WordPress Has An Update Problem

You wouldn’t blame the alarm company when your house is broken into and emptied out after you canceled the monitoring service because you didn’t think you needed it anymore. So why blame a plugin when your web site is exploited because you didn’t keep your WordPress plugins up to date? But WordPress users do.

Users not updating is a problem that WordPress as a project is going to need to focus on sooner rather than later.

Some will say it’s not a WordPress problem, it’s a user problem. Bullshit.

It’s only a matter of time before an exploit in a popular theme or plugin (free or commercial) attracts media attention on a larger scale than anything to date, simply because of the sheer number of sites that aren’t up to date. That would not be good for WordPress or its ecosystem.

I think WordPress has been lucky that the vast majority of exploits actively used in the wild have targeted published, already-fixed vulnerabilities on sites still running old, vulnerable versions of the code. This is of course my opinion, but I do have firsthand experience with situations like this on a much smaller scale with Gravity Forms.

Jeff Chandler wrote about the need for background automatic updates at WPTavern, and the backlash from some circles was surprising. Many developers seem to hate the idea. I don’t understand why. Developers more than anyone should understand the importance.

WordPress most definitely needs to move towards background automatic updates for more than just core as standard practice.

But I’m a developer and I don’t like things happening automatically? Fine. Disable it. It’s WordPress. You are a developer.

But for technical reasons which will remain nameless I’m not allowed to let things happen automatically? Fine. You are a developer or power user with an environment unique enough that you, or the developer you work with, know enough about what you are doing that disabling it will work for you too.

But a plugin may shit the bed when it updates in the background automatically? Great. Plugins that can’t get their shit together, and for which this becomes a recurring issue, will ruin their reputations with users, and people will quit using them. That’s a good thing.

This won’t help against zero-day exploits on sites that are already up to date, you say? Of course not. But because WordPress sites check for updates on their own schedule (WP-Cron polls for plugin and theme updates twice a day) rather than waiting for an administrator to log in, a fix for a newly disclosed vulnerability could reach most sites within hours, patching them before the exploit gets to them and limiting the damage.

Absolutely nobody has said background automatic updates need to be enabled across the board with the functionality exactly as it works today. There is no reason the background update mechanism couldn’t be extended with additional safeguards if such safeguards turn out to be necessary.
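As an added example (not code from this post, and not part of WordPress itself beyond the filter and constant names it uses), here is what the opt-out for the developer above and the “additional safeguards” for everyone else look like against the hooks WordPress has shipped since the background updater arrived in 3.7: the `AUTOMATIC_UPDATER_DISABLED` constant, and the `auto_update_plugin` / `auto_update_theme` filters, which receive the update object for each item. The plugin slugs, the file name and the choice of wordpress.org as the only trusted download host are assumptions for illustration.

```php
<?php
/**
 * Added example: a background-update policy as a must-use plugin,
 * e.g. wp-content/mu-plugins/auto-update-policy.php (file name assumed).
 *
 * Not the post author's or the WordPress project's code; it only uses the
 * public filters/constants named in the lead-in.
 */

// The developer's opt-out. This belongs in wp-config.php and switches the whole
// background updater off, so it is shown here commented out for contrast:
// define( 'AUTOMATIC_UPDATER_DISABLED', true );

/**
 * Decide whether a single plugin may update in the background.
 *
 * @param bool   $update WordPress's own decision so far.
 * @param object $item   Update object: has ->slug, ->plugin, ->new_version, ->package ...
 * @return bool
 */
function aup_should_auto_update_plugin( $update, $item ) {
    // Safeguard 1: an allow-list, so only plugins the site owner has vetted
    // update on their own. Slugs below are hypothetical.
    $allow = array( 'akismet', 'gravityforms' );

    if ( empty( $item->slug ) || ! in_array( $item->slug, $allow, true ) ) {
        return false;
    }

    // Safeguard 2: only accept packages served from wordpress.org. A plugin
    // whose package comes from a third-party update server stays manual, which
    // is exactly the "hijacked update service" risk an allow-list alone misses.
    if ( empty( $item->package ) ) {
        return false;
    }
    $host = parse_url( $item->package, PHP_URL_HOST );
    if ( 'downloads.wordpress.org' !== $host ) {
        error_log( sprintf( 'auto-update refused for %s: package host %s', $item->plugin, $host ) );
        return false;
    }

    // Safeguard 3: never jump a major version silently (1.x -> 2.0 is where
    // plugins most often "shit the bed"); leave those for a human.
    $installed = get_plugins();
    $current   = isset( $installed[ $item->plugin ]['Version'] ) ? $installed[ $item->plugin ]['Version'] : '0';
    if ( (int) $current !== (int) $item->new_version ) {
        return false;
    }

    return true;
}
add_filter( 'auto_update_plugin', 'aup_should_auto_update_plugin', 10, 2 );

// Themes: keep them manual on this site (template edits are common and fragile).
add_filter( 'auto_update_theme', '__return_false' );
```

Because a must-use plugin loads on every request and cannot be deactivated from the admin, it is the right place for a policy like this: a compromised admin account can't quietly switch the safeguards off the way it could with a normal plugin. Note that `get_plugins()` lives in `wp-admin/includes/plugin.php`; the background updater runs from WP-Cron, which loads it, but if you call this function from another context include that file first.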

WordPress needs to do more to make sure people keep their WordPress sites up to date and background automatic updates will be one of the best ways to solve this issue.

If you don’t like it, that’s fine. But don’t just bitch about it, suggest alternatives that would help solve the problem.

3 thoughts on “WordPress Has An Update Problem”

  1. I think, as you have covered, the benefits and motivation behind expanding use of the feature are clear. My hesitance comes from the implicit trust that must be given to those with control of it, especially plugin developers and shops.

    When you look at it from a positive light automatic (or forced) plugin updates are a force for good, protecting users’ sites and the WordPress ecosystem as a whole (a little like immunisation). On the negative side it is essentially adding a code injection back door into every WordPress site, which is quite frankly worrying.

    I am content with this situation while those in control of the updates are the WordPress Foundation, and perhaps even some companies like yours. However, the idea that any other developers or plugin shop have keys to that back door does worry me. Not necessarily because I don’t trust them to use the feature responsibly, but if Woothemes can lose customer credit card data, it is only a matter of time until people begin hijacking custom plugin update services.

    A large scale code injection attack via plugin forced updates hijacking would do incredible damage to the reputation of WordPress, it is after all a core feature.

  2. Thanks Carl,

    We need to chip away at this until a good solution is crafted. The WordPress team has done a good job with automatic updates for minor core versions. I remember the apprehension when that was announced. It will take time to get it right, but I agree that it is necessary.

    You make an interesting point about a vocal group of developers who object to the idea of automatic plugin updates. It would be interesting to have a sense of user segmentation. In other words, what percentage of users does this group represent? I suspect that there is a very large segment who would welcome the added security. I would.

  3. I’m completely on your page. I guess the majority is scared about those automatic updates, because they simply do not trust the whole system 100% – as I do. There are plenty of plugins available, free and premium. The same goes for themes. Many plugins offer the exact same functionality just with a different approach or at least different naming convention – but still, one gets actively maintained while the other doesn’t. And it is not always obvious which plugin will work fine with your own configuration and which won’t – so there it breaks sometimes. And instead of letting it break “automatically” I personally prefer to break it intentionally. That way I feel I still have control over what is going on, and which plugin is the culprit.

    I too believe WordPress needs to take serious measures on that, streamlining the whole update process for free themes/plugins but also for themes/plugins which are hosted elsewhere (regardless of whether premium or not).

    As soon as this whole thing is ready then I would just say that all NEW WordPress Sites should have this enabled by default while having this disabled for already existing sites – regardless of the version being used. I believe this would make the whole thing a bit smoother for everyone.

    So, basically more TRUST must be generated first. People should always have a positive UX during updates to gain that trust, and finally automatic updates can be accessible for everyone.
