Smart Plugin Manager (SPM)

Smart Plugin Manager is a WP Engine feature that automatically manages all of your WordPress plugins and themes to keep your environments secure.

Additionally, Smart Plugin Manager will check that the updates are working as expected, and that the update did not cause any visual problems on your site. Read more in our press release.

In the event that a plugin or theme update causes an issue, Smart Plugin Manager will automatically revert the updates and restore your site to its previous state.


About Smart Plugin Manager

Smart Plugin Manager (SPM) runs a script daily to check if there are any updates available for your plugins or themes. Smart Plugin Manager is deployed on individual environments, using one license per install and can be deployed on multisite networks (read more on this here). You can select the time of day you’d like the update service to check for updates from the Settings page.

If your WordPress site fulfills a basic purpose, such as providing marketing information for your business, we recommend enabling Smart Plugin Manager on your Production environment. If you do a lot of custom development or your website utilizes multiple applications (such as an eCommerce site), we recommend using Smart Plugin Manager on your Staging environment first so you can check that the updates don’t cause any issues with custom code or third-party applications. If you’re happy with the results, feel free to enable it on your Production environment.

Atlas Support

Smart Plugin Manager supports WordPress sites connected to Atlas apps. When SPM detects a redirect from WordPress homepage to an Atlas app, then SPM allows WordPress sitemap to include URLs to the Atlas app. After updating WordPress plugins SPM can test both WordPress pages and Atlas app pages listed in the sitemap.

We recommend using the FaustWP plugin with configured front-end site URL and enabled public route redirects.

SPM does not turn on maintenance mode when WordPress is connected to the Atlas app, to not limit access to WordPress data.

Determining a Successful Update

Utilizing a proprietary set of tests and machine learning algorithms, after plugin and theme updates are run, Smart Plugin Manager checks for server response errors, broken code, and visual changes immediately after plugins have been updated. Some example visual errors that will cause a reversion and restoration are missing images and forms, misplaced iconography, PHP errors, and other visual indicators that the plugin updates causes a material change to your site.

Smart Plugin Manager makes a judgement on site functionality based on a set of verification tests. We’re constantly improving the technology and verification mechanisms so false positives/negatives may occur. If an update breaks your site but was passed by Smart Plugin Manager, you can restore using WP Engine’s backup system. Likewise, if Smart Plugin Manager believes the updates broke your site when it seems to be fine, you can still manually update your plugins. If you experience one of these issues, please contact Support.


Visual Regression Testing

Visual regression testing (VRT) refers to the process of visually checking a series of pages before and after updates are performed for discrepancies. This is especially powerful because basics tests only look for error codes, whereas VRT can be used to determine if the website looks incorrect.

Smart Plugin Manager checks the homepage by default. If you add a sitemap (whether through the sitemap setting or a sitemap plugin), it will check and run verification on up to 20 listed pages, including the homepage. If there are more than 20 pages listed in your sitemap, it will do your homepage and a randomized 19 other pages from the entirety of the sitemap. If there is a failure on any page, Smart Plugin Manager will roll back the plugin updates and restore your entire site to its previous state. Additionally, SPM can be told to ignore specific items if necessary. For example, a calendar widget is expected to vary visually but doesn’t indicate an update failure.

If you have particular areas of the site that may naturally look different, like a calendar widget, the CSS can be easily excluded.

NOTE

Visual Regression Testing will only test the desktop version of your website. VRT will not test the mobile version of any pages.

WooCommerce

For websites that have the WooCommerce plugin activated, VRT will automatically check the cart page, checkout page, my account page, up to 3 random category pages, and 13 random product pages. These specific URLs are:

/cart
/checkout
/my-account
/product-category/your-category-name
/product/your-product-name

In the case that you are not utilizing the above product or category URL structure, WooCommerce will be queried first for current URLs using the IDs (EX: domain.com/?product=111.)

If you prefer to override the VRT for these default URLs, this can be done simply by using a custom sitemap.


Multisite

Smart Plugin Manager supports WordPress multisite, although there are some caveats. Additionally, SPM will enable maintenance mode on all subpages when updates are running.

