The WordPress developer team is working on adding an auto-update mechanism to themes and plugins, a common source of website hacks, primarily because site owners usually install themes and plugins, and then forget to update them.
Work on this feature began months ago.
Currently, the auto-update feature is already implemented for plugins, and work is underway on adding it to WordPress’ themes feature.
Once the auto-update option rolls out for the stable versions of the WordPress content management system (CMS), site owners will be able to configure themes and plugins to update themselves by checking an option in their site’s admin panels.
Below are screenshots of what these new auto-update options will look like once development ends.
WordPress site owners who would like to test the new themes and plugins auto-update feature can install this plugin on their sites.
Code was present in WP source since 2013
The code behind this new feature has been present in the WordPress source code since version 3.7, released in October 2013, when the WordPress team added a background auto-update mechanism for the WordPress core.
Since v3.7, all WordPress installations are configured to install minor security updates automatically. User action is still required for updating between major versions (such as from v4 to v5); however, minor updates (such as from v4.3.1 to v4.3.2) are installed automatically.
When this background auto-update mechanism was added in v3.7 in 2013, WordPress developers anticipated they would eventually need to perform more than core updates. The code for performing background updates for themes and plugins was also added, but never enabled by default.
For the past seven years, some website owners have found the code and have been hacking their own WordPress configuration files (wp-config.php) to enable the auto-updates for themes and plugins, and not just WordPress core files.
In addition, some plugin authors [1, 2] also found and tapped into the same code to create (free or commercial) plugins to support the customization of the WordPress auto-update feature, letting users enable auto-updates for themes and plugins via the push of a button.
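The opt-in described above can also be scoped rather than switched on globally. The following is an added example, not code from the article or from the WordPress project: a must-use plugin that hooks WordPress's `auto_update_plugin` and `auto_update_theme` filters and logs each background run through the `automatic_updates_complete` action. The file path, plugin slugs and log prefix are placeholders chosen for illustration.

```php
<?php
/**
 * Added example (hypothetical path): wp-content/mu-plugins/selective-auto-updates.php
 * Enables background updates for an allowlist of plugins and for all themes,
 * and records the outcome of each run so failures are visible to the site owner.
 */

// Placeholder slugs: replace with the plugins you trust to update unattended.
const EXAMPLE_AUTO_UPDATE_ALLOWLIST = array( 'example-forms', 'example-cache' );

// WordPress passes its current decision ($update) and the update offer ($item).
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug )
        && in_array( $item->slug, EXAMPLE_AUTO_UPDATE_ALLOWLIST, true ) ) {
        return true;
    }
    return $update; // keep WordPress's own decision for everything else
}, 10, 2 );

// Themes: opt every installed theme in to background updates.
add_filter( 'auto_update_theme', '__return_true' );

// After each background run, log what was attempted and whether it succeeded.
add_action( 'automatic_updates_complete', function ( $results ) {
    foreach ( array( 'plugin', 'theme' ) as $type ) {
        if ( empty( $results[ $type ] ) ) {
            continue;
        }
        foreach ( $results[ $type ] as $entry ) {
            // result is true on success; false, null or WP_Error otherwise.
            $status = ( true === $entry->result ) ? 'updated' : 'FAILED';
            error_log( sprintf(
                '[example-auto-update] %s "%s": %s',
                $type,
                $entry->name,
                $status
            ) );
        }
    }
} );
```

Watching the log for `FAILED` entries matters because a plugin that silently stops updating is back in the out-of-date state the feature is meant to prevent.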
Now, the WordPress development team is finally activating this code for the stable branch.
The work being done right now is for adding a user interface (UI) for controlling theme and plugin auto-updates via the WordPress admin panel instead of having to rely on site owners customizing their wp-config.php files.
Cyber-security firms like Sucuri, Wordfence, WebARX, and NinTechNet have often pointed out that a vast majority of today’s hacked WordPress sites are being compromised after hackers exploit vulnerabilities in out-of-date plugins and themes.
This feature is expected to reduce the number of hacked WordPress sites once it rolls out with the upcoming WordPress 5.4 release.