Plugin vulnerabilities represent 55.9% of the known entry points for website attacks.
It is an unfortunate reality: the most common entry point for WordPress website attacks is via an out-of-date plugin. Unfortunate because keeping WordPress plugins up to date is a reasonably straightforward, albeit time-consuming exercise.
Therefore the stat above does not just give us a wake-up on the merits of regularly updating our websites plugins but also serves as an opportunity. An opportunity to put in some effort to reap some large security boosting rewards.
But how much effort do we really need to put in?
Automatic Updates
Traditionally, the updating of plugins is done entirely manually. A developer runs the updates and then checks that all is still well on the website from a functional and visual perspective. But this can be very time consuming and if things go wrong (which they do) can leave you with a broken website.
That’s where Smart Plugin Manager comes in.
Smart Plugin Manager (SPM) is a tool released by the web host WP Engine that aims to solve this problem. SPM can run those updates for you, all automatically! Genius! Not only that but SPM visually checks that the plugin updates have not changed anything on the website. If it does notice changes it reverts the website to its pre-update state and lets you know via an email.
On the face of it, SPM seems to be the real deal, keeping your website up to date without the need for you to ever lift a finger.
But as is the case with many things, pros do come with cons, and SPM is no exception.
WP Engine : the provider of SPM are Mogul’s go-to hosting provider
Too Good To Be True?
SPM does what it says it does. It updates plugins automatically. It just doesn’t do it all the time.
Sometimes there are plugins that do not meet SPM’s passing criteria and therefore the automatic updates fail. Advanced Custom Fields, a very popular plugin, is a common culprit for this kind of false-negative result. It fails SPM’s visual checks but upon manual update passes with flying colours.
On the other side of that coin, is the scenario where a plugin update passes SPM’s tests despite some of the plugin’s functionality breaking. Now, this has only happened twice over 6 months or so of testing, so it is certainly not a regular occurrence but one that is definitely worth mentioning.
The Verdict
So with those points in mind, what do I think of SPM? Can I recommend it? Should you use it on your own WP Engine hosted website?
Well, I hate to disappoint you too much but my fence-sitting answer is maybe.
And the reason for that is simple: I cannot trust SPM 100% if left unmonitored. We have already seen that despite all the wonderful things it does, SPM can still make mistakes and plugins can be left on older, more vulnerable versions. That is understandable, it is a reasonably new tool and it deals with updating thousands of plugins, it is very hard to get that right 100% of the time.
But 100% is what we need when maintaining websites. One issue left unfixed or security flaw left open can be all that is needed to cripple a website..
Thankfully, we can bump that maybe up to a fully-fledged ‘yes’ with one small adjustment: Human-initiated updates (when needed) and monitoring.
We have already seen that SPM occasionally fails to update some plugins. However, if we update these ourselves then problem solved. We have also seen that on the rare occasion SPM can pass plugins that actually break some functionality on our website. If we start regularly monitoring the plugin updates ourselves we can bypass this issue too.
Solve these two problems in conjunction with the benefits of using SPM listed earlier, and I can safely say that we should all be using SPM on our websites.
How To Get Started
To start using SPM on your website you will first need to make sure it is hosted on WP Engine since as mentioned already SPM is an add-on of the web host, WP Engine. Most of our own client websites are so chances are if you are a client of ours you pass this first check. Fantastic! If you aren’t currently hosted on WP Engine that’s OK; migrating a WordPress website to WP Engine is simple enough and something we can help you with.
Secondly, is installing and activating SPM on your website. You will need to get in touch with whoever manages your hosting (Mogul if you host with us) and ask them to get in touch with WP Engine on your behalf to purchase and install SPM.
Finally, once SPM has been installed and configured comes the monitoring and manually updating of those plugins (where necessary) that are missed by SPM. SPM sends you an email every time an update is attempted so you will know when to jump in and check things out yourself. A more thorough check and updating of plugins that SPM does not update itself is also recommended. We call this an SLA at Mogul and it is one of the services we offer.
So there it is, SPM has a bright future if used properly and in conjunction with regular updates and monitoring. If this interests you please feel free to get in touch, we would love to discuss how we can use SPM and SLA’s in tandem to keep your website in top shape.
