Version updates for third-party plugins

All third-party plugins that are added to a site on the WordPress VIP Platform should be kept up to date with their latest available version. It is the responsibility of the customer and their developer teams to maintain, test, and update the plugins installed on their sites.

Notices for available version updates for plugins can be reviewed in multiple locations.

VIP Dashboard

The Plugins panel in the VIP Dashboard displays a list of the plugins that are located in the /plugins directory of an environment’s GitHub repository branch. Codebase Manager scans the /plugins directory for third-party plugins with available version updates. An updated version that is available for a plugin is displayed in the column labeled “Version” where applicable.

Codebase Manager also automatically scans the /plugins directory of a WordPress environment’s GitHub repository branch for security vulnerabilities and reports any identified vulnerabilities in the VIP Dashboard Plugins panel.

A pull request to update the plugin’s version can be created from within the Plugins panel.

WordPress Admin dashboard

In the WordPress Admin dashboard Plugins screen, a notice is displayed within a listed third-party plugin if an updated version is available. The notice is only accessible to WordPress users that have a role with the activate_plugins capability.

All users with any roles and capabilities can review available updates for third-party plugins in the WP Admin by navigating to Tools –> Site Health –> Info.

Plugins cannot be updated or installed from within a site’s WP Admin dashboard.

WP-CLI

The WP-CLI command wp plugin list can be run with VIP-CLI to retrieve a default set of information about all plugins installed on a site. The retrieved information includes a column labeled update which indicates if an updated version is available for a plugin and a column labeled update_version which displays the version number of the available update.

Example output for retrieving information about the plugins installed on the develop environment of the “example-app” application with the command wp plugin list:

$ vip @example-app.develop -- wp plugin list
+------------------+----------+-----------+---------+----------------+-------------+
| name             | status   | update    | version | update_version | auto_update |
+------------------+----------+-----------+---------+----------------+-------------+
| example-plugin-1 | inactive | none      | 1.0.0   |                | off         |
| example-plugin-2 | active   | available | 1.3.4   | 1.4.1          | off         |
| example-plugin-3 | active   | none      | 1.0.0   |                | off         |
+------------------+----------+-----------+---------+----------------+-------------+

Plugins cannot be updated or installed with WP-CLI for a VIP Platform environment.

Update a plugin

A third-party plugin can be updated by committing the newer plugin version to the deploying branch of a VIP Platform environment.

To ensure the stability of a production site’s performance and security the newer version of the plugin should be thoroughly tested. Begin by locally scanning the updated version of the plugin with PHPCS and testing the plugin on a local development environment.

Test the updated version of the plugin on a non-production VIP Platform environment before creating a pull request against the branch deploying to the production environment.

Pull requests that add or update plugins and themes will be scanned by the VIP Code Analysis Bot’s Vulnerability and Update Scan. This applies to plugins and themes located in the /plugins, /client-mu-plugins, and /themes directories in the root of the application’s GitHub repository. The Bot will report if the information retrieved from the WPScan API indicates that the version of a plugin or theme being added or altered in a pull request has known vulnerabilities.