things I find easier to discuss or explain in a conversation than on a thread. It really depends on the case, and quite often the same thing happens: things get mixed. That's why I often ask questions (this time I didn't, I just shared our past case), but it's absolutely worth it to ask questions to evaluate the scenario. At times, when I explain this, my comment is taken as "off topic", but most times, to be fair, it's welcomed because it's exactly the case, received like "oh yes! that's our case!".

Let me explain: lots of things come down to the client's needs, demands and limitations (with very little to do with security).

NASA, yes. White House, yes. But will your client have the same or comparable infrastructure? The same budget? The same tech team? A similar firewall and tons of barriers to protect the site against attacks and intruders? Well, most times, while the comparison or example is valid, the final client is far from the same environment. That's why these discussions make sense, because comparisons need a grounding point. If the client does have access to that kind of technology, budget, team and protection, well, yes, absolutely, go for it and the comparison is valid. Some lacking those benefits go with fully WordPress-specialized hosting; not exactly the same, but we could say it's comparable.

What I mean regarding "little to do with security" goes like this: many times the selection of the CMS for the client (or because the client demands it) is based on wanting an intermediate tool (and not a specialized or built-from-scratch one). This means they want to be able to hire anyone to continue the maintenance, or gain access to a full market of already trained editors (anyone who knows WordPress). Another factor is being able to hire the developer and end the relationship while continuing with non-specialized developers, or also to have a clever editing platform with multi-user management, auto post, etc. The thing is, while WordPress is free, this transition and conundrum isn't, because there is always some area that needs compensation.

WordPress is just a tool like any other, with ups and downs, pros and cons, free for people to choose to use or not. However, at developer level, sometimes people get a bit mixed up with the details, when all they need is (at times) basic functionality, like: articles, title, body, cache, and dashboard. WordPress is a great tool, but it should also be considered that many developers use it because it's easier to have it delivered to the client so they continue the administration. Comparisons are valid, but most clients are not NASA and don't have the same amount of people or technology and security around. So yes, security is valid, but at times it's also valid to discuss other matters of the project because it makes sense for usability, maintenance, or why a tool is being selected.

Aslan

11:03 am on Feb 14, 2024 (gmt 0)



Never. The best way to do this is manually. I would rather not deal with auto update because I don't know what waits for me.