Over the weekend, the WordPress plugin directory implemented a major change that better reflects how popular a plugin is. The number of total downloads has been replaced with the number of active installs. While the numbers are not exact, they’re close enough to give people insight into usage.
When it comes to reporting WordPress plugin security vulnerabilities, this is a welcome change. The active install numbers give the media a better idea of how many sites are potentially at risk. Along with the active install count for a given plugin, we can also see a breakdown of which versions are in use.
Using Outdated Versions of Plugins
With Jetpack, we see that nearly 40% of sites use the latest version while the remaining 60% or so use an older version.
Yoast SEO is split down the middle, with 50% of sites using the latest version and the other 50%, taken together, using an older version.
Only a quarter of the sites using Contact Form 7 are using the most recent version, while nearly 75% combined are using an outdated version.
For other plugins, the trend is the same: a majority of sites are running older versions. For all the effort spent telling users that keeping a site up to date is a baseline security practice, these are sobering statistics.
Time to Auto Update All The Things
While I realize there isn’t always an immediate need to update a plugin unless it’s a security release, it’s a good idea to keep them updated regardless. These statistics suggest that the only way to keep as many sites as possible current is to turn on automatic updates by default for major releases, minor releases, plugins, and themes.
A move like this would likely generate a lot of pushback, especially from those who already dislike WordPress’ current implementation because there is no option in the WordPress backend to configure it. However, the numbers show that millions of sites are running outdated code, by choice or by neglect, and that is unacceptable.
The WordPress development team is in a position to help make the web safer for everyone. If all it takes to get people to support automatic updates for themes, plugins and core, is to add some UI to the WordPress backend to configure them, then so be it. I think it’s a small price to pay to quickly improve the situation and move in the right direction.
While I don’t like having my hand held by software to keep things up to date, it appears there is no other choice. Automatic updates for minor core releases are a good first step, but everything needs to auto update, because leaving the responsibility to users is clearly not working.
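A site owner who agrees with this does not have to wait for a UI: the filters that drive background updates shipped with core in 3.7 and can opt a site in to everything. The following is an added example, not code from the original post or from the WordPress project, of a must-use plugin that turns on automatic updates for core (major and minor), plugins and themes, while holding back any plugin or theme slug on a local list. The hold-list entries and the function name are placeholders for illustration.

```php
<?php
/**
 * Plugin Name: Opt in to automatic updates for everything
 * Description: Added example (not from the original post). Copy into wp-content/mu-plugins/.
 */

// Refuse to run outside WordPress.
defined( 'ABSPATH' ) || exit;

// Slugs that must NOT auto update (e.g. locally patched code). Hypothetical entries; edit for your site.
function example_auto_update_hold_list() {
    return array(
        'plugins' => array( 'locally-patched-plugin' ), // hypothetical slug
        'themes'  => array(),
    );
}

// Make sure nothing else has switched the background updater off.
// (The AUTOMATIC_UPDATER_DISABLED constant feeds this same filter.)
add_filter( 'automatic_updater_disabled', '__return_false' );

// Core: minor releases are on by default since 3.7; add major releases as well.
// Do not define WP_AUTO_UPDATE_CORE as false in wp-config.php or core updates stop entirely.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins: core passes the update-API object; $item->slug is set for wordpress.org plugins.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $hold = example_auto_update_hold_list();
    if ( isset( $item->slug ) && in_array( $item->slug, $hold['plugins'], true ) ) {
        return false; // keep the held plugin on its current version
    }
    return true;
}, 10, 2 );

// Themes: the update object carries the theme directory name in $item->theme.
add_filter( 'auto_update_theme', function ( $update, $item ) {
    $hold = example_auto_update_hold_list();
    if ( isset( $item->theme ) && in_array( $item->theme, $hold['themes'], true ) ) {
        return false;
    }
    return true;
}, 10, 2 );
```

Two checks before relying on this: the web server user must be able to write the WordPress files (the updater falls back to FTP credentials otherwise), and a site checked out from version control is skipped by the background updater by design, so those deployments still need an update step in their own pipeline.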