Smart Plugin Manager (SPM)

Smart Plugin Manager is a WP Engine feature that automatically manages all of your WordPress plugins and themes to keep your environments secure.

Additionally, Smart Plugin Manager will check that the updates are working as expected, and that the update did not cause any visual problems on your site. Read more in our press release.

In the event that a plugin or theme update causes an issue, Smart Plugin Manager will automatically revert the updates and restore your site to its previous state.


About Smart Plugin Manager

Smart Plugin Manager (SPM) runs a script daily to check if there are any updates available for your plugins or themes. Smart Plugin Manager is deployed on individual environments, using one license per install and can be deployed on multisite networks (read more on this here). You can select the time of day you’d like the update service to check for updates from the Settings page.

If your WordPress site fulfills a basic purpose, such as providing marketing information for your business, we recommend enabling Smart Plugin Manager on your Production environment. If you do a lot of custom development or your website utilizes multiple applications (such as an eCommerce site), we recommend using Smart Plugin Manager on your Staging environment first so you can check that the updates don’t cause any issues with custom code or third-party applications. If you’re happy with the results, feel free to enable it on your Production environment.

Determining a Successful Update

Utilizing a proprietary set of tests and machine learning algorithms, after plugin and theme updates are run, Smart Plugin Manager checks for server response errors, broken code, and visual changes immediately after plugins have been updated. Some example visual errors that will cause a reversion and restoration are missing images and forms, misplaced iconography, PHP errors, and other visual indicators that the plugin updates causes a material change to your site.

Smart Plugin Manager makes a judgement on site functionality based on a set of verification tests. We’re constantly improving the technology and verification mechanisms so false positives/negatives may occur. If an update breaks your site but was passed by Smart Plugin Manager, you can restore using WP Engine’s backup system. Likewise, if Smart Plugin Manager believes the updates broke your site when it seems to be fine, you can still manually update your plugins. If you experience one of these issues, please contact Support.


Visual Regression Testing

Visual regression testing (VRT) refers to the process of visually checking a series of pages before and after updates are performed for discrepancies. This is especially powerful because basics tests only look for error codes, whereas VRT can be used to determine if the website looks incorrect.

Smart Plugin Manager checks the homepage by default. If you add a sitemap (whether through the sitemap setting or a sitemap plugin), it will check and run verification on up to 20 listed pages, including the homepage. If there are more than 20 pages listed in your sitemap, it will do your homepage and a randomized 19 other pages from the entirety of the sitemap. If there is a failure on any page, Smart Plugin Manager will roll back the plugin updates and restore your entire site to its previous state. Additionally, SPM can be told to ignore specific items if necessary. For example, a calendar widget is expected to vary visually but doesn’t indicate an update failure.

If you have particular areas of the site that may naturally look different, like a calendar widget, the CSS can be easily excluded.

WooCommerce

For websites that have the WooCommerce plugin activated, VRT will automatically check the cart page, checkout page, my account page, up to 3 random category pages, and 13 random product pages. These specific URLs are:

/cart
/checkout
/my-account
/product-category/your-category-name
/product/your-product-name

In the case that you are not utilizing the above product or category URL structure, WooCommerce will be queried first for current URLs using the IDs (EX: domain.com/?product=111.)

If you prefer to override the VRT for these default URLs, this can be done simply by using a custom sitemap.


Multisite

Smart Plugin Manager supports WordPress multisite, although there are some caveats. Additionally, SPM will enable maintenance mode on all subpages when updates are running.

If you wish to use SPM on a multisite network, we recommend the following configuration:

  • Activate plugins network-wide, or activate all plugins on the main site
  • For private and commercial plugins, enter the license credentials, subscription key, or download key on the main site
  • Use WP Engine’s backups instead of a 3rd-party WordPress plugin for backing up all of your subsites, to avoid keeping the main site for a long time in maintenance mode during SPM updates

Visual Regression Testing functions a little differently when applied to multisite networks. There are two ways pages will be tested for failures:

  • In a multisite network with under 20 sites (19 subsites + main site), VRT will test;
    • The homepage of the main site
    • The homepage of all subsites
    • Custom SPM sitemap
      • Up to 20 URLs in total, including any homepages that will be tested above.
      • Custom sitemap can be for the main site only and URLs only.
  • In a multisite network with over 20 sites (19 subsites + main site), VRT will test;
    • The homepage of the main site
    • The homepage of up to 49 subsites
  • In a multisite network with over 50 sites (49 subsites + main site), VRT will test;
    • The homepage of the main site
    • The homepages of the first 49 subsites created
    • A custom SPM sitemap will be ignored
    • Subsites 51 and greater will not be checked

*The main site is defined as the site ID 1 and uses the wp_options table (as opposed to wp_2_options, etc). This is the first site on the network and the site that cannot have the domain updated in the wp-admin.


Update Failures

If a plugin fails to update, we will stop trying to run the updates and you will receive a notification alerting you to which plugin(s) or theme(s) failed to update so you can investigate. Smart Plugin Manager will attempt updates for three more days.

