Version updates and maintenance

Third-party plugins added to sites on the WordPress VIP platform should be kept up to date with their latest available version. It is the responsibility of individual customers and their developer teams to maintain, test, and update the plugins used on their sites.

Identifying available updates

WordPress user roles with the activate_plugins capability will see available updates for third-party plugins displayed in the Plugins dashboard WordPress admin.

WordPress user roles without the  activate_plugins capability can review available updates for third-party plugins by:

• Running the WP-CLI wp plugin list command with VIP-CLI.
• Navigating in the WordPress admin to Tools –> Site Health–> Info.

Updating a plugin

Plugins cannot be updated or installed within the WordPress admin dashboard.

Updated versions of a plugin must be committed to an application’s GitHub repository.

Follow the recommendations to evaluate and test a third-party plugin when updating a plugin:

1. Use PHPCS to scan the updated plugin’s code locally.
2. Commit the updated plugin’s code to the deploying branch of a non-production environment. Test the updated version of the plugin thoroughly before merging to the deploy branch of a production environment to ensure the stability of the production site’s performance and security.

Security fixes

Codebase Manager’s Automated Security Scanning automatically scans third-party plugins in an application’s wpvip GitHub repository. Pull requests that upgrade vulnerable plugins are automatically opened by VIP’s GitHub app bot.