24 Comments


  1. I don’t have a single piece of software on my desktop or notebook that has been configured to automatically update itself.

    I used to be like you, but Chrome and later Firefox lessened and then eliminated my fear of auto-updating software. My advice is to embrace auto-updates in (almost) all of your software, and enjoy the extra time in your life.

    Reply
  2. Dave

    As someone who’s worked in IT 20 years, I find the team’s actions extremely cocky in not providing an option – they can’t know everyone’s use case and I’ve yet to meet a bulletproof system. Good luck to us.

    Reply

  3. @Chris Finke – That’s a hard habit to break. I guess I should try it one piece of software at a time, starting with FireFox and Thunderbird, see how it goes.

    Reply

  4. @Dave – I think anyone who might need an option (that is, anyone who has a legitimate reason to not want auto-updates) is capable of setting the constants or filters that disable updates for their sites.

    Reply

  5. @Jeffro – Have you tried the Update Control plugin at all? Does it just rewrite your .htaccess according to your settings or does it handle it another way?

    Reply

  6. @Cam – I installed it on my local host Wamp setup to see the options it provided. I did not actually test it. Why would it mess with .htaccess?

    Reply

  7. @Jeffro – Sorry. Mental block. I meant wp-config.php. I had .htaccess on my brain because of the other post.

    Reply

  8. @Cam – Well, I just checked my localhost’s WP-Config file and I didn’t see any commands in there that were part of the auto updates. I changed some settings and still didn’t see the changes in the config file. So, it must be doing it a different way, perhaps storing them in the database?

    Reply

  9. @Cam -

    Have you tried the Update Control plugin at all? Does it just rewrite your .htaccess according to your settings or does it handle it another way?

    No – as far as I know, there’s no way for a Plugin to write into wp-config.php – and I would consider it a pretty huge security risk if a Plugin could do so.

    Update Control uses the provided filters to enable/disable the various update options.

    Reply

  10. @Jeffro -

    So, it must be doing it a different way, perhaps storing them in the database?

    Nope; filters. Specifically:


    if ( 'no' == $options['active'] ) {
    add_filter( 'auto_upgrader_disabled', '__return_true', 1 );
    } else {
    if ( in_array( $options['core'], array( 'dev', 'major', 'minor' ) ) ) {
    add_filter( 'allow_' . $options['core'] . '_auto_core_updates', '__return_true', 1 );
    }
    if ( $options['plugin'] ) {
    add_filter( 'auto_update_plugin', '__return_true', 1 );
    }
    if ( $options['theme'] ) {
    add_filter( 'auto_update_theme', '__return_true', 1 );
    }
    if ( ! $options['translation'] ) {
    add_filter( 'auto_update_translation', '__return_false', 1 );
    }
    }

    (And similar filters for the update emails.)

    Reply

  11. @Chip Bennett – Plugins can (and do) write to wp-config.php all the time. See WP Super Cache for the most common one I know of.

    However, wisely, this plugin uses filters :)

    Reply

  12. @Ipstenu -

    Plugins can (and do) write to wp-config.php all the time. See WP Super Cache for the most common one I know of.

    Huh; learn something new every day!

    Well, let me re-phrase: there’s no way I’m letting anything write to my wp-config.php! Heck, I don’t even keep it in the document root. (I’ll keep an account named “admin”; but nobody’s touching wp-config.php.) :)

    Reply
  13. Flick

    I do receive Chrome updates and although I know it is beneficial and I should embrace it, I would rather Chrome notify me in advance – simply because then I am not left wondering why so much memory/bandwidth hogging is going on during this period for no (initial) apparent reason.

    In two minds about this change: am sure I will come round to it though and love it, going by what the introduction of Dashboard plugin installation/updates has done for everyone.

    Will certainly be checking out the config on the Codex as I think it would be helpful if multisite admins, at least, have more fine-grain control over even minor/security updates.

    Reply

  14. Picking up and extending just a bit on this:

    I don’t have a single piece of software on my desktop or notebook that has been configured to automatically update itself.

    For most Linux users, auto-update for security / critical fixes is no stranger in the case of individual apps. For Windows users, there’s Secunia PSI (free, as in ‘free beer’), if you care to look into it. I think it’s a great concept, and recommend it. Non-disclaimer: I’m not affiliated with them, beyond being an appreciative end user.