If updates are performed successfully but we detect an issue after updating, such as a 4XX/5XX error or a material change to the look of your site using VRT, the system will automatically revert your site back to the state prior to running the updates.

After three days, the system will attempt to update each plugin/theme individually and will skip updating the specific plugin or theme that caused the failure while still updating the other components. You will need to manually update the plugin or theme that causes the failure before it will properly update automatically.

Be sure to also check your website against Smart Plugin Manager’s limitations, detailed in this section.


Git Support

All of Smart Plugin Manager’s features, including the Visual Regression Test, Auto Site Rollback, and Notifications, can be leveraged for a Git-hosted plugin or theme by first connecting your website with Github. This means you can push updates to a custom plugin or theme via GitHub and have those updates download automatically to any website where Smart Plugin Manager is active.

In order to connect your website to the Github repository, we recommend using either the GitHub Updater or Plugin Updates Checker plugin. These tools can automatically make a pending update for your custom plugin or theme visible in the wp-admin area of your site, which will then notify Smart Plugin Manager to initialize that update. Details on how to configure a plugin or theme to sync these tools can be found in their own documentation: Github Updater Setup Guide and Plugin Update Check Getting Started Guide.

Finally, when utilizing Git on a website using Smart Plugin Manager the following should be added to the gitignore file:

# smart plugin manager specific 
wp-content/plugins/*
wp-content/.logs/
autoupdater_maintenance_mode_enabled.tmp

Downloadable gitignore files including these SPM-specific paths can be found in the full Git guide here.


Limitations

Smart Plugin Manager is able to update any WordPress site. SPM can also update websites that are password-protected (HTTP Basic Authentication) only if it was set up in the WP Engine User Portal and not by a 3rd party solution. However, there are a few situations where SPM may run into issues:

Allowlist Smart Plugin Manager

Additional security layers, such as 2FA and WAF, will require Smart Plugin Manager be whitelisted in that service. The SPM IPs that must be allowed are:

  • 35.186.183.60
  • 35.221.41.251
  • 35.236.216.128
  • 35.245.159.253
  • 35.245.210.234
  • 35.245.251.214
  • 35.245.50.252

Caching Services

To ensure maintenance mode can enable and disable correctly, Smart Plugin Manager should be allowed in any additional caching layers (Sucuri, WP Optimize plugin, NitroPack, Cloudflare, etc). More specific instructions are detailed below:

NitroPack

If your website is utilizing the NitroPack optimization plugin you will need to exclude a Smart Plugin Manager cookie to prevent any interruption in our update services.

Cookie name: autoupdater

Cookie value: 1

Learn how to exclude a cookie in NitroPack.

Sucuri

Cloudflare

Ensure the SPM IP addresses are whitelisted in Cloudflare. Learn more on Cloudflare here.

Two-Factor Authentication (2FA)

If your website is utilizing a two-factor authentication plugin or service (2FA) then you must add the SPM IP addresses to the allowed list to ensure SPM can access the WP-Admin.

If you use Duo for WordPress, then configure Authorized Networks > Allow access without 2FA from these networks. Read the full documentation on Duo.

Web Application Firewall (WAF)

If requests to a website from SPM could be denied by a WAF (web application firewall), you may need to add SPM requests to the allowed list. Those requests will contain the header named autoupdater and come from a static set of IP addresses.

Stackpath WAF

Create a custom WAF rule with the WAF rule editor:

  • Under Rule Type, select WAF.
  • Next to IF, select a rule type Header.
  • In the next drop-down menu select — to apply the rule only to the specified header.
  • In the field, enter the header key autoupdater
  • In the next drop-down menu select Contains.
  • In the field, enter the header value . (dot).

Learn more about Stackpath WAF rules.

Cloudflare WAF

Add a rule to allow access by header name:

any(http.request.headers.names[*] == "autoupdater")

Alternatively, add a rule to allow access by URI:

any(http.request.uri.args["autoupdater"][*] == "api") or any(http.request.uri.args.names[*] == "autoupdater_nonce")

Learn more about Cloudflare WAF rules.

Wordfence WAF

In your WP-Admin panel go to Wordfence > Firewall and click “All Firewall Options”.

Next, expand “Advanced Firewall Options” and enter SPM’s IP addresses into the “Allowlisted IP addresses that bypass all rules”.

Be sure to save changes!


Enable Smart Plugin Manager

Customers on shared hosting plans can add Smart Plugin Manager through the Modify Plans page. Customers on dedicated plans, please reach out to your Account Manager through this page.

After purchasing the addon, enable Smart Plugin Manager on the environment of your choice via the User Portal:

  1. Log into the User Portal
  2. Select Tools from the left menu
  3. Click Smart Plugin Manager
  4. Click Add Environments
  1. Select any environments you’d like to enable Smart Plugin Manager on
  2. Click Add to SPM
  1. The “WP Engine Smart Plugin Manager” WordPress plugin will automatically be installed on these environments.

NOTE: The number of remaining licenses will display at the top right of this page.


