Vulnerability Concern From the Plugin or From Not Updating the Plugin?

At our company we use a good handful of plugins, most notably WooCommerce. The way that we have things integrated, and the systems built around that, mean that doing wholesale updates are usually going to involve a lot of fixes and debugging. But, in eCommerce, staying up to date with security fixes is a MUST. To that end, we’ve implemented a system of using composer to install our plugins at a fixed version, and then used composer patches to ensure we can continue to port security fixes into our codebase.

See this blog post for a detailed explanation.

A simple guide would be:

  • Add composer-patches to your project
  • Configure your project to use either a list of patches, or a patch list file as detailed in the configuration section
  • Create some patches, we keep ours in a patches folder in the project root
  • Run composer install

You can also use remotely-hosted patches, but we prefer to keep all of ours local to the project.

This system allows us to keep up-to-date with security fixes, and possibly bring in bug fixes (or fix things ourselves) without having to go through the trouble of doing complete version upgrades and possibly spending days fixing things to work.

Related Posts:

  1. Why “Contact Form 7” doesn’t update PHPmailer library?
  2. Why users disable the WordPress update?
  3. Upgrading WordPress 4.0 asks for FTP password
  4. How can we deal with unmaintained plugins with vulnerabilities?
  5. Malware installation during plugin update?
  6. How can I disable new plugin and theme install, but allow updates?
  7. Updates for a private plugin?
  8. What security concerns should I have when setting FS_METHOD to “direct” in wp-config?
  9. What Are Security Best Practices for WordPress Plugins and Themes? [closed]
  10. what is the correct way to update a plugin via tortoise svn to the repository?
  11. An unexpected error occurred. Something may be wrong with WordPress.org or this server’s configuration
  12. Can I upgrade a plugin to a specific version?
  13. Does WordPress contain “default” anti-SQL injection code that responds with a 404 error?
  14. Which files get updated in a plugin update?
  15. What does a security risk in a plugin look like?
  16. WordPress Capabilities: edit_user vs edit_users
  17. Updating WordPress – the best approach (updating wp core, plugins and db)
  18. plugin wants to update to wrong plugin
  19. How to update WordPress plugin readme.txt description page without triggering a plugin update?
  20. How can a plugin run a script after being updated in MultiSite?
  21. How to update plugin without overwrite custom code
  22. What Triggers a Plugin Update Alert
  23. Should I use RIPS tool to test my themes and plugins?
  24. How many security plugins are too many? [closed]
  25. Will WordPress username displayed somewhere in the site?
  26. Plugins won’t update when WordPress says they’re updated
  27. How Restrict access to admin dashboard by specific static ip?
  28. Protecting against malicious code in WordPress plugin updates
  29. Override plugin functions in functions.php
  30. Skip file when plugin updated
  31. How to limit WordPress pages during updates?
  32. rms_unique_wp_mu_pl_fl_nm.php
  33. Security issues with WP sites
  34. Security checking in meta_box save is reluctant?
  35. Function to see how many plugins on a site need updating
  36. Force Plugin Updates: “Update Failed: Plugin update failed.” after update one plugin
  37. Can’t update/install plugins or WordPress
  38. The safest way to automate WordPress backups
  39. wp_create_nonce function doesn’t work inside a plugin?
  40. How to update plugins with database updates if I use svn
  41. Does WordPress validate inputs to all functions? (such as get_user_meta and insert_user_meta)
  42. Display update notification messages like ‘What’s New’
  43. Headers Content-Security-Policy CSP Major Issue
  44. Nonce failing on form submission
  45. `plugins_api()`: why does a commercial plugin changelog link result in a tailing plugins repo check and 500 error? [closed]
  46. After upgrade to php 7 plugin/them updates broke [closed]
  47. Some recent plugin updates have failed “Could not create directory”
  48. How to test ‘upgrader_process_complete’ hook in plugin development?
  49. What happens if I don’t update my plugins?
  50. My homemade plugin is trying to update to someone else’s plugin
  51. Can some vulnerabilities in plugins be exploited even when the plugin is inactive?
  52. Prevent direct access to WordPress plugin assets?
  53. What is a rock solid development and deployment workflow? [closed]
  54. Too many login attempts
  55. Is there any pre-existing plugin to track and block IPs with suspicious activity on my site?
  56. Is there a maximum length to a WordPress Page?
  57. How to execute plugin and theme updates from a web hook / endpoint?
  58. Get site url and updates data, then use them
  59. Custom API plugin to execute 3rd party API to retrieve data
  60. how do I secure my WP website from hackers? [closed]
  61. Updating WordPress across multiple versions
  62. How to add update function to plugin without adding it to https://wordpress.org/plugins/ [closed]
  63. Webservice credential storage [duplicate]
  64. Cannot add edit themes and add plugins after multisite update
  65. Regarding plugin security
  66. Remove updates text on plugin or themes list page
  67. Is this plugin safe to run?
  68. What would make the plugin update process to complete but don’t report as such?
  69. Is the Block Bad Queries Plugin Still Relevant?
  70. Hide plugins and theme from public
  71. Security of a WordPress Plugin
  72. WordPress asks to update a plugin already updated
  73. prevent anonymous access to WordPress site (non-admin site)
  74. Block plugin update possibilities (but not by hiding notifications)
  75. Unable to update plugins or log out
  76. Bing/msn bots is heavily requesting random of my website
  77. Update a previous version of plugin when the new plugin is built from the scratch
  78. Securing a plugin pop-up window
  79. WP core and plugin updates fail AWS
  80. Gutenberg editor in WordPress 5.0.3 /wp-json/wp/v2/pages/4713/autosaves?_locale=user 500 (Internal Server Error)
  81. Website content not displayed anymore after updates
  82. Unmatch plugin from updates?
  83. Update and remove buttons are hidden in plugin’s page
  84. Pause form submissions while upgrading plugins
  85. Why all my wordpress sites keeps telling me that everything is up to date at /wp-admin/update-core.php?
  86. Surviving WordPress and plugin updates
  87. How can i see/log all requests coming from a registration form (not from the UI)?
  88. Write mysql credentials in plugin
  89. Site is continuously accessing by several IPs
  90. SWF in wordpress post
  91. File permissions for wp-minify plugin
  92. What is the recommended way to be notified of security updates to my plugins? [closed]
  93. Manually updating a plugin , is it overriding the previous settings of the plugin?
  94. Plugin update warning
  95. Self-hosted Plugins & Themes store with auto-updates? [closed]
  96. Console errors after WordPress Update 6.1
  97. How to Enfroce Domain Licensing Limits? [closed]
  98. Can WordPress updates take down site functions?
  99. Failed to update a post when I add a taxonomy to it
  100. Stop the user if login from the cookies