If you wish to use SPM on a multisite network, we recommend the following configuration:

  • Activate plugins network-wide, or activate all plugins on the main site
  • For private and commercial plugins, enter the license credentials, subscription key, or download key on the main site
  • Use WP Engine’s backups instead of a 3rd-party WordPress plugin for backing up all of your subsites, to avoid keeping the main site for a long time in maintenance mode during SPM updates

Visual Regression Testing functions a little differently when applied to multisite networks. There are two ways pages will be tested for failures:

  • In a multisite network with under 20 sites (19 subsites + main site), VRT will test;
    • The homepage of the main site
    • The homepage of all subsites
    • Custom SPM sitemap
      • Up to 20 URLs in total, including any homepages that will be tested above.
      • Custom sitemap can be for the main site only and URLs only.
  • In a multisite network with over 20 sites (19 subsites + main site), VRT will test;
    • The homepage of the main site
    • The homepage of up to 49 subsites
  • In a multisite network with over 50 sites (49 subsites + main site), VRT will test;
    • The homepage of the main site
    • The homepages of the first 49 subsites created
    • A custom SPM sitemap will be ignored
    • Subsites 51 and greater will not be checked

*The main site is defined as the site ID 1 and uses the wp_options table (as opposed to wp_2_options, etc). This is the first site on the network and the site that cannot have the domain updated in the wp-admin.


Update Failures

If a plugin fails to update, we will stop trying to run the updates and you will receive a notification alerting you to which plugin(s) or theme(s) failed to update so you can investigate. Smart Plugin Manager will attempt updates for three more days.

If updates are performed successfully but we detect an issue after updating, such as a 4XX/5XX error or a material change to the look of your site using VRT, the system will automatically revert your site back to the state prior to running the updates.

After three days, the system will attempt to update each plugin/theme individually and will skip updating the specific plugin or theme that caused the failure while still updating the other components. You will need to manually update the plugin or theme that causes the failure before it will properly update automatically.

Be sure to also check your website against Smart Plugin Manager’s limitations, detailed in this section.


Git Support

All of Smart Plugin Manager’s features, including the Visual Regression Test, Auto Site Rollback, and Notifications, can be leveraged for a Git-hosted plugin or theme by first connecting your website with Github. This means you can push updates to a custom plugin or theme via GitHub and have those updates download automatically to any website where Smart Plugin Manager is active.

In order to connect your website to the Github repository, we recommend using either the GitHub Updater or Plugin Updates Checker plugin. These tools can automatically make a pending update for your custom plugin or theme visible in the wp-admin area of your site, which will then notify Smart Plugin Manager to initialize that update. Details on how to configure a plugin or theme to sync these tools can be found in their own documentation: Github Updater Setup Guide and Plugin Update Check Getting Started Guide.

Finally, when utilizing Git on a website using Smart Plugin Manager the following should be added to the gitignore file:

# smart plugin manager specific 
wp-content/plugins/*
wp-content/.logs/
autoupdater_maintenance_mode_enabled.tmp

Downloadable gitignore files including these SPM-specific paths can be found in the full Git guide here.


Limitations

Smart Plugin Manager requires the ability to access and update files. For this reason there are several limitations:

  • Smart Plugin Manager can only update WordPress sites on the WP Engine platform.
  • Transferable installs cannot be updated as we consider these non-billable.
  • Websites that are password-protected (HTTP Basic Authentication) can be updated only if it was set up in the WP Engine User Portal and not by a 3rd party solution.
  • Read-only websites cannot be updated.
  • Smart Plugin Manager may need to be added to the allowlist of any security services to ensure it does not get blocked. Read more here.
  • Additional caching layers may need to allow Smart Plugin Manager to help prevent display issues. Read more here.
  • Sites using 2FA will need to add the SPM IPs to the allowlist. Read more here.
  • Websites utilizing a WAF will need to allow Smart Plugin manager by configuring certain settings within their firewall. Read more here.

Allowlist Smart Plugin Manager

Additional security layers, such as 2FA and WAF, will require Smart Plugin Manager be whitelisted in that service. The SPM IPs that must be allowed are:

  • 35.186.183.60
  • 35.221.41.251
  • 35.236.216.128
  • 35.245.159.253
  • 35.245.210.234
  • 35.245.251.214
  • 35.245.50.252

CleanTalk

If your website is using the plugin CleanTalk our automated tooling will be blocked by default. To get our plugin update software working, we’ll need you to go into your firewall settings and allow the Smart Plugin Manager IP addresses.

In addition to this, you’ll also need you to adjust the following settings through your site’s WP-Admin dashboard: Under the CleanTalk plugin -> Advanced Settings, turn off the Anti-Crawler feature. Next, adjust the Anti-Flood count to 20 pages (CleanTalk assumes our automated tooling is a bot because it opens 20 pages in under a minute to take before and after screenshots for our visual regression testing). Finally, turn Off the selection for Check all posts data.

