You wouldn’t blame the alarm company when your house is broken into and completely emptied out after you cancelled the monitoring service because you didn’t think you needed it anymore. So why blame a plugin when your web site is exploited because you didn’t keep your WordPress plugins up to date? But WordPress users do.
Users not updating is an issue that WordPress as a project will need to focus on sooner rather than later.
Some will say it’s not a WordPress problem, it’s a user problem. Bullshit.
It’s only a matter of time before an exploit in a popular theme or plugin (free or commercial) attracts major media attention on a scale larger than anything to date, simply because of the sheer number of sites that aren’t up to date. That would not be good for WordPress or its ecosystem.
I think WordPress has been lucky that the vast majority of exploits actively used have taken advantage of published vulnerabilities, targeting sites still running old, vulnerable versions of the code. This is of course my opinion, but I do have personal firsthand experience with situations like this on a much smaller scale with Gravity Forms.
Jeff Chandler wrote about the need for background automatic updates at WPTavern, and the backlash from some circles was surprising. Many developers seem to hate the idea. I don’t understand why. Developers more than anyone should understand the importance.
WordPress most definitely needs to move towards background automatic updates for more than just core as standard practice.
But I’m a developer and I don’t like things happening automatically? Fine. Disable it. It’s WordPress. You are a developer.
But for technical reasons which will remain nameless I’m not allowed to let things happen automatically? Fine. You are a developer or power user with an environment unique enough that you likely know what you are doing, or you work with a developer who does, so disabling it will work for you too.
But a plugin may shit the bed when it updates in the background automatically? Great. Plugins that can’t get their shit together, to the point that it becomes a recurring issue, will ruin their reputations with users, and people will quit using them. That’s a good thing.
This won’t help eliminate zero-day exploits on sites that are up to date, you say? Of course not. But because WordPress sites aren’t all checking for updates at the exact same time, a fix for a zero-day could roll out very quickly and limit the damage by patching sites before the vulnerability is exploited on them.
Absolutely nobody has said background automatic updates need to be enabled across the board as the functionality works today. There is no reason why the background automatic update functionality couldn’t be enhanced with additional safeguards if such enhancements were necessary.
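The “disable it” path for developers is a single line in wp-config.php, `define( 'AUTOMATIC_UPDATER_DISABLED', true );`. The other direction, opting plugins and themes into the background updater with a couple of safeguards of the kind described above, as an added example that is not code from this post or from WordPress itself; the `GBU_MANUAL_ONLY` list and its slug are placeholders:

```php
<?php
/**
 * Plugin Name: Guarded background updates (added example)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 * It opts plugins and themes into the background updater WordPress already
 * uses for core, but adds two safeguards:
 *   1. a denylist of slugs that must always be updated by hand, and
 *   2. major-version jumps (1.x -> 2.x) are left for a human to review,
 *      while minor/patch releases, where fixes usually land, go out unattended.
 */

// Assumption: placeholder slug, not a plugin with any known problem.
const GBU_MANUAL_ONLY = [ 'example-plugin-that-needs-manual-updates' ];

/**
 * True when $new is a newer release in the same major series as $installed
 * (1.2.3 -> 1.4.0 is fine, 1.9 -> 2.0 is not).
 */
function gbu_is_safe_bump( $installed, $new ) {
    $old_major = (int) explode( '.', (string) $installed )[0];
    $new_major = (int) explode( '.', (string) $new )[0];
    return version_compare( $new, $installed, '>' ) && $old_major === $new_major;
}

// $item is the update object from the wordpress.org API: ->slug, ->plugin, ->new_version.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( in_array( $item->slug, GBU_MANUAL_ONLY, true ) ) {
        return false;
    }
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $installed = get_plugin_data( WP_PLUGIN_DIR . '/' . $item->plugin, false, false )['Version'];
    return gbu_is_safe_bump( $installed, $item->new_version );
}, 10, 2 );

// For themes the update object carries ->theme (the stylesheet slug) and ->new_version.
add_filter( 'auto_update_theme', function ( $update, $item ) {
    if ( in_array( $item->theme, GBU_MANUAL_ONLY, true ) ) {
        return false;
    }
    $installed = wp_get_theme( $item->theme )->get( 'Version' );
    return gbu_is_safe_bump( $installed, $item->new_version );
}, 10, 2 );
```

Anything the filters refuse still shows up in the normal Updates screen, so the safeguard only changes what happens unattended, not what the site administrator is told.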
WordPress needs to do more to make sure people keep their WordPress sites up to date and background automatic updates will be one of the best ways to solve this issue.
If you don’t like it, that’s fine. But don’t just bitch about it, suggest alternatives that would help solve the problem.