Smart Plugin Manager Status

Status by environment can be viewed at a glance from the Sites page of the User Portal.

Statuses shown here are the following, hover for more information: Plugins are up to date (green check), plugins not updated (red x), there was an issue updating plugins (orange exclamation point), next run (black clock icon), activate an SPM license on this environment (purple plus sign).

A more detailed report about the previous Smart Plugin Manager run can be found in the User Portal. This report contains the same information that is sent via email notice when the process completes.

  1. Log in to the User Portal
  2. Select Tools from the left menu
  3. Click Smart Plugin Manager
  4. Locate the environment name
  5. Click the 3 dot menu icon to the right
  6. Select View Status

The status page will show if the updates failed or succeeded and if a rollback was necessary. The page also details which plugins were updated and to which version. This status page only shows the previous round of updates and is not cumulative.

Additionally, SPM statistics for the current billing period can be found on the Billing > Plan Usage page of your User Portal. This includes the number of plugins updated, number of URLs tested, and a cumulative estimate of time saved.

Learn more about the Plan Usage page.


Smart Plugin Manager Settings

There are two ways to access the settings for Smart Plugin Manager in the User Portal. The method you use depends on if you wish to edit the settings for one environment at a time, or multiple.

  1. Log into the User Portal
  2. Select Tools from the left menu
  3. Click Smart Plugin Manager
  4. Check off environment(s) from the list to modify settings
  5. Click Edit Settings

Update Schedule

Select a timeframe to attempt the update process. It’s recommended to choose a low traffic period for your website.

  1. Frequency: Daily or Weekly rate the environment(s) will be checked and updated.
  2. Time of week: Whether the process will check only on weekdays or weekends, or if neither is preferred.

NOTE: The weekend starts at 0:00 UTC on Saturday, and includes Fridays in other time zones.

  1. Time zone: The time zone the update process should refer to. We suggest setting this to match your primary visitor time zone.
  2. Window: The time frame updates will be performed, times will reflect the time zone selected.

Smart Plugin Manager will try to run on the first day within the timeframe selected. For example, if SPM doesn’t start the update on the Saturday in the selected time window, it will be rescheduled for the next day (Sunday) with higher priority at the same time. If that fails, it will reschedule it for next Saturday, unless the settings are updated with a new run time and date.



Notification Emails

Enter email addresses, separated by commas, to receive notifications. Notifications can be sent for successful updates, or only if an update fails.

NOTE: Currently, theme update information is not included in the notification emails. Our developers are working to add this content as soon as possible.


Auto Rollback

Smart Plugin Manager creates a backup using WP Engine’s automated backup and restore system prior to making any changes to the website. SPM will restore to this previous version (“roll-back”) if it determines using visual regression testing or error codes that the updated version may have altered the website.

Choose whether or not the rollback process should be automatic by toggling.


Maintenance Mode

Turn maintenance mode on or off to protect against data loss or missed orders while Smart Plugin Manager is updating plugins.

Site visitors will see a default “Undergoing maintenance” page, temporarily denying any traffic to the site.

If you wish to customize this maintenance page copy the file wp-content/plugins/autoupdater/tmpl/offline.tmpl.php to wp-content/autoupdater/tmpl/offline.tmpl.php
and adjust the styling within it. It is not recommended to use any PHP code in this file.

To ensure maintenance mode can enable and disable correctly, Smart Plugin Manager IPs should be allowed in any additional caching layers (Sucuri, WP Optimize plugin, NitroPack, Cloudflare, etc).


Managed Plugins

Select which plugins Smart Plugin Manager should attempt to update or ignore. By default, Smart Plugin Manager will attempt to update all plugins.

Each list is generated uniquely for each environment. This option is only available when editing the SPM options for a single environment.


Hidden Content

Smart Plugin Manager uses visual regression testing to help determine if an update failed. Use this to hide content that may change regularly, such as ads, recent posts, or calendars.

This field accepts CSS selectors separated using the Enter or Return key.


Managed Themes

Using the same processes and features as plugin updates, Smart Plugin Manager can also update themes. SPM can update themes that are publicly available on the WordPress repo, and cannot update any private themes or themes that require manual updates directly from a developer.

When updating a theme all of its files are typically overwritten, therefore custom content should be placed in a child theme. This is a default function of WordPress and is important to keep in mind when activating SPM managed theme updates.

Managed theme updates are disabled by default. To enable managed theme updates, simply click Activate, then select the themes that should be managed from the list.


Sitemap Override

By default, Smart Plugin Manager will check 20 random pages, always including the homepage, after an update.

To ensure specific pages are always reviewed by Smart Plugin Manager, provide the URL to a custom sitemap you’d like Smart Plugin Manager to choose from instead. This sitemap should be entered into the SPM options as an absolute path.

Sitemap override is only available when editing options for a single environment.


Release License

Releasing an SPM license will disable Smart Plugin Manager on the selected environments. The Smart Plugin Manager plugin will be removed automatically and a license will be freed up for use on another environment. This process may take a few minutes to complete.


NEXT STEP: Learn how to upgrade your PHP version