Third-party plugins added to sites on the WordPress VIP platform should be kept up to date with their latest available version. It is the responsibility of individual customers and their developer teams to maintain, test, and update the plugins used on their sites.
Identifying available updates
WordPress user roles with the activate_plugins capability will see available updates for third-party plugins displayed in the Plugins dashboard of the WordPress admin.
WordPress user roles without the activate_plugins capability can review available updates for third-party plugins by:
- Running the WP-CLI wp plugin list command with VIP-CLI.
- Navigating in the WordPress admin to Tools –> Site Health –> Info.
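The first option above can be scripted so that outdated plugins are flagged automatically. The following is an added example, not code from VIP's documentation: the function names and the app alias @example-app.develop are placeholders, the sample CSV is constructed, and it assumes VIP-CLI passes the WP-CLI output through unchanged.

```shell
#!/bin/sh
# Added example: report plugins with a pending update from `wp plugin list`.
#
# Live usage (the app alias is a placeholder):
#   vip @example-app.develop -- wp plugin list \
#     --fields=name,status,update,version,update_version --format=csv \
#     | pending_updates

# Reads `wp plugin list --format=csv` output on stdin.
# Prints "name current -> new (status)" for each plugin whose update column
# is "available"; returns 1 if any update is pending so a CI job can flag it.
pending_updates() {
  awk -F, '
    { sub(/\r$/, "") }              # tolerate CRLF line endings
    NR == 1 {                       # header row: map column names to indexes
      for (i = 1; i <= NF; i++) col[$i] = i
      next
    }
    $(col["update"]) == "available" {
      printf "%s %s -> %s (%s)\n", $(col["name"]), $(col["version"]),
             $(col["update_version"]), $(col["status"])
      found = 1
    }
    END { exit (found ? 1 : 0) }
  '
}

# Constructed sample output (hypothetical plugin names and versions).
sample_plugin_csv() {
  cat <<'EOF'
name,status,update,version,update_version
example-forms,active,available,2.4.1,2.5.0
example-seo,active,none,7.0.0,
example-cache,inactive,available,1.1.0,1.1.3
EOF
}

# Demonstration on the constructed sample.
sample_plugin_csv | pending_updates || echo "Updates pending: commit the new versions to the repository."
```

Inactive plugins are reported too, since their outdated code is still deployed from the repository.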
Updating a plugin
Plugins cannot be updated or installed within the WordPress admin dashboard.
Updated versions of a plugin must be committed to an application’s GitHub repository.
When updating a plugin, follow the recommendations to evaluate and test a third-party plugin:
- Use PHPCS to scan the updated plugin’s code locally.
- Commit the updated plugin’s code to the deploying branch of a non-production environment. Test the updated version of the plugin thoroughly before merging to the deploy branch of a production environment to ensure the stability of the production site’s performance and security.
Codebase Manager’s Automated Security Scanning automatically scans third-party plugins in an application’s wpvip GitHub repository. Pull requests that upgrade vulnerable plugins are automatically opened by VIP’s GitHub app bot.