Outdated WordPress plugins pose one of the biggest threats to website security, and many site owners install themes and plugins and then never update them.
The WordPress development team is already working on adding an auto-update mechanism for themes and plugins, which are a common source of website hacks.
It is a long-awaited security improvement for WordPress’s ecosystem given that most of the incidents involving WP websites flow from vulnerable and outdated third-party code. I would, however, be cautiously optimistic unless this feature is enabled by default, as otherwise a considerable number of website owners will unwittingly or purposely ignore it, being anxious that automated updates can accidentally break something.
Moreover, one should bear in mind that many critical security flaws affecting the plugins, ranging from RCE to SQL injections, are commonly and aggressively exploited in the wild while plugin developers are working on a security patch. Most plugin developers do not have a dedicated security team and release updates with a substantial delay, when most of the publicly exposed WP websites are already hacked and backdoored for further resale on Dark Web marketplaces.
That being said, maintaining a basic set of web security hardening options, ranging from WP security plugins to properly configured CSP and WAF, is indispensable to protect your WordPress website from a data breach.
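The two hardening measures the article points at, automatic plugin and theme updates and a Content-Security-Policy, can both be applied today from a must-use plugin. The following is an added example, not code from the article or from the WordPress project: it uses WordPress core's existing `auto_update_plugin` and `auto_update_theme` filters and the `send_headers` action, while the plugin slug in the exclusion list and the CSP directives are placeholders that a site owner would replace with their own values.

```php
<?php
/**
 * Plugin Name: Hardening baseline (hypothetical example)
 * Description: Opts plugins and themes into WordPress core's background updater and
 *              sends a Content-Security-Policy on front-end responses.
 *              Save as wp-content/mu-plugins/hardening-baseline.php.
 */

// Refuse to run outside of a WordPress bootstrap.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 1. Automatic updates for every plugin and theme.
//    Both filters are WordPress core APIs (available since 3.7): returning true
//    makes the background updater treat the item as auto-updatable.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Exclusion list (assumption: the slug below is a placeholder) for a plugin that
// is known to break on update and must be reviewed manually; everything else
// keeps auto-updating, so a single fragile plugin does not stall all patches.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $manual_only = array( 'example-fragile-plugin/example-fragile-plugin.php' );
    if ( isset( $item->plugin ) && in_array( $item->plugin, $manual_only, true ) ) {
        return false;
    }
    return $update;
}, 10, 2 );

// 2. Content-Security-Policy and companion headers on public pages.
//    The directive values are a starting point: roll them out first as
//    Content-Security-Policy-Report-Only and widen script/style sources only
//    for what the theme and plugins actually load.
add_action( 'send_headers', function () {
    if ( is_admin() ) {
        return; // wp-admin depends on inline scripts; keep the policy to the public site.
    }
    $csp = implode( '; ', array(
        "default-src 'self'",
        "script-src 'self'",
        "style-src 'self' 'unsafe-inline'",   // most themes emit inline styles
        "img-src 'self' data:",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'self'",
        "form-action 'self'",
    ) );
    header( 'Content-Security-Policy: ' . $csp );
    header( 'X-Content-Type-Options: nosniff' );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
} );
```

Because the file lives in `mu-plugins`, it cannot be deactivated from the dashboard and applies before regular plugins load. Switching the header name to `Content-Security-Policy-Report-Only` during rollout lets the browser report violations without blocking anything, which is the safest way to find the inline scripts and third-party hosts a policy would otherwise break.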