There have been a few comments recently from people using old versions of plugins (pre-Gutenberg) and just choosing not to update them. On most of my sites I’m now using my own version of the GeneratePress theme that I have modified.
I am wondering about potential issues that may arise from this. Obviously security is the main concern. Are people who are using old versions of themes/plugins actively monitoring developments and checking for security updates? And then what… do they somehow code that into their old version? Should I be concerned about this with my theme?
These are good questions. The main issues are security and support.
In terms of support, most developers will only support back to so-many-versions. If something breaks, it’s probably on you to figure out a solution. For some, this will be a roadblock – for others, not so much. It really depends on “you”.
In terms of security, unless there is still a large userbase on your particular version of the plugin, it likely won’t get any security updates. This means you are responsible for signing up for all the security site notifications and for actively monitoring them, as well. Also, using an audit log plugin will be an absolute must, just in case, as will be (IMO) daily backups. And, you’ll have to keep up with current developments of the current versions and keep your eyes peeled for any security-related items. In case it’s not clear: it’s a nightmare.
All that said, it’s important not to take this post as a suggestion to apply “better practices on top of bad practices”. The recommendation and best practice will always be:
Always update plugins and themes to their latest versions.
See, if there’s a “feature update”, then it’s not such a big deal to skip the update, but, if it’s a “security update”, then it behooves users to apply it. Unfortunately, as we have seen in the past, some developers have applied security patches without indicating that they were security-related which can cause some folks to think they don’t need the update when, in fact, they really do. On the other hand, I have my doubts that many people bother to read the changelog, anyway – so, generally speaking, users should just always be updating along with the plugin’s releases. For those who choose to run old plugins/themes, they do so at their own risk.
These days I am using https://wordpress.org/plugins/wpscan/ which works quite well for plugins that are installed on the same site.
If you need to keep an older version of a plugin installed, but you don’t want it to nag you about updates in the dashboard, then one thing you can do is update the version number in the main plugin file from e.g.
However this breaks security notifications from the service I mentioned above.
What other methods/sources do you (and anyone else) have for keeping up to date with plugin/theme vulnerabilities?
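One way to silence the dashboard update nag for a pinned plugin without editing its Version header, so a scanner that reads plugin headers (as the WPScan plugin mentioned above does) still sees the real version. This is an added example mu-plugin, not code from this thread or from WPScan; the plugin basename is a placeholder and the hook names are standard WordPress ones.

```php
<?php
/**
 * Plugin Name: Pin Legacy Plugins (example mu-plugin, drop into wp-content/mu-plugins/)
 * Description: Hides "update available" entries for deliberately pinned plugins
 *              while leaving their real Version header untouched.
 */

// Plugin basenames (directory/main-file.php) that are intentionally kept on an old version.
// Placeholder value: replace with the plugins you actually pin.
const PINNED_LEGACY_PLUGINS = [
    'example-legacy-plugin/example-legacy-plugin.php',
];

// WordPress stores pending plugin updates in the update_plugins site transient;
// filtering it is how the dashboard decides what to nag about.
add_filter( 'site_transient_update_plugins', function ( $transient ) {
    if ( ! is_object( $transient ) || empty( $transient->response ) ) {
        return $transient;
    }
    foreach ( PINNED_LEGACY_PLUGINS as $basename ) {
        // Remove only the pinned plugins; every other plugin still shows updates.
        unset( $transient->response[ $basename ] );
    }
    return $transient;
} );

// Keep the pin visible to administrators so the "real" version is never forgotten:
// the version shown here is read from the plugin header, exactly as a scanner sees it.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $installed = get_plugins();
    $lines     = [];
    foreach ( PINNED_LEGACY_PLUGINS as $basename ) {
        if ( isset( $installed[ $basename ] ) ) {
            $lines[] = esc_html( $installed[ $basename ]['Name'] . ' ' . $installed[ $basename ]['Version'] );
        }
    }
    if ( $lines ) {
        echo '<div class="notice notice-warning"><p>Pinned legacy plugins (updates hidden, check advisories manually): '
            . implode( ', ', $lines ) . '</p></div>';
    }
} );
```

Because the header is untouched, the plugin still appears in the scanner's results under its true version, and the admin notice records which plugins need manual advisory checking.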
I’ve also bumped version numbers to prevent update notifications – and I just keep track for issues with the “real” version number. I also keep up with pluginvulnerabilities.com – while I’m not overly fond of the adversarial nature the disclosures have taken, I think it’s often the first site to expose issues, so, I still go there quite a bit. I should add that I’m “only” using 2 old plugins… and even just 2 is a lot of work to keep up on.
And even if they do, “Fixed potential XSS vulnerability” is unlikely to mean anything to a lot of people.
Plugins to manage plugins. Can we now have a plugin to manage the plugin that manages the plugins?
Joking aside, this does put us in a bit of a quandary. The plugins suggested by @james and @joyously are all helpful in their own way but there will come a point when these too can no longer be updated - unless we can get them to support ClassicPress.