Updated: June 14, 2021

How To Auto-Update Vulnerable Plugins With Patchstack?

Agnes Talalaev
from patchstack

Introducing the Patchstack feature to auto-update vulnerable plugins on the Component page on Patchstack app.

Patchstack is helping web developers and digital agencies protect their whole client portfolio. Our focus on component security is helping agencies and developers feel more confident in offering care plans and keeping all their sites protected.

The auto-update feature available in the Patchstack app helps you to set up automatic updates. If there is a vulnerability in any of the components (plugins, CMS, themes) you use on your sites, you will receive an update.

This will help you to reduce site management time drastically. It gives you peace of mind, that Patchstack protects your sites and auto-updates vulnerable plugins whenever there’s a possible threat.

What are the biggest challenges for freelancers and digital agencies in 2020? Read the Website Security Survey Report 2020 to find out.

What is a component?

A component is a piece of code that makes up your website.

Let’s take a WordPress site as an example. WordPress sites are built or put together using components. Components are for example the CMS (WordPress core), the plugins or themes you use.

Most of the time, components are built by someone else and therefore you rely on their experience, coding skills, and trust that what they have built is safe and secure.

A worrisome fact is that third-party components, such as plugins and themes account for 98% of the security issues in the WordPress ecosystem.

This is why we are focusing a lot of work on fighting the component security problem and helping you to protect your sites with the help of the Patchstack app, Patchstack Red Team, and Patchstack database.

How does the components page help?

The components page allows you to see a quick overview of all outdated and vulnerable plugins and themes on all your sites. It will give you a full overview of all the components you have on your site.

The components page will tell you how many different software you have installed on your sites, which sites are outdated, and which are vulnerable. You will also see how many of the installed plugins or themes are outdated or vulnerable.

Some of the features include the ability to update:

  • Everything on all sites
  • Specific sites
  • Specific components on all sites
  • Only vulnerable or outdated components

The auto-update feature in the Patchstack app also makes it possible for all new updates to be installed on your sites right away without requiring any interaction.

There is also an option to only execute auto-update against plugins that have vulnerabilities.

Note that in order to execute auto-updates or to adjust the auto-update settings you need to update the Patchstack plugin. The installed Patchstack plugin version must be at least 2.0.11.

You can learn how to check which version of the Patchstack plugin you have installed here.

How to use the component management feature?

Once you are logged into the portal you see a new menu item called “Components”. You can see it in the menu on the left side. The component page contains several tabs which are described below. Clicking this will default to the overview tab on this page.


This will show an overview of your WordPress sites and their component statuses. You can see the WordPress version, Patchstack version, number of components, how many are outdated, and how many are vulnerable on each site individually.

Auto-Update vulnerable plugins

There will be buttons at multiple places that you can click to execute specific update actions as described above. 


It displays the status (name, current version, new version, security risk status) of all your sites of the following components: WordPress core, plugins, and themes.

Auto-Update vulnerable plugins

Components page showing plugins used on sites added to the Patchstack app.

There will be buttons at several locations that can be clicked to execute specific actions against these components.


We log all failed and successful update actions for your own records and to determine why an update failed. In case an update failed, this will also show a more detailed error as to why it failed to execute the update.

Auto-Update vulnerable plugins

Note that this will only display updates executed on the component page and not updates that were executed by any other means.

How to auto-update vulnerable plugins?

To perform WordPress auto-update only on vulnerable plugins or the software installed on your websites you need to navigate to the Auto-Update Settings page. This allows you to see the current auto-update settings of your WordPress sites with the ability to update them on all sites individually or globally.

The auto-update feature is executed on the site itself. It means that the current status is retrieved from your sites one at a time. We don’t store the auto-update date settings on our side.

The auto-update status can hold 3 different statuses: disabled, enabled and unknown.

If a site has its status set to unknown, it means that we could not retrieve the settings from the site due to not being able to reach the site, timing out or the site returning an invalid response that we could not parse.

What are components?

A component is a piece of code that makes up your website.

Let’s take a WordPress site for an example. WordPress sites are built or put together using components. Components are for example the CMS (WordPress core), the plugins or themes you use.

How to protect sites from plugin vulnerabilities?

We are focusing a lot of work on fighting the plugin security problem and helping you to protect your sites with the help of the Patchstack Red Team and Patchstack app.

In order to protect your sites from plugin vulnerabilities, you need to monitor updates and vulnerabilities. We send daily automatic updates (virtual patches) to Patchstack to make sure the sites are protected.

How to enable auto-updates on WordPress websites?

Patchstack allows you to auto-update all your WordPress sites from one dashboard. You have the ability to update all sites individually or globally. You can also choose to update only vulnerable sites.

Can I auto-update vulnerable plugins only?

Yes, with Patchstack you have the possibility to update vulnerable plugins automatically.

Start your 7-day free trial and join 50,000+ other developers
Get Patchstack
Share This Article

Start your free 7-day trial and join 50,000+ other businesses

Get started now