Version updates and maintenance

Third-party plugins added to sites on the WordPress VIP Platform should be kept up to date with their latest available version. It is the responsibility of individual customers and their developer teams to maintain, test, and update the plugins used on their sites.

Update a plugin

Update a plugin by committing the newer version to the deploying branch of an environment’s wpcomvip GitHub repository.

Plugins cannot be updated or installed within the WordPress admin dashboard.

When updating a plugin, follow the recommendations to evaluate and test a third-party plugin:

1. Use PHPCS to scan the updated plugin’s code locally.
2. Commit the updated plugin’s code to the deploying branch of a non-production environment. Test the updated version of the plugin thoroughly before merging to the deploy branch of a production environment to ensure the stability of the production site’s performance and security.

Identify available updates

• The Plugins panel in the VIP Dashboard displays a list of plugins that are located in the /plugins directory of an environment’s  wpcomvip GitHub repository branch and scanned by Codebase Manager. Available version updates and any identified security vulnerabilities are displayed where applicable for each plugin.

• WordPress user roles with the activate_plugins capability will see available updates for third-party plugins displayed in the WordPress admin dashboard Plugins screen.
• WordPress user roles without the  activate_plugins capability can review available updates for third-party plugins by navigating to Tools –> Site Health–> Info.

• Use VIP-CLI to run the WP-CLI wp plugin list command to get a list of plugins for a site.

Security fixes

Codebase Manager automatically scans plugins in an application’s wpcomvip GitHub repository that can be downloaded from the WordPress.org Plugin Directory. Pull requests that upgrade vulnerable plugins are automatically opened by VIP’s GitHub app bot.