Auto-updates for WordPress themes and plugins arrived this year in WordPress version 5.5. They let site owners opt in to having new versions of plugins and themes installed automatically as soon as the site notices them, without any intervention from the site owner.
If you use auto-updates, one question might be on your mind:
How long will it take between when the author of a plugin releases a new version and when that new version is installed on your WordPress site?
This question is vital for site owners and managers. When a new plugin or theme version contains a critical security fix, time is of the essence: every hour an unpatched site stays online is an hour in which the fixed flaw can be used to gain unauthorized access to it.
To get to the answer, let’s first review how plugin and theme releases happen.
The Plugin and Theme Release Process
When a plugin or theme author is ready to make an update to their software, they upload those changes to the directory on WordPress.org. This is where the code for their theme or plugin is hosted publicly.
Most theme and plugin authors also signal the release of non-trivial changes by increasing the version number associated with their plugin. Maybe it’s a small “point release” like going from version 1.1 to version 1.2, or maybe it’s a major release like going from version 3.0 to version 4.0. The change in version number lets everyone know that there’s new functionality and fixes available, and it’s a convenient way to refer to how software has changed over time. It also matters for updates: an existing site decides whether an update is available by comparing the version number it has installed against the one in the directory, so a change that isn’t accompanied by a higher version number is not offered to existing sites at all.
Once the updated software and the new version number are live on WordPress.org, they take effect immediately for new installations of that plugin or theme. Anyone downloading and installing a plugin or theme from that directory will now be using the latest code made available by the author.
But what about existing sites that already have that theme or plugin installed? How do they learn about the new changes and new version?
How WordPress Sites Discover Updates
You might think it happens through a “push notification” sent to your site from WordPress.org. But the WordPress.org systems would have to contact thousands or maybe millions of sites to tell them about an update to a single plugin. That’s just not practical.
Instead, WordPress uses a “polling” mechanism. With it, individual WordPress sites reach out to the WordPress.org servers on a regular basis. They ask if any new changes are available for the various bits of software that the site runs. It could be themes, plugins, translation files or the core WordPress software itself.
This update mechanism is turned on as soon as you install and activate a WordPress site. By default it schedules three recurring checks (“wp_version_check” for core, “wp_update_plugins” and “wp_update_themes”) on WordPress’s “twicedaily” interval, so each of them runs every 12 hours.
You might think this means that update checks run simultaneously for all WordPress sites, say at midnight and at noon each day. But the scheduled checks are actually created relative to when your WordPress site first runs after installation. So if I first install my WordPress site at 10 AM, my next update check will happen at 10 PM, 12 hours later.
That schedule is maintained for the life of the WordPress site unless some action is taken to reset or override that timing, and it’s different for every site. Another WordPress site owner on the same server might have installed their site at 2 PM, and so they would be on a 2 PM and 2 AM update schedule. This also helps make sure that not every WordPress site in the world is checking WordPress.org for updates at the same time every day!
So, if you first installed your WordPress site at 10 AM then your updates are happening at 10 PM and 10 AM from then on. What does that mean for a plugin release getting auto-updated on your site?
Putting aside time zone differences, if the plugin author releases a new version of their software at 9:50 PM, then your WordPress site would theoretically have the new version installed about 10 minutes later. Amazing!
But if the plugin author releases their new version at 10:01 PM, then your site may not have the new version installed until 11 hours and 59 minutes later.
While that may not seem very long, in the case of a security fix, that’s a lifetime!
How Hackers Leverage Updates to Target WordPress Sites
Because WordPress is so widely used for so many things, being able to break into a WordPress site can yield profitable results for a hacker. Maybe it’s using that access as a stepping stone to gain access to other accounts. Maybe it’s accessing ecommerce records and transactions. Maybe it’s altering the content of a site to further some other agenda. Or maybe it’s just to show off their skills.
Whatever their reasons, there are hackers out there constantly monitoring widely used software like WordPress to see if any released changes are security fixes, with the hope that they can create a tool to exploit (for their own benefit) the sites that haven’t installed the fix yet.
Beyond monitoring WordPress core updates, most hackers probably won’t bother doing this for less widely used plugins and themes, but for a plugin that’s installed on millions of sites, you can bet that they’re paying attention.
Interestingly, the WordPress.org security team has the ability to tell WordPress sites to start checking for updates more often, in anticipation of a critical security release to the core WordPress software. About 12 hours before the security update is to be released to the public, they change one part of the API response that each individual WordPress site gets back during a core update check (a “ttl” value, in seconds) to say “check back in an hour” instead of waiting for the regular 12-hour schedule. When the WordPress site sees that response, it immediately schedules a one-off “wp_version_check” event for one hour later, and it keeps doing so on each check until the security release is rolled out.
This is a reasonable way to roll out important security changes to nearly all WordPress sites on the web. It’s fast enough (about an hour) to head off most of the exploits a hacker could put together once they became aware of the vulnerability the security release was fixing. But it only speeds up the core version check: security fixes for themes and plugins get no such fast path and stay on the 12-hour schedule.
Additional Factors That Impact Auto-Update Timing
It’s important to note other factors that affect the timing of WordPress auto-updates.
Most commonly, the “cron” schedule of a WordPress site might not run regularly enough to trigger auto-update checks every 12 hours. WP-Cron is the system within WordPress that handles scheduling all kinds of tasks, but it is not a real cron daemon: by default it only runs when someone visits a page of your WordPress site, at which point any tasks that are overdue get executed. For lower-traffic sites, a lack of visitors means scheduled tasks, update checks included, run late.
Let’s revisit the timing scenario above. If your auto-update check is scheduled for 10 PM and a plugin author releases a new version at 8 PM, you’d expect the new version to be installed about two hours after it is released. But if your site doesn’t receive any visits between 9 PM and 7 AM, the 10 PM check can’t fire until 7 AM, and the site goes a full 21 hours (10 AM to 7 AM the next day) between update checks! Again, that’s a long time for a plugin security fix scenario.
Some WordPress hosts and site managers address this issue by turning off the reliance on site visits for checking and executing scheduled tasks (the DISABLE_WP_CRON setting in wp-config.php) and instead having the server’s own cron request wp-cron.php, or run the due tasks through WP-CLI, on a regular schedule (say, every 5 minutes).
But this is not the default, and site owners need to verify whether this alternative is in place. A quick way to tell is to look for DISABLE_WP_CRON in wp-config.php and for a matching entry in the server’s crontab; WP-CLI’s “wp cron event list” also shows when the next “wp_update_plugins” and “wp_update_themes” checks are due. If you’re not sure which setup you are using on your WordPress site, check with your host about your options.
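To make these timings concrete, here is an added example in Python. It is not code from this article or from WordPress itself; it models the rules described above (a check schedule anchored on the site’s first check and repeating every 12 hours, a WP-Cron that only fires on page visits, and the one-hour “ttl” fast path used for core) so the lag between a release and the install can be computed for the 9:50 PM, 10:01 PM and quiet-night scenarios. The dates and the visit pattern are constructed for the illustration; everything else comes from the intervals the text gives.

```python
"""Model of the WordPress update-check timing described in the article.

Added example, not WordPress code. It reproduces three rules from the text:
  * update checks repeat every 12 hours, anchored on the site's first check;
  * WP-Cron only fires on a page visit, so a due check waits for the next visitor;
  * a "ttl" in the core version-check response queues a one-off check sooner.
Dates, times and the visit pattern below are constructed for the illustration.
"""
from datetime import datetime, timedelta
from math import ceil

TWICE_DAILY = timedelta(hours=12)   # WordPress default interval for update checks
HOURLY = timedelta(hours=1)         # interval the core team can request via "ttl"


def next_scheduled_check(first_check, release, interval=TWICE_DAILY):
    """First scheduled check at or after `release`, on a schedule anchored at `first_check`."""
    if release <= first_check:
        return first_check
    periods = ceil((release - first_check) / interval)
    return first_check + periods * interval


def install_time(first_check, release, visits=None, interval=TWICE_DAILY):
    """Time at which a version released at `release` gets installed.

    visits=None models a real system cron job: the check runs exactly when due.
    Otherwise WP-Cron runs the due check at the first visit on or after the
    scheduled time; None means no visit in the list ever triggered it.
    """
    due = next_scheduled_check(first_check, release, interval)
    if visits is None:
        return due
    return next((v for v in sorted(visits) if v >= due), None)


def lag(first_check, release, visits=None, interval=TWICE_DAILY):
    """Delay between release and install as a timedelta, or None if never installed."""
    installed = install_time(first_check, release, visits, interval)
    return None if installed is None else installed - release


def reschedule_for_ttl(now, next_scheduled, ttl_seconds):
    """Mirror of core's handling of a "ttl" in the version-check response:
    a one-off check is queued for now + ttl only if that is sooner than the
    next regular check; otherwise the regular schedule stands."""
    candidate = now + timedelta(seconds=ttl_seconds)
    return candidate if candidate < next_scheduled else next_scheduled


def scenarios():
    """The article's scenarios for a site whose checks run at 10 AM and 10 PM."""
    day = datetime(2020, 9, 1)                  # constructed date
    first_check = day.replace(hour=10)          # site set up at 10 AM
    # Constructed traffic: hourly visits from 8 AM to 9 PM, nothing overnight,
    # then hourly visits again from 7 AM the next day.
    visits = [day.replace(hour=h) for h in range(8, 22)] + \
             [day + timedelta(days=1, hours=h) for h in range(7, 24)]
    ten_pm_check = day.replace(hour=22)
    next_regular = first_check + 2 * TWICE_DAILY   # 10 AM the next day
    return {
        # release at 9:50 PM, check at 10 PM
        "just_before_check": lag(first_check, day.replace(hour=21, minute=50)),
        # release at 10:01 PM, next check 10 AM tomorrow
        "just_after_check": lag(first_check, day.replace(hour=22, minute=1)),
        # release at 8 PM, but no visitors between 9 PM and 7 AM
        "quiet_night": lag(first_check, day.replace(hour=20), visits),
        # gap between the 10 AM check and the one that finally fires at 7 AM
        "quiet_night_check_gap": install_time(first_check, day.replace(hour=20), visits) - first_check,
        # same 10:01 PM release, but core has asked for hourly checks
        "hourly_fast_path": lag(first_check, day.replace(hour=22, minute=1), interval=HOURLY),
        # a ttl of 3600 s seen at the 10 PM check pulls the next check to 11 PM...
        "ttl_one_hour": reschedule_for_ttl(ten_pm_check, next_regular, 3600) - ten_pm_check,
        # ...while a ttl longer than the regular wait changes nothing
        "ttl_too_long": reschedule_for_ttl(ten_pm_check, next_regular, 86400) - ten_pm_check,
    }


if __name__ == "__main__":
    for name, delay in scenarios().items():
        print(f"{name:>24}: {delay}")
```

Running it prints the three lags from the article (10 minutes, 11 hours 59 minutes, and 11 hours with a 21-hour gap between checks on the quiet night) next to the 59-minute worst case on the hourly schedule. The visits list is the knob worth playing with: feed it the real access-log timestamps of a low-traffic site and the quiet-night figure is what its auto-updates actually deliver unless a system cron job is in place.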
Another issue is network connectivity. If there’s any interruption in the connection between your WordPress site and the Internet, especially to the WordPress.org API servers, that could delay auto-updates on your site.
Similarly, if your web host or network provider has scheduled maintenance during the time when your WordPress site would normally be checking for an update, it could end up missing an update check, and your site will end up waiting until the next scheduled time.
So How Long Do Auto-Updates Take to Run?
As we’ve seen, under the default schedule it can take up to 12 hours between when a plugin author releases a new version and when your WordPress site tries to install that new version using auto-updates.
In some cases, it might be much faster, even just a few minutes. In other cases, it might be much longer, even a day or two.
To ensure you’re running the latest WordPress software, make sure your site is configured for regular execution of scheduled tasks. Likewise, never underestimate the importance of a solid web host and a reliable Internet connection.
Beyond that, a tool like WP Lookout can help mitigate that waiting period by notifying you soon after a new version of a theme or plugin is released, and giving you some details about how urgent the update really is. This gives you the option of installing the update yourself manually or, if you’re concerned an update needs further testing first, you can have your site hold off on updates until you’re sure it’s ready.
Auto-updates are a valuable tool for WordPress site owners. But some site managers need more timely awareness about the software their WordPress site relies on. Fortunately, you can have the best of both worlds with a combination of auto-updates and using solutions like WP Lookout to stay on top of WordPress theme and plugin updates.