Now that WordPress 3.7 is out in the wild and has already accumulated over 1.5 million downloads, the complaints are starting to roll in concerning the automatic update feature. On the Make.WordPress.core website where Andrew Nacin published a great guide on the different ways of configuring auto updates, users started questioning why there wasn’t an option in the back-end to either opt-out of auto updates or to configure how they operate.
The answer to that question is simple as pointed out by Andrew Nacin.
For the betterment of the web, we made a conscious decision to avoid a UI option. You’d be out of your mind to consciously avoid updating to fix a critical bug or security issue. We think the vast majority of users (many who don’t even know what PHP is) will celebrate this as a win in usability and security.
We very strongly pride in our core philosophies, including designing for the majority, making WordPress work out of the box with little configuration or setup, choosing decisions instead of adding options, and striving for simplicity. (Incidentally, that last section needs updating to emphasize we’ve now made updates even simpler.)
No Auto Updates For Desktop Software But Enabled For WordPress
I don’t have a single piece of software on my desktop or notebook that has been configured to automatically update itself. Instead, I always make sure I’m notified before any updates are to be installed. I usually review the changelog and then update as needed. With WordPress however, I’m willing to allow auto updates for minor and security releases to be enabled for two reasons. The first is that this site is constantly being backed up by VaultPress. I’m not worried if the site breaks during or after an upgrade. The second, I’ve rarely ever had a problem with WordPress upgrades.
There Are No Guarantees
The same concerns that were brought up when automatic updates were announced are still being voiced. The biggest concern users have is not being able to easily go back to a working version of WordPress should something break. At the crux of this particular concern is that automatic updates prevent people from creating backups immediately before the update process. The update process has failsafe after failsafe to prevent catastrophes from happening but there is no guarantee. By default in WordPress 3.7 and above, the only updates that will happen automatically are minor and security releases. Although they have different names, these releases can sometimes be the same thing. Andrew Nacin explained the differences.
It’s been stressed that these minor and security updates rarely break anything dealing with the core of WordPress. However, sometimes these minor changes cause a plugin or theme to break. Rarely doesn’t mean never. It’s this slight possibility of a site breaking that has prevented people from jumping on board to support the feature.
How To Make Upgrading Less Fearful
The best article I’ve read so far on this topic is from Mika Epstein entitled, Don’t Fear The Auto Update. While she doesn’t dismiss the fact that a site can break during an auto update, she provides a number of great tips that you can use so that upgrading is less of a frightful experience.
Yes, it’s defaulted to “on” because after intensive testing, and careful thought, WordPress core devs are pretty darn sure that these minor updates, which are more often than not security related, will not break a site. I’ll get back to breaking sites in a second. The point is that minor updates were picked specifically because it’s known that major upgrades can often break things.
If every time you upgrade WordPress, your site breaks, please follow her advice and do a plugin/theme audit.
Normally, I’d be in support of adding an option to allow users to configure how auto updates work. In this case however, I understand the big picture. With WordPress being used on 20% of the web, the team owes it to the web in general to help users as best they can, keep their sites up to date. This tweet by Andrew Nacin is a good example of the big picture.
It will take a while to feel the true effects of WordPress 3.7. # sites running secure versions will go up. # localized installs will go up.
— Andrew Nacin (@nacin) October 24, 2013
The concerns raised are warranted and it only takes one experience of an auto update breaking a site to ruin things. Meanwhile, there were over 100,000 auto updates applied during the WordPress 3.7 testing period and not a single one of them failed according to Andrew Nacin.
We ended the WordPress 3.7 beta cycle with 112,434 automatic background updates attempted and not a single critical failure.
— Andrew Nacin (@nacin) October 25, 2013
Many of the terrible scenarios discussed are hypothetical situations. I say we give 3.7 and 3.7.1 some time and let’s see if auto updates do more harm than good. After 3.7.1 is released, WordPress.org will have a lot of useful data which I hope the team shares with everyone.
Update Control Gives You All The Automatic Update Options You Need
If you are looking for a plugin that adds options to the WordPress back-end to easily configure how auto updates work, check out Update Control. This plugin provides all of the auto update options you could ever want! No need to hack WP-Config or use constants.
I can’t wait to revisit this topic after the release of 3.7.1. By then, the core team will have some real world data to analyze.