Joost de Valk who is pretty popular these days, especially after the release of his Yoast SEO Plugin tells us the story of how one of his sites was hacked because a theme containing the TimThumb vulnerability was not updated. If that were not interesting enough, Joost shares a statistic that doesn’t surprise me one bit. According to Joost, after he releases an update to his plugins, he rarely sees more than 20% of the user base upgrade within the first week.
We, as a community, need to get better at that.
I agree. People such as myself have harped on the fact that people need to start upgrading their WordPress installs sooner rather than later once an update has been released. I don’t have the numbers to back it up but I’m willing to bet that thanks to the easier upgrading processes built into WordPress, there is a larger number of people updating within the first week compared to when users had to manually upload the updated files to the server.
As if keeping abreast of updates for WordPress were not enough, users have to be vigilante on knowing when there are updates for both plugins and themes. Despite WooThemes publishing the information on their website regarding the security flaw and the associated fix, Joost still became a victim one month later. It seems as though KNOWING about the update is at least half the battle. Therefor, what do you think is the best way or ways to keep users abreast of updates for plugins and themes, especially as it relates to security releases? As it stands, the only time I know of when a plugin or theme needs to be updated is when I’m at the dashboard screen and I see the notifications. Should there be a built-in function in WordPress that plugins as well as themes can use to send email notifications to administrators when an update is available? Or, do we rely on plugin and theme authors to individually come up with ways to help their user base keep in touch with updates?
I use the WP Updates Notifier plugin and it works wonders. This should be baked in WP core, IMO.