Caching Services

To ensure maintenance mode can enable and disable correctly, Smart Plugin Manager should be allowed in any additional caching layers (Sucuri, WP Optimize plugin, NitroPack, Cloudflare, etc). More specific instructions are detailed below:

NitroPack

NitroPack is compatible with SPM as long as NitroPack is on version 1.5.8. If your website is utilizing the NitroPack optimization plugin on an earlier version you will need to exclude a Smart Plugin Manager cookie to prevent any interruption in our update services.

Cookie name: autoupdater

Cookie value: 1

Learn how to exclude a cookie in NitroPack.

Sucuri

Cloudflare

Ensure the SPM IP addresses are whitelisted in Cloudflare. Learn more on Cloudflare here.

Two-Factor Authentication (2FA)

If your website is utilizing a two-factor authentication plugin or service (2FA) then you must add the SPM IP addresses to the allowed list to ensure SPM can access the WP-Admin.

If you use Duo for WordPress, then configure Authorized Networks > Allow access without 2FA from these networks. Read the full documentation on Duo.

Web Application Firewall (WAF)

If requests to a website from SPM could be denied by a WAF (web application firewall), you may need to add SPM requests to the allowed list. Those requests will contain the header named autoupdater and come from a static set of IP addresses.

Stackpath WAF

Create a custom WAF rule with the WAF rule editor:

  • Under Rule Type, select WAF.
  • Next to IF, select a rule type Header.
  • In the next drop-down menu select — to apply the rule only to the specified header.
  • In the field, enter the header key autoupdater
  • In the next drop-down menu select Contains.
  • In the field, enter the header value . (dot).

Learn more about Stackpath WAF rules.

Cloudflare WAF

Add a rule to allow access by header name:

any(http.request.headers.names[*] == "autoupdater")

Alternatively, add a rule to allow access by URI:

any(http.request.uri.args["autoupdater"][*] == "api") or any(http.request.uri.args.names[*] == "autoupdater_nonce")

Learn more about Cloudflare WAF rules.

Wordfence WAF

In your WP-Admin panel go to Wordfence > Firewall and click “All Firewall Options”.

Next, expand “Advanced Firewall Options” and enter SPM’s IP addresses into the “Allowlisted IP addresses that bypass all rules”.

Be sure to save changes!


Enable Smart Plugin Manager

Customers on shared WP Engine plans can add Smart Plugin Manager through the Modify Plans page. Customers on Premium plans, please reach out to your Account Manager through this page.

After purchasing the addon, enable Smart Plugin Manager on the environment of your choice via the User Portal:

  1. Log into the User Portal
  2. Select Add-ons from the main menu
  3. Locate Smart Plugin Manager then click Manage
  1. Click Add Environments

NOTE

The number of remaining licenses will display at the top left of this page.

  1. Select any environments you’d like to enable Smart Plugin Manager on
  2. Click Add to SPM
  3. The “WP Engine Smart Plugin Manager” WordPress plugin will automatically be installed on these environments.

Smart Plugin Manager Status

Status by environment can be viewed at a glance from the Site Monitoring page in the User Portal.

  1. Log in to the User Portal
  2. Select Add-ons from the left menu
  3. Locate Smart Plugin Manager then click Manage
  4. Locate the environment name

Statuses shown here are the following:

  • ✅ (Green check mark) – Plugins are up to date
  • ❌ (Red x) – Plugins not updated
  • ⚠️ (Orange exclamation point) – There was an issue updating plugins
  • 🕒 (Black clock icon) – Next run soon
  • ➕ (Purple plus sign) – Activate an SPM license on this environment

A more detailed report about the previous Smart Plugin Manager run can be found by accessing the menu for a specific environment. This report contains the same information that is sent via email notice when the process completes.

  1. Click the 3 dot menu icon to the right
  2. Select Open lastest update to see the most recent process details, or select Open update history to see a list of previous updates.

The status page will show if the updates failed or succeeded and if a rollback was necessary. The page also details which plugins were updated and to which version. This status page only shows the previous round of updates and is not cumulative.

Click any section to expand and view more information.

Additionally, SPM statistics for the current billing period can be found on the Billing > Plan Usage page of your User Portal. This includes the number of plugins updated, number of URLs tested, and a cumulative estimate of time saved.

Learn more about the Plan Usage page.


Smart Plugin Manager Settings

There are two ways to access the settings for Smart Plugin Manager in the User Portal. The method you use depends on if you wish to edit the settings for one environment at a time, or multiple.

