Plugin Updating – Recommendations

If you keep a close eye on plugin updates, you may have noticed that new releases take longer to appear in your dashboard than they used to. On 5 June, WordPress.org announced Protect the Shire, a security initiative under which every new plugin and theme release now waits up to 24 hours before being distributed through the WordPress update system. During that window, an AI-assisted review tool (fittingly named Gandalf) scans each release alongside the existing human review process.

In practical terms: when we publish a new version of Events Manager, your site will not offer it straight away. The files are published on WordPress.org immediately, but the update notification on your Plugins and Updates pages is held back, whether you update manually or automatically, until the hold lifts.

We support the change. It also has a side effect worth explaining, and a new option in Events Manager to go with it.

Why we support it

Any effort to make the WordPress.org plugin repository more secure is welcome, and this is a sound plan. AI is making it easier for bad actors to inject malicious code into legitimate releases, and a review window before an update is distributed to hundreds of thousands of sites makes total sense.

For us, though, the upside that matters most is closer to home: the hold can slow the mass rollout of an update containing a serious bug, giving the developer time to fix it before most sites receive it. Automatic updates are dangerous on many levels in the context of complex plugins like Events Manager, and we have never been particular fans of them for Events Manager; we prefer site owners to update manually, with someone watching in case something goes wrong.

The catch

That upside only works if site owners are notified and can update manually the moment a fix is released. Currently, they cannot. The hold delays the update notification for everyone, manual and automatic alike, and it applies to the fix as much as to the bug. So when a legitimate security issue or a major bug needs fixing quickly, we are bound to the full 24 hours. The plugins team is quick to react and does a great job; every experience we have had with them has been a good one. However, time zone differences and working with a team that is understandably busy handling 73k plugins can make this a tricky affair.

We felt this recently. An update caused PHP fatal errors when listing events, but only for sites with a specific combination of settings. Events Manager has a lot of options, and however much we expand our test coverage, it is these edge-case combinations rather than universal failures that produce most fatal errors. Our usual response is a same-day fix, which historically meant most sites never saw the faulty version at all. Under the hold, reports only began arriving as the update gradually reached sites up to a day later, at a time we could not predict, and any fix we publish then waits out its own 24 hours.

Our solution in 7.3.7.4.2

Events Manager has let you opt in to checking for development versions for many years. We have now extended that same mechanism to stable releases.

Enable “Always check the latest stable version?” and Events Manager will ask WordPress.org directly for the latest published stable release, showing it on your Plugins and Updates pages the moment we release it, ready for you to install with the usual update button. For a one-off check, the “Re-Check Updates” button now does the same thing once.

Deliberately, this never touches automatic updates:

  • Versions found this way are explicitly excluded from the WordPress automatic update system.
  • The check only runs while an administrator is using the admin area, never during the scheduled background checks that automatic updates rely on.
  • Automatic updates continue to follow WordPress.org’s own schedule, 24-hour hold included.

For those who want the opposite extreme, Events Manager 7.9 will add an EM_AUTO_UPDATES constant: define it as true in wp-config.php and these early releases will be applied by automatic updates as well. It is not something we would necessarily recommend, at least not now, but again, the point is giving you options.
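As an added illustration of the mechanism described above and of the EM_AUTO_UPDATES opt-in (example code, not Events Manager's own), here is a minimal WordPress plugin snippet in the same spirit: it surfaces the latest release only for an administrator in the admin area, marks the entry so the auto-updater skips it, and honours the constant. The slug 'events-manager', the option name 'em_check_latest_stable' and the assumption that the plugin_information API reflects a release before the held-back update feed does are mine.

```php
<?php
// Added example, not Events Manager's own code. Assumed: slug 'events-manager',
// option 'em_check_latest_stable', API reflecting a release before the update feed.
define( 'EM_EARLY_SLUG', 'events-manager' );
// Cached WordPress.org lookup of the latest published stable release.
function em_early_latest_release() {
    $info = get_transient( 'em_early_release_info' );
    if ( false === $info ) {
        require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
        $info = plugins_api( 'plugin_information',
            array( 'slug' => EM_EARLY_SLUG, 'fields' => array( 'sections' => false ) ) );
        if ( is_wp_error( $info ) || empty( $info->version ) || empty( $info->download_link ) ) {
            return false;
        }
        set_transient( 'em_early_release_info', $info, HOUR_IN_SECONDS );
    }
    return $info;
}
// Show the early release on the Plugins/Updates pages, but only while an
// administrator is in the admin area, never from the cron-driven background
// check that automatic updates rely on. __FILE__ is the main plugin file.
add_filter( 'pre_set_site_transient_update_plugins', 'em_early_inject_release' );
function em_early_inject_release( $transient ) {
    if ( ! is_object( $transient ) || ! is_admin() || wp_doing_cron()
         || ! get_option( 'em_check_latest_stable' ) || ! current_user_can( 'update_plugins' ) ) {
        return $transient;
    }
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $basename  = plugin_basename( __FILE__ );
    $installed = get_plugin_data( __FILE__, false, false )['Version'];
    $info      = em_early_latest_release();
    if ( ! $info || version_compare( $info->version, $installed, '<=' ) ) {
        return $transient;
    }
    $transient->response[ $basename ] = (object) array(
        'slug'        => EM_EARLY_SLUG,
        'plugin'      => $basename,
        'new_version' => $info->version,
        'package'     => $info->download_link, // HTTPS zip served by WordPress.org itself
        'url'         => 'https://wordpress.org/plugins/' . EM_EARLY_SLUG . '/',
        'em_early'    => true, // marker: this entry bypassed the 24-hour hold
    );
    return $transient;
}
// The cached transient is still read by the cron-driven auto-updater, so marked
// entries are excluded unless the EM_AUTO_UPDATES constant opts them in.
add_filter( 'auto_update_plugin', 'em_early_auto_update', 10, 2 );
function em_early_auto_update( $update, $item ) {
    return empty( $item->em_early ) ? $update : ( defined( 'EM_AUTO_UPDATES' ) && EM_AUTO_UPDATES );
}
```

The explicit exclusion filter matters because the update transient built during an admin visit is cached and can still be read by the scheduled auto-updater before it refreshes.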

You will find the new settings under Events > Settings > General, in the Admin Tools (Advanced) section. If you manage updates yourself, we recommend turning the stable check on: the updates you get fastest are exactly the ones you want fastest, the point releases that fix problems in the version before. If your site updates unattended, leave it off (the default) and the full review window still protects you.

A fair balance

We think this offers the best of both worlds: the review window stays fully intact for unattended updates, while informed site owners keep the freedom to update the moment a release is out. The announcement notes the window “could be reduced to minutes as the process evolves”, which we would welcome. If the core or plugin review teams see a flaw in our approach, we would welcome that conversation too. Until then, the choice is yours, which is rather the point.
