Version updates for third-party plugins

Third-party plugins added to sites on the WordPress VIP Platform should be kept up to date with their latest available version. It is the responsibility of individual customers and their developer teams to maintain, test, and update the plugins used on their sites.

Limitations

Plugins cannot be updated or installed with CLI or within the WordPress Admin dashboard.

Identify available updates

Multiple methods are available for identifying plugins that have available version updates:

• The Plugins panel in the VIP Dashboard displays a list of plugins that are located in the /plugins directory of an environment’s  wpcomvip GitHub repository branch and scanned by Codebase Manager. Available version updates and any identified security vulnerabilities are displayed where applicable for each plugin.

• WordPress user roles with the activate_plugins capability will see available updates for third-party plugins displayed in the WordPress Admin dashboard Plugins screen.
• WordPress user roles without the  activate_plugins capability can review available updates for third-party plugins by navigating to Tools –> Site Health –> Info.

• Use VIP-CLI to run the WP-CLI command wp plugin list to get a list of plugins for a site and related information for each plugin.

Update a plugin

Update a plugin by committing the newer version to the deploying branch of an environment’s wpcomvip GitHub repository.

When updating a plugin, follow the recommendations to evaluate and test a third-party plugin:

1. Use PHPCS to scan the updated plugin’s code locally.
2. Commit the updated plugin’s code to the deploying branch of a non-production environment. Test the updated version of the plugin thoroughly before merging to the deploy branch of a production environment to ensure the stability of the production site’s performance and security.

Security notices

Codebase Manager automatically scans plugins that are located in the /plugins directory of a WordPress environment’s wpcomvip GitHub repository branch. Identified security vulnerabilities and available version updates for plugins are reported in the VIP Dashboard Plugins panel.

Pull requests that add or update plugins and themes will be scanned by the VIP Code Analysis Bot’s Vulnerability and Update Scan. This applies to plugins and themes located in the /plugins, /client-mu-plugins, and /themes directories in the root of the application’s GitHub repository. The Bot will report if the information retrieved from the WPScan API indicates that the version of a plugin or theme being added or altered in a pull request has known vulnerabilities or available version updates.