NOTE

Only full and owner level users can adjust SPM settings.

  1. Log into the User Portal
  2. Select Add-ons from the left menu
  3. Click Smart Plugin Manager
  4. Check off environment(s) from the list to modify settings
  5. Click Edit Settings

The available Smart Plugin Manager settings are:

* Only available when selecting a single environment.


Update Schedule

Select a timeframe to attempt the update process. It’s recommended to choose a low traffic period for your website.

  1. Frequency: Daily or Weekly rate the environment(s) will be checked and updated.
  2. Time of week: Whether the process will check only on weekdays or weekends, or if neither is preferred.

NOTE

The “weekend” starts at 0:00 UTC on Saturday, and therefore includes Fridays in some time zones.

  1. Time zone: The time zone the update process should refer to. We suggest setting this to match your primary visitor time zone.
  2. Window: The time frame updates will be performed, times will reflect the time zone selected.

Smart Plugin Manager will try to run on the first day within the timeframe selected. For example, if SPM doesn’t start the update on the Saturday in the selected time window, it will be rescheduled for the next day (Sunday) with higher priority at the same time. If that fails, it will reschedule it for next Saturday, unless the settings are updated with a new run time and date.



Notification Emails

Enter email addresses, separated by commas, to receive notifications. Notifications can be sent for successful updates, or only if an update fails.


Auto Rollback

Smart Plugin Manager creates a backup using WP Engine’s automated backup and restore system prior to making any changes to the website. SPM will restore to this previous version (“roll-back”) if it determines using visual regression testing or error codes that the updated version may have altered the website.

Choose whether or not the rollback process should be automatic by toggling.


Maintenance Mode

Turn maintenance mode on or off to protect against data loss or missed orders while Smart Plugin Manager is updating plugins.

Site visitors will see a default “Undergoing maintenance” page, temporarily denying any traffic to the site.

If you wish to customize this maintenance page copy the file wp-content/plugins/autoupdater/tmpl/offline.tmpl.php to wp-content/autoupdater/tmpl/offline.tmpl.php
and adjust the styling within it. It is not recommended to use any PHP code in this file.

To ensure maintenance mode can enable and disable correctly, Smart Plugin Manager IPs should be allowed in any additional caching layers (Sucuri, WP Optimize plugin, NitroPack, Cloudflare, etc).


Managed Plugins

Select which plugins Smart Plugin Manager should attempt to update or ignore. By default, Smart Plugin Manager will attempt to update all plugins. If you have selected multiple environments then all plugins will display, however only those plugins actually installed on an environment will be impacted by changing this setting.


Hidden Content

Smart Plugin Manager uses visual regression testing to help determine if an update failed. Use this to hide content that may change regularly, such as ads, recent posts, or calendars.

This field accepts CSS selectors separated using the Enter or Return key.


Managed Themes

Using the same processes and features as plugin updates, Smart Plugin Manager can also update themes. SPM can update themes that are publicly available on the WordPress repo, and cannot update any private themes or themes that require manual updates directly from a developer.

When updating a theme all of its files are typically overwritten, therefore custom content should be placed in a child theme. This is a default function of WordPress and is important to keep in mind when activating SPM managed theme updates.

Managed theme updates are disabled by default. To enable managed theme updates, simply click Activate, then select the themes that should be managed from the list.


Sitemap Override

By default, Smart Plugin Manager will check 20 random pages, always including the homepage, after an update.

To ensure specific pages are always reviewed by Smart Plugin Manager, provide the URL to a custom sitemap you’d like Smart Plugin Manager to choose from instead. This sitemap should be entered into the SPM options as an absolute path.

Sitemap override is only available when editing options for a single environment.


Release SPM License

Releasing an SPM license will disable Smart Plugin Manager on the selected environments. The Smart Plugin Manager plugin will be removed automatically and a license will be freed up for use on another environment. This process may take a few minutes to complete.

You can release a single environment’s license by selecting the option from the three dot menu:

Or, you can release multiple licenses by checking each of the environments and clicking Edit Settings. From the settings page scroll down and select Release Licenses.

Pause SPM Updates

If you’d like to simply pause updates, without removing Smart Plugin Manager or the SPM plugin you can choose to pause updates. Updates will remain paused until enabled again.


NEXT STEP: Learn how to upgrade your PHP version

Still need help? Contact support!

We offer support 24 hours a day, 7 days a week, 365 days a year. Log in to your account to get expert one-on-one help.

The best in WordPress hosting.

See why more customers prefer WP Engine over the competition.

Chat with us!