    Bottom line, auto-updates should be common, not exceptional. Certainly for WP I think it’s pure win.

    Reply

  15. I don’t have a single piece of software on my desktop or notebook that has been configured to automatically update itself.

    I don’t think I have a single piece of software on any my laptops that has not been configured to automatically update itself.

    Reply

  16. Gotta agree with Ryan on this one. I configure everything to auto-update whenever possible. Too many pieces of software nowadays to be monitoring the interactions of all of them by hand. Ain’t nobody got time for that.

    Reply

  17. Hey folks,

    A couple of people mentioned it here, and in a few other places so we decided to put in a simple configuration for WordPress automatic updates. Even if you don’t use any of the rest of the plugin, you could use this section, as the plugin only loads the parts that are enabled.

    The WordPress Simple Firewall ( http://wordpress.org/plugins/wp-simple-firewall/ ) now has an automatic updates section so you can tweak as you need. It retains the WordPress default settings when activated of course, but you can quickly and easily modify setting as you need.

    Happy to hear what you think.
    Cheers,
    Paul.

    Reply

  18. I find it appalling that WP now UPDATES ITSELF AUTOMATICALLY and doesn’t offer a “Do you want auto-updates turned on or off?” pop-up or something when you first install wordpress!

    Lacking that, it should be DISABLED by default, not the other way around!

    I want to start a petition about this and strongly suggest WP to change it to what we the CLIENTS WANT, not what WP has decided for us!

    Remember, WordPress:
    This is the kind of behavior of big companies (Google, Microsoft to name two) that we the people DESPISE. So okay, for NOW you are the Big Dog and can get away with dictating to us (much like AT&T of old – remember the Lily Tomlin bit on Saturday Night Live: “We don’t care. We’re the phone company. We don’t have to!” – and we all know what happened to “the phone company”!), but eventually some other platform will come along – maybe one that listens to the desires of their clients – and WordPress will go the way of AT&T, MySpace, etc. YOU ARE NEVER TOO BIG TO FAIL DUE TO NOT GIVING YOUR CLIENTS WHAT THEY WANT!

    Reply

    • I wanted to add that the reason many of us do not want to auto-update is that we use plug-ins or themes that may BREAK if they have not been also updated to accommodate the latest WP version. So I would go to my plug-in or theme author first to see that it works well with the latest WP update BEFORE I update WP. I could also try the plug-in on a WordPress Domain that I keep just for this purpose, to see if it will work okay with the latest update .

      Another method would be to at least wait a month or so before updating just to give the plug-in and theme folks plenty of time to update their products.

      Reply

      • WordPress should, imo, dictate the defaults based on what is best for the ecosystem. And what is best for the ecosystem is a more secure WordPress.

        Do you remember the browser market before auto-update? Do you know how happy the web is now that legacy browsers are slowly becoming a thing of the past and we can take advantage of new features more quickly? Do you know how hard it is to fix security issues promptly when auto-update is not enabled?

        So with WordPress there was always an issue with updates breaking plugins and themes. That hasn’t changed, auto-update or not. The best plugins and themes are supported in such a way that these issues are minimized (good thing for devs to make their work stand out is, btw). It forces the developers to keep up to date and that’s a good thing too because that means more diligence is paid to keeping code bases maintained so they are secure & robust.

        It would be really bad to not set auto-update as the default because that encourages people to run outdated code. Vulnerabilities can have huge implications on a number of levels, not the least of which WP general reputation (on which now thousands of people rely on for their bread and butter).

        Of course you always have the ability to modify and disable auto-updates. The freedom is there to be used at anyone’s discretion.

        If you are running an ecommerce store, I bet it would be better to test before doing updates instead of having a store potentially crash on the chance that a conflict occurs.

        And it’s just a fact of life, the web is fast moving and requires continual vigilance, it’s a pain but unavoidable. Anybody running SSL and has had to reconfigure everything the past week knows it.

        There are tools out there & tools yet to be created that can help manage the pain of updating. Rolling back if an update is resulting in problems is a useful thing. Having a proactive backup policy. Easier ways of testing and moving things from a staging site to production. Those are all things that can mitigate the pain of updating. Definitely for commercial sites an investment must be made in these kind of tools.

        Reply

Leave a Reply