The last major WordPress Toolkit release in 2021 — v5.9.0 — is now officially available for Plesk. This quick release adds more site vulnerability goodness with a number of important bug fixes. As there have already been major developments in the 5.8 release, this newest update is building on those existing features:
Site Vulnerability: Policies
It’s hugely beneficial that you can now update or disable vulnerable WordPress assets in WordPress Toolkit once you learn that they’re vulnerable. However, you must log in and perform these actions manually, even if it’s not a convenient time for you. To make life easier for site admins, we have added advanced auto-update policies that let WordPress Toolkit automatically address any vulnerability that can be fixed by installing an update. In the case of plugins, site admins can also opt to deactivate them instead of updating (before you ask, we can’t do the same with themes, since there must always be an active theme on a site).

Security updates for vulnerabilities are installed immediately after these vulnerabilities are found; there is no ~24-hour wait period. Also, there is no special auto-update policy for WordPress core, since minor WordPress auto-updates already handle this case.
Finally, if you’re a server admin, keep an eye on future releases, as we’re planning to introduce auto-update defaults specifically to suit your needs. This should help keep servers secure even when some customers forget to look after their sites.
Site Vulnerability: Email Notifications
As we’ve mentioned, you can easily learn if you have vulnerabilities when you visit WordPress Toolkit. But you could miss this information if you don’t visit your control panel that often. To address this, we have added email notifications about security vulnerabilities found by WordPress Toolkit.



These notifications differ from our usual email notifications: they are sent immediately after WordPress Toolkit finds a vulnerability, without any delay. To avoid spamming, once a notification about a particular vulnerability on a particular site is sent, we will not repeat it.