WooCommerce Updates and Vulnerabilities
Updated 11 April 2024
tl;dr
We have found that updating WooCommerce websites immediately, when updates are released, often causes problems on websites.
Problems can come from updates to WordPress core, from WooCommerce and other WordPress plugins, and from WooCommerce or WordPress themes.
For this reason, and others, we certainly do not recommend enabling automatic updates for any areas of your website.
When implementing updates always test thoroughly on a staging website first. Then take a full backup of your live website files and database so you can roll back and restore your live website quickly if there is any issue.
So, does my website have to be always updated? The short answer is no, it does not need to be always updated.
If your website is working correctly, the performance is great, your website security is in place and you have all the features you need, then why introduce potential issues and vulnerabilities by always updating?
Why Should Automatic Updates in WordPress be Disabled?
Allowing updates to occur without checking and testing first can cause serious problems. While automatic updates may seem like a quick fix for your website management, automatic updates can also wreak havoc. Here are some of the scenarios you should be aware of.
Your Website Can Be Stuck in Maintenance Mode
If a WordPress core, theme, or plugin update fails it can leave your website in maintenance mode. When an incomplete update occurs your site is unavailable, stuck in maintenance mode, and it will stay that way until someone notices the site is in maintenance mode, and then until the issue is found and resolved.
You Could Encounter the White Screen of Death
Your website displays nothing but a white screen (of death). If you’re experiencing this, one of the updates applied may have caused a fatal error, crashed your WordPress site and made it unavailable.
There is No Guarantee You Have the Latest Version or Latest Security Updates
Many plugins and themes have no facility to update automatically. This means some plugins, themes, etc. will be on the latest version while others will only reach the latest version when you update manually. So don't believe that your website and its security are always up-to-date with automatic updates turned on. It will never be completely up-to-date without manual intervention.
Your Website Does Not Work as Intended
Sometimes these problems are not immediately noticeable. They could be missing features, broken layouts, responsive layout problems on different devices and obscure errors. These are the hardest to find and troubleshoot as your website is usually still operational. Additionally, several automatic updates of WordPress core, themes or plugins may have taken place before you detect a problem. At this point, locating the cause of the issue can be even more complicated. Only thorough user testing of updates on a staging website will find these issues before you update your live website.
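The two places where WordPress's automatic updater is switched off, as an added example rather than code from the article or from WooCommerce: the constants go in wp-config.php, and the filters go in a must-use plugin so they apply regardless of what the per-plugin toggles on the Plugins screen say. The file name disable-auto-updates.php is an assumption; the constants and filter names are WordPress's own.

```php
<?php
// Added example (not from the article): switch off WordPress auto-updates so
// that every core, plugin, theme and translation update goes through staging.

// ===== File 1: wp-config.php (read before any plugin loads) =====

// Disables the automatic updater entirely: core, plugins, themes, translations.
define('AUTOMATIC_UPDATER_DISABLED', true);

// Redundant while the updater is disabled, but if the updater is ever
// re-enabled this still blocks unattended core upgrades (true = all,
// 'minor' = security/minor releases only, false = none).
define('WP_AUTO_UPDATE_CORE', false);


// ===== File 2: wp-content/mu-plugins/disable-auto-updates.php (assumed name) =====
/**
 * Plugin Name: Disable automatic updates
 * Description: Forces manual, staged updates for plugins, themes and translations.
 */

// Reject every per-item auto-update decision; __return_false ignores the
// ($update, $item) arguments the filters pass, so it works for all three.
add_filter('auto_update_plugin', '__return_false', PHP_INT_MAX);
add_filter('auto_update_theme', '__return_false', PHP_INT_MAX);
add_filter('auto_update_translation', '__return_false', PHP_INT_MAX);

// Hide the "Enable auto-updates" links on the Plugins and Themes screens
// (WordPress 5.5 and later), so nobody can re-enable them from the admin UI.
add_filter('plugins_auto_update_enabled', '__return_false');
add_filter('themes_auto_update_enabled', '__return_false');
```

With the updater disabled, WordPress will no longer apply minor core security releases on its own either, so the monitoring the article describes (checking changelogs and the vulnerability database) becomes your responsibility rather than something the site does for you.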
WordPress Acknowledges Issues with Updates
Posted by Automattic (company behind WooCommerce, JetPack, WordPress, etc.) recently on their JetPack blog:
"WordPress has a lot of moving parts. Any time WordPress core, a theme, a plugin, or even the PHP version that the software is operating on is updated, there’s a small chance for some conflict. If you find your site unresponsive, doing any kind of strange "looping" behavior, or with broken functionality, ask yourself if you’ve performed any updates recently."
from WordPress/JetPack blog (22/9/2023)
Does This Mean You Should Never Update Your Website?
Absolutely not, but be aware that it is likely you will encounter problems at some stage when updating WordPress core, themes, plugins and PHP versions. Therefore, when undertaking updates ensure you have tested thoroughly on a staging website prior to implementing on your live website.
Does My Website Have to Be Always Updated?
The short answer is no, it does not need to be always updated. If your website is working correctly, the performance is great, your website security is in place and you have all the features you need, then why introduce potential issues through always updating?
However, the caveat on this statement is that you must check the changelog whenever an update becomes available to determine whether it contains a security, vulnerability or bug fix, and you must also regularly check the vulnerability database to confirm whether there are updates that need to be completed.
Why Do Theme and Plugin Vendors Promote Continual Updates?
There is no surprise that those who have the most to gain from promoting the continual updating of your website are the vendors of plugins and themes. They have a vested interest in you paying their ongoing annual subscriptions so you can receive these updates.
The promoters of continuous updates to WordPress websites like to say things like:
- Updating is vital for the security, performance, and functions of your website.
- Updates provide security patches and protect against hacking attempts.
- Updates boost speed, fix bugs, and ensure compatibility with themes and plugins.
- By updating you are protecting your site from potential threats.
- Updating means security gaps are closed, making it difficult for hackers to access your site.
To these statements we can provide so many examples, especially in the last couple of years, where updates have introduced security issues, created bugs, caused incompatibilities with themes and plugins, slowed down websites, introduced threats and given access to hackers.
Why Are There Often Problems with Updates?
Even if you buy your themes and plugins only from trusted developers, the chance of bad code cannot be discounted. Faulty code could go unnoticed for weeks, and when the problems start it could take you considerable time to find the exact update that caused the issue.
Lack of Testing in Development
Developers often do not undertake a thorough testing process before rolling out updates to their themes and plugins. Have a look around any support forum and it won't take long to find so many examples of version releases causing problems and then customers waiting for a patch to fix the issue. However, in their defense, as WordPress is used on millions of sites the testing of new updates even across a significant sample of websites is difficult.
Compatibility Issues Between Plugins, Themes and WordPress Versions
On a WordPress/WooCommerce website there are so many moving parts and so many different vendors all writing code and creating features. It is no surprise, no matter how thorough the developers' testing process, that they could never test for all the different scenarios and installations on a WordPress website.
Managing Updates Successfully
Implementing a managed updates process and policy provides a good balance between staying up-to-date and the mayhem of updates gone wrong.
What Do Managed Updates Look Like?
This is an update process where updates are performed on a duplicate of your live website (staging website) at regular intervals such as monthly. The plugin/theme/core changelog should be checked to see what the reasons for an update are. If they are not bug or security fixes, and not features you need, then it may be safer to not update at this time.
Check the WordPress Vulnerability Database Regularly
You should regularly check the Wordfence Intelligence Vulnerability Database for any notices about critical security problems with your plugins and themes. If you find anything related to your installation on this database then act immediately to implement your update process.
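One way to make the regular vulnerability database check mechanical, as an added example that is not the article's or Wordfence's own code: match an installed plugin inventory against a downloaded vulnerability feed and report which installed versions fall inside an affected range, together with the patched version the staging run should target. The feed record shape below is a simplified, constructed approximation of a Wordfence Intelligence feed record, so the field names are assumptions to adapt to the real feed; the plugin slugs and vulnerability ids are hypothetical, and the inventory is in the shape `wp plugin list --format=json` produces.

```php
<?php
// Added example (not from the article): flag installed plugins whose version
// lies inside an affected range in a vulnerability feed. Feed field names are
// an assumption modelled loosely on the Wordfence Intelligence feed.

declare(strict_types=1);

// Constructed inventory, as produced by `wp plugin list --format=json`.
const INSTALLED_PLUGINS = [
    ['name' => 'woocommerce',            'version' => '8.0.0'],
    ['name' => 'example-checkout-addon', 'version' => '2.2.0'],  // hypothetical slug
    ['name' => 'example-page-builder',   'version' => '3.11.7'], // hypothetical slug
];

// Constructed feed records (hypothetical vulnerabilities, not real advisories).
const VULN_FEED = [
    [
        'id'    => 'EXAMPLE-0001',
        'title' => 'Example Checkout Addon <= 2.2.0 - Missing Authorization',
        'software' => [[
            'type' => 'plugin',
            'slug' => 'example-checkout-addon',
            'affected_versions' => [
                ['from_version' => '*',     'from_inclusive' => true,
                 'to_version'   => '2.2.0', 'to_inclusive'   => true],
            ],
            'patched' => true,
            'patched_versions' => ['2.2.1'],
        ]],
    ],
    [
        'id'    => 'EXAMPLE-0002',
        'title' => 'Example Page Builder 3.11.0 - 3.11.6 - Privilege Escalation',
        'software' => [[
            'type' => 'plugin',
            'slug' => 'example-page-builder',
            'affected_versions' => [
                ['from_version' => '3.11.0', 'from_inclusive' => true,
                 'to_version'   => '3.11.7', 'to_inclusive'   => false], // 3.11.7 is the fix
            ],
            'patched' => true,
            'patched_versions' => ['3.11.7'],
        ]],
    ],
];

/** True when $version lies inside one affected range; '*' means unbounded. */
function version_in_range(string $version, array $range): bool
{
    if ($range['from_version'] !== '*') {
        $cmp = version_compare($version, $range['from_version']);
        if ($cmp < 0 || ($cmp === 0 && empty($range['from_inclusive']))) {
            return false;
        }
    }
    if ($range['to_version'] !== '*') {
        $cmp = version_compare($version, $range['to_version']);
        if ($cmp > 0 || ($cmp === 0 && empty($range['to_inclusive']))) {
            return false;
        }
    }
    return true;
}

/** One finding per (installed plugin, matching vulnerability) pair. */
function find_affected(array $installed, array $feed): array
{
    $findings = [];
    foreach ($installed as $plugin) {
        foreach ($feed as $vuln) {
            foreach ($vuln['software'] as $software) {
                if ($software['type'] !== 'plugin' || $software['slug'] !== $plugin['name']) {
                    continue;
                }
                foreach ($software['affected_versions'] as $range) {
                    if (version_in_range($plugin['version'], $range)) {
                        $findings[] = [
                            'slug'      => $plugin['name'],
                            'installed' => $plugin['version'],
                            'vuln_id'   => $vuln['id'],
                            'title'     => $vuln['title'],
                            // null means no fix yet: roll back or remove the plugin instead.
                            'fix'       => $software['patched']
                                ? ($software['patched_versions'][0] ?? null)
                                : null,
                        ];
                        break; // one finding per vulnerability is enough
                    }
                }
            }
        }
    }
    return $findings;
}

foreach (find_affected(INSTALLED_PLUGINS, VULN_FEED) as $f) {
    printf("%s %s is affected by %s (%s): update to %s on staging first\n",
        $f['slug'], $f['installed'], $f['vuln_id'], $f['title'],
        $f['fix'] ?? 'no patched version yet, roll back or remove');
}
```

Run against the constructed data this reports only example-checkout-addon 2.2.0, because the page-builder range is exclusive at its upper bound and 3.11.7 is already the patched release; that exclusive/inclusive distinction is exactly where hand-reading a feed goes wrong. Any finding with a patched version is the trigger for the staged update process described above; a finding with no patched version is the case where rolling back to an unaffected version, or removing the plugin, is the only immediate option.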
Examples of Major Problems Caused by "Trusted" Developers' Updates
Just because a vendor or developer seems experienced, trusted and well-promoted, do not assume their products can be installed and updated without problems being introduced, either immediately or in the future.
Usually, the products from these vendors are very good, but they are not immune from causing you major headaches if you do not test their changes thoroughly before installing on your live websites.
Here are some examples of recent issues we have had to deal with when updates were released from well-known vendors and developers within the WordPress and WooCommerce space.
WooCommerce (Automattic)
One day after a major release, version 8.0, WooCommerce announced, only on their release notes website, "…a critical issue that has been identified in WooCommerce version 8.0. As a result, we are releasing an update to 8.0 to ensure the stability and reliability of your WooCommerce-powered websites."
This was a major release, after so-called testing through various beta and release candidate versions, and yet a critical error on WooCommerce websites occurred.
WooCommerce PayPal Payments (Automattic)
An update to the WooCommerce PayPal Payments plugin caused disastrous customer order problems. The update removed customer details from their orders and then created a new, empty order.
This was a horrendous error, and Automattic did nothing to let merchants know of this problem.
A problem was posted on the plugin website and this was the response:
Apologies for the inconvenience. The update 2.2.0 introduced a feature that creates WooCommerce orders upon receiving a payment confirmation webhook from PayPal. However, under certain circumstances (for instance, when using specific checkout customizations), the order creation may have been inadvertently triggered without containing all relevant buyer details.
It took at least a couple of weeks before the plugin was fixed, and in the meantime all website owners could do was roll back to an earlier version of the plugin and wait until a new version was released.
Elementor Pro (Elementor)
An incredibly dangerous problem was caused by Elementor in their Elementor Pro plugin that allowed a customer to change their access to WordPress admin and take control of a WooCommerce website. The security, privacy and data vulnerability ramifications were disastrous as hackers were able to gain complete administrator access to websites.
Elementor sent a notification to plugin license holders about the vulnerability when it was too late.
To compound the problem, Elementor did not provide the critical information that the vulnerability fix did not stop hackers who were already in a website, nor how the damage could be alleviated. If they had provided this information we could have known whether hackers were already in the websites, as updating the plugin to fix the vulnerability did not retrospectively fix the problem.
Additionally, the update that was supposed to fix the vulnerability also broke WooCommerce websites and the Elementor Pro plugin had to be rolled back to a previous version that did not have the introduced vulnerability.
Astra Theme and Astra Pro Plugin (Brainstorm Force)
Brainstorm Force promote their Astra theme with statements like "Today, Astra is the only non-default WordPress theme that powers 1 million+ websites and has the highest 5 star ratings on the WordPress repository...", however there should be a prominent warning about the problems their many updates are likely to introduce.
So many times we have found problems caused by their updates, we let them know about the issue, we usually provide them with a staging website that replicates the problem, and yet even after all of this they have great difficulty in rectifying the problems they created.
Recently an update to the Astra Pro plugin caused a fatal error and websites were not recoverable without logging in to the file system and replacing the problem version of the plugin. We let Brainstorm Force know of the problem, we provided them with the actual scenario that created the fatal error, we also provided the minor code change that would fix the issue, and yet they did not fix it. We had to implement our own workaround.
Conclusion
If your website is currently stable, performing well and there are no vulnerability notifications on the Wordfence Intelligence Vulnerability Database, rushing updates may introduce unforeseen bugs or glitches.
Over the years we have found there have been no problems when WordPress core, WordPress plugins and WordPress themes are only updated for security and vulnerability fixes.