cPanel’s Site Software Addon Disables WordPress Auto Updates

A little more than two months ago, Derek Munson, who goes by the username Drumology2001, published a thread in the support forums. While performing maintenance on several WordPress sites on his virtual private server, Munson discovered a number of them running outdated versions. Versions ranged from 3.9 to 4.1 with at least one site using WordPress 3.9.2.

I’m used to seeing the ‘nag’ at the top of the screen that lets me know there’s a newer version available. I am not seeing that on any of these sites which aren’t on the newest version (4.1.1). When I go to Dashboard > Updates and click ‘Check Again’ to force a manual check, it’s still acting as though everything is up to date when it’s clearly not.

Initially, Munson thought All in One WP Security and Firewall was blocking update notifications. Mbrsolution, the plugin’s main developer, confirmed that it doesn’t block update notifications. After completing a number of troubleshooting techniques suggested by volunteers on the WordPress support forum, Munson installed Wordfence Security, a WordPress security plugin.

One of Wordfence’s noteworthy features is its scanner. It compares clean WordPress core files to those on the server and notifies the user if it detects a difference. The scan results showed that three files had been changed.


These files were only changed on WordPress sites that were installed using cPanel’s Site Software addon.

WordPress’ update.php file.
    function get_core_updates( $options = array() ) {
        $options = array_merge( array( 'available' => true, 'dismissed' => false ), $options );
        $dismissed = get_site_option( 'dismissed_update_core' );

cPanel’s update.php file.
    function get_core_updates( $options = array() ) {
        # cPanel override: Disable all core updates to prevent conflict with cPAddons.
        return false;
        $options = array_merge( array( 'available' => true, 'dismissed' => false ), $options );

WordPress’ update-core.php file.
    function core_upgrade_preamble() {
        global $wp_version, $required_php_version, $required_mysql_version;
        $updates = get_core_updates();

cPanel’s update-core.php file.
    function core_upgrade_preamble() {
        # cPanel override: Do not display the current or the latest version, because we've disabled updates.
        return;
        global $wp_version, $required_php_version, $required_mysql_version;
        $updates = get_core_updates();

WordPress’ class-wp-upgrader.php file.
    public function is_disabled() {
        // Background updates are disabled if you don't want file changes.
        if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS )
            return true;

cPanel’s class-wp-upgrader.php file.
    public function is_disabled() {
        return true; // Force this functionality to disabled because it is incompatible with cPAddons.
        // Background updates are disabled if you don't want file changes.
        if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS )
            return true;

The code added by cPanel disables core WordPress updates, update notifications, and automatic background updates to point releases. Once Munson restored these files to their original version, automatic updates and notifications worked properly.
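The kind of comparison that exposed these changes can be reproduced with a short script. The following is an added example, not code from Wordfence, cPanel or WordPress: it hashes every file in a known-clean copy of the same WordPress version against the live install, then searches the changed files for the comment strings quoted in the snippets above. The directory names and file contents in the demo are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Comment strings left in the modified files, as quoted in the article's snippets.
CPANEL_MARKERS = ("cPanel override", "incompatible with cPAddons")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def diff_against_clean(site_root: Path, clean_root: Path) -> dict:
    """Compare every file of the clean tree with its counterpart in the site.

    Returns {"modified": [...], "missing": [...]} with paths relative to the roots.
    Files that exist only in the site (plugins, uploads) are ignored on purpose.
    """
    result = {"modified": [], "missing": []}
    for clean_file in sorted(p for p in clean_root.rglob("*") if p.is_file()):
        rel = clean_file.relative_to(clean_root)
        site_file = site_root / rel
        if not site_file.is_file():
            result["missing"].append(rel.as_posix())
        elif sha256_of(site_file) != sha256_of(clean_file):
            result["modified"].append(rel.as_posix())
    return result


def find_markers(site_root: Path, rel_paths) -> dict:
    """Map each given file to the (line number, marker) pairs found in it."""
    hits = {}
    for rel in rel_paths:
        text = (site_root / rel).read_text(encoding="utf-8", errors="replace")
        found = [
            (lineno, marker)
            for lineno, line in enumerate(text.splitlines(), start=1)
            for marker in CPANEL_MARKERS
            if marker in line
        ]
        if found:
            hits[rel] = found
    return hits


# --- Constructed sample data: a two-file "core" with one file patched ---------
CLEAN_UPDATE = (
    "<?php\n"
    "function get_core_updates( $options = array() ) {\n"
    "    $options = array_merge( array( 'available' => true, 'dismissed' => false ), $options );\n"
    "}\n"
)
PATCHED_UPDATE = CLEAN_UPDATE.replace(
    "{\n",
    "{\n    # cPanel override: Disable all core updates to prevent conflict with cPAddons.\n"
    "    return false;\n",
    1,
)


def build_demo_trees(base: Path):
    """Create a constructed clean tree and a site tree whose update.php is patched."""
    clean, site = base / "clean", base / "site"
    for root in (clean, site):
        root.mkdir()
        (root / "update.php").write_text(CLEAN_UPDATE, encoding="utf-8")
        (root / "index.php").write_text("<?php\n// untouched file\n", encoding="utf-8")
    (site / "update.php").write_text(PATCHED_UPDATE, encoding="utf-8")
    return site, clean


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = build_demo_trees(Path(tmp))
        report = diff_against_clean(site, clean)
        markers = find_markers(site, report["modified"])
    return report, markers


if __name__ == "__main__":
    report, markers = run_demo()
    print("modified:", report["modified"])
    print("missing:", report["missing"])
    for rel, found in markers.items():
        for lineno, marker in found:
            print(f"{rel}:{lineno}: contains {marker!r}")
```

On a real server, `clean_root` would be an unpacked copy of the exact WordPress version the site reports, obtained from a source you trust.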

cPanel and cPAddons

Those who manage dedicated servers or virtual private servers with cPanel have the ability to use cPAddons. According to cPanel documentation, “Addons are applications that work with cPanel to perform functions for your users’ websites. Examples of these applications include bulletin boards, online shopping carts, and blogs.”

Open Dialogue With cPanel

George Stephanis, a WordPress core contributor and lead developer of Jetpack, publicly called out cPanel’s actions as a bad practice.

A representative of cPanel saw the tweet and responded that they’d like to receive more information.

Stephanis engaged in a lengthy conversation with cPanel representatives explaining why it’s a bad idea to disable core updates. cPanel disables WordPress’ native update system because it could cause conflicts with cPanel’s Site Software version of WordPress.

We generally release the latest version of WordPress within 1 to 5 days of the latest WordPress update. At a minimum, server administrators are informed each night of all Site Software applications that need updated. It is up to users to configure their notifications within cPanel to receive such updates.

The way our cPAddons tool tracks software is not compatible with the way WordPress updates, hence why we disable the auto-updates so we can track it through cPAddons.

cPanel goes on to explain how updates are handled for software installed using its Site Software cPAddon.

  • Whenever WP releases a maintenance build that addresses security concerns, we react very quickly to get our software updated to be available to customers.
  • By default, we define that software managed/installed through cPAddons is automatically updated when a new update is available.
  • Based on the above information, if the server administrator leaves the defaults enabled, once WP introduces a maintenance release that corrects security concerns and we’ve tested and updated our source for it, customers will receive the release automatically.
  • If the server administrator decides to disable automatic software updates, the end-user and systems administrator will still receive notifications that their installation is out of date accompanied with steps on how to update their application.

By default, software installed by cPanel is configured to update automatically, but some of Munson’s sites didn’t update. He also didn’t receive update notifications for those sites. cPanel believes there is something wrong with Munson’s server configuration and pledged to contact him to find out more information.

Based upon what Drumology2001 reported on the forum, it appears something is amiss on that server. We’d love to examine that server to determine why WordPress updates were not available to the user.

Based upon the fuzzy dates used on the forum and compared with our internal records, the 4.1.1 update was available to the Site Software system prior to the initial post. We’ll reach out to him to determine whether there is anything we can do there.

Receptive to Change

The good news is that cPanel is responsive and willing to make any necessary changes to improve the update process. Considering how many web hosting companies offer customers the ability to install WordPress with a one-click installer, it’s important that sites receive updates as soon as possible.

If you installed WordPress through cPanel’s one-click installer, check to make sure your site is running WordPress 4.2.2, which is the latest stable version.


49 responses to “cPanel’s Site Software Addon Disables WordPress Auto Updates”

  1. This could definitely be considered a big deal. I hate one-click installs anyway because I’d rather have complete control over my sites. Often you’ll get host-specific plugins they throw in there that aren’t always desirable.

    • Griffiths’ idea is so very bad (trying to manage low level processes with high level processes dependent on all the low level processes as was pointed out in the WP Tavern article comments) that hopefully that project won’t get off the ground to cause yet more harm to WordPress hosting.

      • I second this. Worst of all, the Griffiths idea is conceived after his distaste with the cPanel UI, but he’s just a web designer and I think he doesn’t know all the internal concerns of keeping up with a webserver. If he is so unhappy with the design, he should apply for a job with cPanel graphic design team and help improve it from within. Now that would be a good idea. Otherwise, he is making us lose time talking about his project.

        • Absolutely, Marcelo.

          There is space for a WordPress focused hosting stack with its own GUI. That GUI will not necessarily have anything to do with PHP: the control panel should be self-contained and continue working even if the full hosting stack is struggling and none of the WordPress sites it is supposed to control are even working.

          • A couple points:

            1) Dan Griffiths isn’t a designer by any stretch, he’s a developer, and a former Arch Linux core developer. He knows about low level systems.

            2) It sounds like y’all think HostPress is meant to let you manage your hosting account from within the WordPress install hosted in that account — not at all. It’s a separate system that uses WordPress as a ui layer and glorified version of BackPress — making HostPress easier for hosting companies to customize and style.

            Honestly, it’s shocking the assumptions you’re making in order to disparage a project you don’t understand.

          • @George: wait a minute. So, this HostPress is intended to work at low level? Right at the same level as cPanel actually does? Maybe I didn’t read the proposal on Indiegogo so thoroughly, or maybe he didn’t explain it as briefly but consistently as you.
            From what I’ve read at Indiegogo I understood this glorified WordPress would work in a special account, but within the /home directory. That’s what caused such opinions.

            Yet, WordPress needs a LAMP platform to work, so he will need to find the workaround to make it work well independently of the users wanting to use Apache or nginx, MySQL or Percona or MariaDB, PHP 5.3 or 5.4 or 5.5. He will need to develop a series of plugins to save settings using config files instead of storing them in the database to avoid impacting performance of the server. He needs to make this invention to be more platform agnostic in order to make the magic. Sincerely not sure if it is possible with WordPress, or even BackPress. But $150k may be a low budget for something that will have to work into several hundreds of hardware and software combinations.

            Also, cPanel, for example, has a very small memory footprint, lower than 5 MB in RAM. How will he improve that when the WP core load consumes at least 32 MB of RAM?

            If using BackPress, what will then happen? It will use the libraries, but it won’t be WordPress as we know it, right? I cannot recall this was explained at Indiegogo, and there’s where the confusion comes from.

            Anyway, every project has pros and cons, and use to have fans and detractors. So may the luck help you deal with it ;-)

        • I’m not going to argue the pros and cons of whether Hostpress is a good idea or not (that’s probably above my pay grade) but I am going to continue to be amused at people calling Dan Griffiths “just a web designer” (one, speaking as one of those “just a web designers” myself, and two actually being familiar with him and his extensive development background).

          • Just thought I’d step in and say thanks to Michelle and George for backing me up. They’re both right, I’m far from a designer. In fact, I rather suck at designing! I’ve been a developer since the eighties and, for most of that time, my development work was in the realm of Linux kernel and systems design. :)

            I’m going to leave it at that here (don’t want to hijack a post about something else), but I’ll be posting a more in-depth rebuttal today on the HostPress thread for anyone who has had anything negative to say about it thus far. Hopefully, I’ll be able to at least bring a few around to my side!

  2. “If you installed WordPress through cPanel’s one-click installer, check to make sure your site is running WordPress 4.2.2 which is the latest stable version.”

    I used that process on my very first WordPress website but don’t do it now.

    Well worth creating your own database and installing WordPress via FTP.

    Interesting story Jeff

      • I agree that the solution to disable auto updates could be more elegant and less invasive. Given what a moving target WordPress is, I can still see why cPanel decided to change those core files (those are really not site breaking changes and there are people in cPanel paying attention to WordPress updates).

        I wish WordPress would only do major database/structure breaking updates once/year and not every three months. It’s an extremely rude and unprofessional development schedule. Most of the people running the software want stable websites and security fixes, with annual improvements of functionality.

        WordPress core developers for the most part are almost as aggressively developer centric as new Apple has become. I.e. Apple doesn’t let you downgrade your telephone (even if it cripples your iPhone 4) or your Apple TV (even if it breaks Netflix surround sound for four months). This is just a single concrete example of developer centric behaviour as opposed to user centric behaviour.

        Stability and security are two key words missing in the WordPress lexicon. For its part cPanel understands security and stability very well. My experience as a cPanel WHM provider has been light years ahead of my experience as a developer of high end websites on WordPress.

        • Security updates should be pushed soonest. In as far as software updates that should be webmaster centric as perhaps they need try the update since it could potentially break functionality. Sometimes however both are unavoidable. In order to do a security update other updates must occur. Happens with Windows all the time, people don’t yell.

          From my short time with WordPress seems to me the developers take A LOT of extra effort to ensure they don’t break sites.

          But, this isn’t Windows. Instead it has lots of plugins/themes that do things in non-standardized to the application ways. That can cause problems. Those problems are not the fault of WP.Core. But the fault of plugin/theme creators who are cobbling things together and/or not keeping their software up to the dated changes/standards of the software evolution.

          It’s not like WP doesn’t as I said take obviously huge efforts to maintain stability, clearly they do. Microsoft doesn’t. How many pieces of software exist since 2006 that won’t work at all on Windows 8? Most of it.

          At Apple, they completely scrapped backward compatibility as they transitioned into Intel and out of Motorola.

          cPanel does what’s right for cPanel, that doesn’t mean users of WordPress.

          Most webmasters don’t care fuddle around with details, they want run their site(s). That’s as it should be.

          “Well they should know more than! To be a good webmaster means learning.”


          That’d mean to be a good Windows user they better know how Windows Update works or how to control a firewall at the port level or how .NET assigns roles and permissions on and on.

          All this is is Plesk’s way of going, “Not our problem. So avoid it.”

          I personally would think it good for WP to have a dashboard window that informs the webmaster about “Update!” Security .vs. Voluntary. If a WP webmaster works more front end or backend, have it pop on both with a “Dismiss” and “Accept”.

          This way they can’t say, “I didn’t know!”.

          • Very interesting perspective Rick. I’m trying to imagine the situation where it’s necessary to push application updates which change functionality at the same time as security updates. I’m not coming up with one (except the laziness of WordPress core team to maintain secure stable versions).

            WordPress’s success is NOT the core. WordPress’s success is the plugins. Every kind of site (photo, product, application, news, ecommerce) needs a different set. What makes each kind of site’s success are the plugins. Hence the modularity and the ease of creating and implementing plugins are what makes WordPress. If the WP platform is not stable enough to allow developers to support their plugins adequately (without turning plugin maintenance into a full time job), the update/release pace is ill-conceived.

            The WordPress release schedule shows a total lack of respect for business people and developer egocentrism. WordPress is successful in spite of itself. With better stewardship, broken sites and the mass hacking of WordPress would quickly become part of history. Once a product meets relative maturity, stability and security are its primary business requirements. Not developer skateboard tricks.

        • I wish WordPress would only do major database/structure breaking updates once/year and not every three months. It’s an extremely rude and unprofessional development schedule. Most of the people running the software want stable websites and security fixes, with annual improvements of functionality.

          1) It’s every four months. Three per year — mid April, August, December.

          2) WordPress ‘Major’ version releases are more akin to ‘minor’ releases on most other projects — we do our absolute utmost to not break anything on any updates. If you take a theme that was properly built using the right core APIs in WordPress 1.0 or 1.5 or whatever, you should be able to upgrade that site directly to 4.2.2 and everything would still work. So where you’re getting the idea that WordPress is shipping breaking updates three times a year, I really don’t know.

          • Hi George,

            Thanks for stopping by to spread the good word. Alas for you, it’s not my first regatta so I’m not buying it. I’ve been listening to the same horse manure about updates for the last eight years and cleaning up broken websites behind the so-called perfect updates.

            It’s exactly this holier-than-art-thou attitude which sticks in my craw:

            a theme that was properly built using the right core APIs in WordPress 1.0 or 1.5 or whatever, you should be able to upgrade that site directly to 4.2.2 and everything would still work

            Not the real world, George. To start with, “the right way” has always been a moving target.

            A recent example: 4.2.2 took down a slew of people’s larger WordPress sites with database issues. Once again it was up to Foliovision to lead the way in helping people fix their broken WordPress sites.

            4.2.2 was supposed to be a minor update. So go and sell your feel good propaganda to someone (with less experience) who is buying.

            WordPress is a terrible choice for business sites as it is not a stable platform and does not offer security updates. Building WordPress business sites is my business, so you can imagine how it pains me to write that. The WordPress update schedule is completely irresponsible, more suitable to high school bbs software than mature business calibre software. Site-breaking updates should happen once a year, not more.

            You and Automattic are misleading people deliberately for commercial advantage. It’s the same empty promise of BMW: great engineering and performance. Sure: when your car is running. I feel sick that I’ve sold so many people and small businesses on WordPress over the years and they have to spend so much time and money just to keep their website on the road.

            I thought stability and security would get better one day, but I now see it never will. The same reckless and irresponsible attitude permeates WordPress core now as when many of you were still in school (2007).

          • Being rather Noob to the WP scene I am curious as to Mr. Kinnear’s experiences in as far as the updating issues go. I sense bitterness (ya think!).

            This stuff isn’t rocket surgery in that we are speaking of an abnormally complex application. In fact, quite the opposite. Many a CMS is more complex under the hood but all CMS’s share in common is they are a simple web creation platform. These are not Grand Theft Auto 5 or even MLB 10 on a PlayStation Portable.

            The complexity arises due to third party addons. That’s not to say they are to be pointed at as “fault” zone. Just as you can use Windows and download some “my bad” application for it causing you to have much consternation on your PC. Not that long back in PC repair business thrived as “We fixed your PC, but we have to reinstall Windows XP” or “Windows Vista”. Most times, nothing wrong hardware wise with the PC at all. Just something fouled up Windows usually in Dynamic Link Libraries (DLLs), Root Kits which essentially link into the interrupt service routine vectoring (ISR) though not always. Point being, it’s not unusual for third party “anything” to screw up “first party anything”. Microsoft took great pains in moving through XP to Win 7. Vista was “transitional”. Windows 10 will be “transitional”. They mitigated “DLL HELL” as it was called through a variety of mechanisms fairly beyond scope of a simple blog message (even mine! I know, Jeff… “Thank the Lord, right” :) ).

            In old Windows an update might replace core DLL(s) be that a software or OS update. All of a sudden, things are becoming unstable. It used to be more you installed on a Windows PC less stable it tended become over time. Yes… Windows is infinitely more complex than WordPress Alex, but the same paradigms are present due to the extensibility.

            When a “core update” happens how does it affect a wide girth of WP installations? Mine goes fine, yours doesn’t, why? Is this due to us having the exact same codebase? The exact same database structure? The exact same plugins? Exact same versions being updated? Probably not.

            That’s where complexity enters the fray and this was also true of Windows not too awful long ago. CTRL-ALT-DELETE used to be among the most used keys on a Windows PC in as far as administrating a PC went.

            Microsoft re-invented not only the Update mechanism but the INSTALLATIONS mechanism as well as a TON of core code that loads both shared and restricted assets.

            This includes everything from versioning of applications right down to versioning of libraries managed by the OS and applications. It’s like “GIT” and “Source control” in several ways but actually built into the OS and quite a bit more.

            And with such measures what happened? A LOT of legacy software no longer will run. So, Windows “XP” or Virtual machines need be used for that legacy software.

            I can still write an application however in an unmanaged language like say GNU CPP that will make a complete mess of a Windows 8 PC though Windows has made that considerably more difficult.

            Let’s go with an example.

            You have three plugins installed, one of them does its own database tables within the WP database.

            It has several relationships that are dependent upon core data. A WP update due to feature or security matter needs to alter some of that core data. Yet, here sits a plugin relying on it. When the plugin initializes first thing it wants do is get that data for this session. Yet, what it gets is not at all what it expected. It crashes. Webmaster has a hard time now as he can’t even get into the backend because WP crashes. He has to manual like go in, rename the plugin so it doesn’t load.

            But the theme is reliant on plugin data, so now it crashes.

            WHICH and where does fault lay?

            For WP to maintain 110% backward compatibility that means any database update changing structure for example requires that it in fact NOT USE that update or lest legacy plugin / theme breaks. This is also true of codebase dependencies (or can be).

            An “undo function” sounds great but again, it’s not as simple as it sounds when an update breaks a theme or plugin that is initializing early. The codebase need have something sorta like “Safe mode” in Windows. And with “Safe mode” all forms of services in Windows won’t initialize for example. In WordPress, not initializing may mean it can’t be pulled up to a reasoned usable session for a webmaster.

            This is just a rather “simple” example.

            But again, the question arises is where does fault lay?

            I will tell you and this is true of Windows software going back to Windows 3.1 and what’s changed today.

            It’s the fault of the Plugin author(s) or the Theme Authors. HOW SILLY! NO IT’S NOT! Yes it is.

            NO IT’S NOT!

            Yes it is! LOL

            OK, WHY!

            Because one of the most dreaded parts of software engineering is making certain that DATA EXPECTED is actually what is received to the application NO MATTER the source of that data be it a user, a database, an XML file, RPC etc. It’s been said that a full 60-70% of many applications are handling “exceptions”. Thus, the plugin developer or theme developer should EXPECT bad data from the database or user and usually it’s quite a bit of code to deal with that. So, they don’t. It’s not just the checking for such exceptions but MANAGING them when they occur. So instead of “bellying up” the entire installation they gracefully degrade.

            I’ve looked at a lot of WP plugin and theme code and well… it’s just not done. Some just go die(“An error occurred”);

            A plugin author / theme author cannot KNOW that their code in advance will work with an update of WP in advance. They need update their code as core release occurs. So that’s chicken and the egg. To mitigate that means that the plugin/theme has to validate what it’s expecting. That might be as simple as checking the WP version and going, “Oh, we know we are valid through 4.0 but if 4.1 appears, we gracefully “shut off” “. Informing the user to check for a new plugin update or notes before re-enable.

            That’s the easy way out.

            Now… that said, as I noted. How exactly did Microsoft do away with most “DLL Hell” which is rather similar sorta/kinda.

            Well, it’s a managed environment at the operating system level. But, WP doesn’t have that luxury or nightmare. Linux is not a managed runtime environment to the extent Windows has become. MySQL is not a managed environment as much of MS SQL Server has become. PHP is not a managed language as C# or Visual Basic has become (sorta, PHP does manage many things, hybrid sorta).

            This is more like Adobe Photoshop. People producing addon filters and such.

            Adobe has taken GREAT pains to deal with Plugins, or say Firefox. With Firefox what happens with new updates? If a plugin is available and updated it installs it. If not, that plugin is gone.

            Rollouts test against the “most used” plugins before deployment of new versioning.

            But, that’s not to say “Adobe flash grabber” still doesn’t botch up. BUT again they are running in a managed environment, not what’s common in Linux, Apache/Nginx, MySQL and PHP.



            There is a difference in level of care.

            Microsoft was lambasted for YEARS because of instability, not due to Windows directly but indirectly. “Printshop worked, now there was this update and it crashes”. It’s Microsoft’s fault! Yes. And no. But great pains and just BUCKETS of code have gone into Windows now to make sure Windows does NOT give that blue screen of death.

            As an author of plugins or themes just as a good Windows programmer did and STILL DOES the developer MUST EXPECT in his codebase that everything and anything CAN and WILL go wrong. Whether that’s a user holding the “R” key 5000 times on an input that need be 16 characters or less or something changing in the relied upon code base.

            That means LOTS of extra code. Often MORE than the plugin code itself or perhaps theme code itself.

            That’s called “CARE”. But a free plugin author might not “CARE”. I made this, it’s of use, so have it free. You expect me jump when it doesn’t work? You expect me write 1200 more lines of code to make sure it’s happy until not? What part of free and of use perhaps didn’t we get?

            Let’s get even WORSE!

            At Theme Forest we have “Themes” that are more akin with a bucket of bolts. Here’s the actual theme. And here are 140 codebases from 120 different developers. Did we make sure those codebases are “CARE”ful? Of course not. We use Bob’s background changer, Judy’s Comment system manager, Gary’s Drag and Drop layout plugin, Christie’s cache component…. on and on and on… “SEE IT ALL WORKS AND ISN’T IT BEAUTIFUL! (at 5 megabytes per session!). YES IT IS!

            Update. All stops.

            Now we have to find what the offending plugin or theme issue is or sit in frustration awaiting developers (all 140 of em perhaps!) to release an update and hopefully all cobbles back together well.

            But that’s no different than a WP site that doesn’t come pre-packaged with buckets of other developers’ codebase.

            If one doesn’t use plugins or themes other than those included I am sure updates don’t tend result in crash-o-rama.

            But then, what’s the point? It’s all those nifty things that have people using WP? Right?

            So… WHAT IS THE ANSWER? Don’t do auto updates?

            Sure. And lots of sites are now vulnerable.

            DO JUST security updates? Irrelevant as any update can float up or down the codebase of plugins / themes.

            Enforce plugin/theme developers to code based on what commercial standards are as outlined above. Anything can and will happen, write your code based on exceptions anywhere/everywhere. Result: Bloated code, less sessions, more memory per session usage, slower sites.

            Solution: Managed runtime environment. Huh? Means WordPress be a managed framework under the hood. That generally means all access to function happen through STRUCTURED APIs. Things such as “Hooks” go out the window. The entire existing plugin / theme / codebase is also out the window. It means procedural code ends, Object Oriented code is required. Many developers may go, “Done.”.

            It’s literally recode the application, “WordPress Part Deux”.

            And even WITH that it doesn’t mean plugins or themes don’t come apart at the seams.

            I remember being given a codebase for a game. Had all sorts of issues and I was hired by a large publisher to fix them since I was assembly language aware. So, I set out on it. Fixed it all. Was VERY VERY happy with myself. My brother also a coder comes by. Shown him it, all proud of myself. He says, “So before you ship this back to them as the final you are 110% sure it’s solid”. “Oh, yea, I’ve spent hours and hours on end beating on it, pounding at the code… this is solid as can be”.

            He takes his hands and just mashes them on the keyboard over and over. Game locks up. “Guess its not as solid as you thought”. I was LIVID.

            Another solution? Move the codebase over to ASP.NET which is a managed environment. But again, even at that, doesn’t mean a plugin author or theme author is checking to make sure his code gracefully bellies up.

            For WP.Core it’s all double edged sword. I don’t say that because I am an “Aficionado”, I’m not an aficionado of anything. I’ve gone through too many beer bottle caps and hair over 35+ years of coding/technology to aficionado anything. If they don’t do the updates they are deemed irresponsible. If they do the updates and things break as it cascades in the codebases they are called incompetent. If they don’t add features to the codebase they get called “lazy” or “stagnant” or rumors start flying around.

            I’ve experienced all of it over 35+ years.

            But truth being truth none can say. Not you, not I until we walk in their shoesies.

            It’s like yelling at one’s computer monitor. Nothing tends to come back. In fact the day it does I shall retire. LOL.

    • I don’t understand people complaining about WP politics as there are alternatives. I don’t understand the concept of “WP should not evolve as plugins do not evolve”. It’s because WP evolved quickly that gives the opportunity to get more sophisticated plugins. If we look some years ago, there was no custom post, no featured image and these functions are critical for all portfolio/commerce plugins on the market. Who can say WP is “mature”? “Mature” does not mean “I make my money with this thing, I don’t want it to move because I will lose money and time”.

      The good example is video games with Windows. I never read something like “Windows 3.1.1 is mature and I can play Dune II with it so what’s the use to change Windows” ? If WordPress evolves, it will give more functionalities for plugins and themes. And it won’t be die like the “mature MySpace”.

  3. I’ve had good results with cPanel WP installs but I do Overwrite Everything (including the database) with a New imported WP website using the great plugin Duplicator.

    None of the sites I manage have had any issues with auto updates, so I can only guess this overwriting WP process eliminates this behaviour.

    Some benefits of installing WP with Duplicator are – Initial install is an Opening Soon site – Building Clients websites locally (localhost) is faster and more convenient – Make use of the cPanel auto backup feature…

  4. If you want an insecure, slow, outdated, and way behind everyone else, web site, then by all means use Plesk, cPanel, or any of those types of control panels, whether they are on a web host, or on your own server. Hire someone to setup your web server and web site without a control panel, except perhaps Webmin to do basic tasks, and tell them to make sure automatic updates are enabled for WordPress, plugins, and themes. Then to prevent theme problems, use a child theme.

    • Here they come, the open source messiahs. I assure you Todd that cPanel together with Litespeed (oh no, you have to pay again) matches highly tuned nginx blow for blow. The great thing about the combination is it just works and is compatible with all the legacy and intuitive Apache configuration (a tiny step to the left or a tiny step to the right with optimised nginx and you may no longer be serving at all or serving very inefficiently or your redirects just stop working).

      I concur that removing email from your cPanel server if you are planning to do serious web serving will improve performance significantly.

    • Yeah that’s Great Todd,
      Another example – If anyone wants a Secure and Fast Operating System use Linux without a GUI…
      No wait, that’s also behind the times :(

      (Not wanting to sound trolley) I do honestly see your point to some degree, however…

      GUI (Graphical User Interfaces) are used to help everyone, if it means slightly less resources because of it, then I’m fine with that as I’m sure most users of iphones, osx, windows, touch devices, and gamers (lol, surely nobody still plays those text games such as -> )

  5. I’ve been coding software since 1978 basically, before Windows, before web. Updating software has come A LONG ways.

    There can be several trains of thought in this:

    Incremental updates are usually the most common but these days with more function/OOP based code incremental updates get people even more upset. With part procedural and part OOP code things are more complex again.

    In Windows (.NET) they often WAIT on security updates figuring firewalls or malware tools will catch such holes. Then they push off a slew of updates as those security issues can creep up or down in the Windows codebase. That is to say, low level code security creeps up, high level can creep down, it’s all about dependencies.

    Windows update is fairly slick but it’s far more complex than one might think.

    Windows users have seen this over and over. Windows has updates that are instant, then ones as windows shuts down, then as windows starts back up. It’s the dependencies that are being dealt with and it can get pretty hairy. In fact, to this day a lot of applications won’t use it because of the complexity and within those processes there are also incremental updates taking place.

    The largest problem in updates and trying to retain maximum backwards compatibility in “plug enabled (extensible applications)” software is not JUST fixes, it’s trying to make sure things don’t turn into spaghetti code both at source code and the user execution side.

    PC Games up to perhaps the area of 2003 +/- 2 years suffered this. We’d have executable sitting out on people’s computers. So we’d issue patches, fix bugs, security issues are bugs. We’d literally do things as target a point in code, jump or call code that’s then affixed to the end of the executable. Patches based on locations in file. Pharlap and other companies provided the software to examine what need be patched and do it in a variety of ways. Was HORRIBLE.

    Point being, functions / classes may need fundamental changes that can cascade up or downward in the program logic.

    Thus with an app like WordPress we have 1. Security Updates / 2. Security Updates that require updates in other areas of the codebase due to dependencies and more and feature updates/changes.


    WordPress success… Well… Is it a sophisticated core? In comparison to what? Grand Theft Auto 5? No. Symfony? No. But, it’s highly extensible and has very good throughput with a pretty small resource footprint from my testing. That’s good.

    Is it “industry standard” extensible. Depends on the industry, it’s made its own. A lot of embedded code for example is quite procedural in industry where real-time performance with small footprints are required. There is A LOT to be said for that.

    I was rather shocked (am only an 8 week WP coder or so) to see lots of procedural code. But I didn’t go off the “Object oriented deep end” and I am a C++/C# kinda guy.

    Some coders years back used to call me “Art LinkLister” as I’d use linked lists for BUCKETS of code while far more sophisticated mechanisms existed. But to the client, my code worked, much less resource hungry and literally blew the doors off “the right way” in performance.

    Do plugins and themes make WordPress succeed? Yes. But at the same time Joomla, this one, that one, on and on, more CMS’s out there than messes these days don’t enjoy the marketshare of WordPress. Why? Because the core of WordPress is also easy to use and quite powerful at HOW it does it.

    Can’t have one without the other.

    Joomla core is more sophisticated than WordPress but better? Uh uh. I’ve dealt with Joomla for years. Drupal? Been there done that. Uh uh.

    “Better code” is not always “better” because it depends on the task at hand.

    WordPress.Core provides an exceptionally accessible codebase that’s highly versatile to beginner and experienced developer alike. Is it a framework with a wrapper. Not really as it’s pretty tightly bound whereas say Nette Framework is not tightly bound to apps written with it. It can be a good thing and a bad thing.

    Usually it’s good performance/resource wise and bad in extensibility and bugs can creep up or down the logic chains more readily.

    In as far as developers maintaining their code based on the core application. That’s software engineering 101. The ONLY difference is really quite simple. Developers are NOT using (or perhaps unavailable) beta builds. In Windows, Adobe doesn’t need wait to find a problem with Windows that impacts Adobe software. They have access to builds to test against.

    I presume WordPress has varied builds as well. It’s work. But that’s part of software engineering. WordPress.Core clearly makes a significant effort to stay compatible and have no doubts about it, that also impacts what can be implemented. It’s a constraint when it comes to advancing the application at a more rapid pace.


    Should WordPress be re-written to avoid such matters in its future? As that’s really the deal. Either a program is procedural or Object Oriented. Mixing can provide the best of both worlds but does so at the expense of rapid feature growth and USUALLY backward compatibility, hence, the efforts they take.

    If WP were coded Object Oriented, its performance will go down and resource footprint go up. It will lose A LOT of developers in the process. PHP does NOT excel at all in object orientation. Objects are all mapped to Array Buckets which chows memory and is far slower than a native language that is based in complex data types (C# or Java or C++).


    Security, I tend to agree and I am sure the WP.Core does as well. The codebase is mature enough that such things should not be creeping in. But they do. Windows codebase is mature, .NET very mature, but it still happens. These are BUGS and that’s how they need be viewed by developers and users. Unfortunate ones, but bugs nonetheless. The LAST people that want it happen is WP.Core. But, WordPress being so widely used is a natural target. Remember when MSIE was “The Web Browser” most folks used? It was having security hiccup after security hiccup and had an entire monster corporation scurrying around like ants trying to protect the brand.

    WordPress clearly takes the issue very seriously as they should as their security fixes releases happen fast and have to.


    I am not privilege to how WP.Core, the various volunteer teams operate. For example I do not know if a theme or plugin is vetted by a single person or a group. I have been critical of several things and as I have also learned more went, oh, guess what, I am wrong.

    Without knowing the internal eco-system it’s easy to be critical. I have done this and actually it’s wrong of me to do so and I apologize for that. From the outside looking in or “trying to” people jump to conclusions vs. actually seeking out information.

    Over the past week, when Sarah put up the one video of Mr. Nacin speaking I went, “Hmmm… Know what, this doesn’t sound like Joomla” when things were appearing similar from the outside looking in. Since then, I have sought some more information.

    Where I believe there are issues rotate around “product” and disconnection in varied areas. Core is doing this, Theme’s doing that, plug-in doing this, Envato doing that, developers all scrambling about.

    Whereas cohesion can make a significant difference. That’s between units and between all parties in those units and that is something that is always variable but needs to be brought as close to a constant as human personalities/skills allow.

    “Personal opinions” are valueless in as far as personal opinions go. But within them often are opportunities. Conflict can be viewed several ways. It’s often viewed negatively. In the Video Games industry conflict is sought. It makes for ideas, it makes for advancement, it’s not viewed in a negative context but instead one of opportunity.

    It becomes a REAL problem when the conflicts internalize amongst parties. That’s why it’s not allowed to go that far. Instead, conflict stays structured as that’s how team managers can siphon off the opportunity and use it.

    In games it happens right from word go with storyboards all the way through code, rendering, the works. Parties are not allowed to have “heated discussion” to and fro. Instead, as those things rear their heads it’s time for a “sit down” to siphon out opportunity and all parties walk away with a better spirit.

    See… it’s like this. All human beings. Human beings are multi-faceted. All ranges of emotions/personalities/belief systems all interacting in them. Dealing with others compartmentalized in who they are. No matter what the engineering project it lives in a defined box. The people don’t. Thus conflict is expected. But conflict does not need to be a “Let’s agree to disagree and place all on hold, come back to it later when people are less ‘spirited’”. That’s actually the BEST time when they are “spirited” to not only find opportunity but done “right” can even help those parties grow as people.

    Bing Gordon who used to be CEO of Electronic Arts taught me a TON.

    • We’ve used a number of different control panels and hosting stacks over the years, including Virtualmin with an nginx stack. High performance certainly but a real pain in the neck on which to do admin work. In performance terms, no better than commercial Litespeed with cPanel.

      Rolling one’s own is lovely. We wrote all kinds of plugins for WordPress to do basic issues, even like forms (actually John Godley coded it but mostly when working at Foliovision). The forms plugin is called Filled In. It’s enormously powerful. It’s not particularly easy to use for non-technical people. We’ve just made the move over to NinjaForms as it’s so much easier for our clients to make attractive forms with reasonable validation.

      The point is that rolling one’s own is a hobby if there are better commercial solutions out there.

      We tried to move away from cPanel (and mostly did). Performance was about equal between our optimised nginx Virtualmin stack and Litespeed/cPanel. When I did the accounting on hours vs costs of Litespeed plus cPanel, Litespeed/cPanel was ahead by dozens of hours every month.

      Basically rolling one’s own/open source ROI was negative in this case, while commercial software saved us a huge number of unbillable hours which could then be used on billable work.

      In most cases, rolling one’s own is like making your own wine or building your own car: hugely inefficient. That’s my lesson from the trenches anyway.

  6. I’ve used cPanel since 2006 and, as a sysadmin, I can tell you I would never switch to another Control Panel software, BUT… I’d never use the cpaddons. Ever. I REALLY LOVE CPANEL and am supportive and collaborate with them in the forums, but the cpaddons are open gates to third party software, which is always a hairy matter.

    cPanel screwed it up several years ago with their alliance with Attracta, which I personally led the motion to demonize because it’s a very bad idea, and finally they gave up on this.

    cPanel is doing it really well now, with a good new theme and a good API, but cpAddons are the only feature I wouldn’t trust (cpAddons and the brand new OWASP modsec rules whose default configuration also breaks WordPress sites). cpAddons wants to be its own mini Softaculous/Fantastico/Installatron, and like with the Griffiths idea, I say: if cPanel really wants to provide scripts from the server administration, they should buy one of those companies (Softaculous/Fantastico/Installatron) and integrate it within its core.

    So, only trust your website to Softaculous/Fantastico/Installatron/cpAddons if you are unable to pay a webmaster or sysadmin to keep up with those updates. Otherwise, read, learn, and DIY, since that’s the best way to avoid glitches.

    If you want something done well you have to do it yourself … or hire somebody capable of.

    • In fairness, Marcelo, I’ve only experienced the cPanel upgrade notices from Softaculous I think, from third party hosting we use from some small legacy sites. They worked well.

      We don’t use either cpAddons or Softaculous or Fantastico (we don’t want people installing any other scripts). I would like to thank you for taking the time to post in-depth the background information about the limitations of cpAddons.

      While I like cPanel a lot, we do everything we can to keep cPanel lean for fast serving (turning off as many services as we can).

  7. I’ve not had any issues with CPanel. The question here is more of what Hosting providers are allowing.

    The customer is paying for a service. The customer may not own the service but does own the website. What gives the Host Firm the authority to have software they are utilizing modify what is not theirs to modify.

    The customer need IMHO simply call the host firm, ask for someone in management. Explain the matter accordingly. If management states “That is our policy” you say, “Ok. So your policy is for your company to modify other peoples web interests without any prior notification or approval?”

    “There are myriads of hosting firms out there, I am sure this will go well with Hosting Review forums, tech sites I attend as well as our State Attorney General and Visa, Mastercard, Amex and Discover.”

    Wait for the silence.

    You will probably hear, “Well it’s Plesk CPanel doing this”. So respond with, “So? You’re telling me you allow a third party software company external of your hosting firm blatantly modify applications hosted by your company? In fact, modify the software preventing or interfering with updates procedures that deal with everything from security to application updates? I guess perhaps I was wrong. I may need to contact your State Attorney General and congressional representatives and show they need investigate this matter deeper and perhaps seek injunction. How many WordPress websites are hosted with your company? How many of them may be compromised due to this decision by your company to block critical updates?”

    “Ma’am, it’s not us, it’s Cpanel”.

    “My site(s) are not hosted at Cpanel. I pay your firm for a service, no more, no less. I presume that your company takes that service seriously. I presume that your service in hosting Internet web sites and services is completely aware of how imperative security and keeping software up to date is? Apparently some other influence is occurring for your firm to allow a third party software package that administrates web space and hosting features to not only interfere with websites but also modify the applications directly. What’s next? Plesk stealing people’s credit card information?”

    “This clearly warrants investigation by proper entities. Perhaps as well the WordPress community needs to set up a website of hosts approved that will not block features, remove the capabilities of updates thus keeping their blog sites, ECOMMERCE sites and all forms of WordPress websites secure. This way, your firm and those like it won’t need to worry about WordPress security since the well connected WordPress community can simply utilize web hosting firms that have that community and users best interests at hand.”

    “I will be encouraging all webmasters we are in contact with to do just as I have outlined beginning with their State Attorney Generals and Congressional representatives. This may affect countless hundreds of millions of people’s personal security and certainly many millions of websites.”

    “We will apparently all need seek hosting firms that do not allow third party software developers to set down policy or blatantly modify what amounts to personal property or business property without any notice, warning, correspondence or permission from those owners to do so. Then it will need be explained to Visa/Mastercard, American Express and other financial entities since they too have interests at stake. That of their clients who are billed for services as well as those users on the Internet whom may have identity matters exposed due to firms such as yours blocking what can amount to critical security updates. I am also certain some attorneys will see this as an opportunity seek damages. Perhaps some legislators as well as to why they need tighten the reins on what hosting firms are allowed and disallowed to do and ultimately what’s best for the public interest.”


    • And what about big companies like GoDaddy, Bluehost, Hostgator, that provide modified/customized/enhanced cPanel versions with tons of ads, useless services and features that don’t come natively within cPanel? And what about WP Engine and the like, also modifying the WordPress deployment and way of work? While the software is under GPL they can do WHATEVER they want, WHENEVER they want, and there is nothing to do. If you don’t like it, just don’t purchase from them. It’s a free world.

      The problem reported in the article IS NOT really the modification per se, is just the lack of evident notification to the users.

      That’s why I don’t recommend using cPAddons. Use it only if you are unable to pay an expert to deploy a WP install in your account, and to keep it up to date. Hosting companies won’t take charge, they simply have no time, they have bigger problems to keep under control.

      Also, if you just want to test these things out, test it in a staging account, not right in your production website…

      Take care :-)

      • Right on the nail, Marcelo. No one is obliged to use these companies’ services. These companies are not obliged to WordPress in any way. It’s free GPL software.

        I laughed out loud when I read Rick’s absurd comment. Then I got very sad for a moment when I realised that this kind of holier-than-art-thou WordPress aficionado mentality is really widespread.

        Hosting companies must respect what WordPress says and wants.

        Says who? If WordPress would offer security updates to stable versions, hosting companies wouldn’t be obliged to lock out autoupdate.

        I remember the days when Microsofties used to run around and tell people that they had to use their (bought) Windows computers the way Bill Gates said. Then we have the Apple fanbois proclaiming every kind of update hell practiced by Apple as some stroke of genius. Now we have to deal with the WordPress true believers, proclaiming the one true faith of their church.

        This kind of fanaticism is what led to the St Bartholomew’s Day Massacres in France. If you’d like to see just how bloody intolerance can get, don’t miss La Reine Margot with a scintillating Isabelle Adjani in the lead.

        • I am far from a WordPress aficionado as can be shown by my deletion record.

          No, hosting companies need not respect what WordPress says and wants. Hosting companies must respect what their clients want and be forthright in informing them of such things as, “Your CPanel or WP installation will not automatically update”. That’s just the common responsible thing to do. People run eCommerce via WordPress. A security issue not updated might afford access to the Database. While they might not mean card data it does mean order data, ship addresses and more. ALL of that is confidential. You can’t call Amazon and say, “Hey, My Neighbor Joe Joelson at 222 Bob Ave received a big box from you guys. What did he order? How much was it? Is his phone number on file? Can I have it?” That all falls into libel areas in the USA.

          I got screeched at for saying, “I’d never set up eCommerce with any open CMS”.

          Can’t argue the Microsoft / Apple deal. Part of market / product is to obtain and control marketshare. Just because this or that claims Open Source, Free, do as you please does not erase that paradigm.

          I am far from a WP fanatic, I wish I kinda were… be a lot more help to me, LOL.

          I developed commercial games for years. EA, EMI, Sierra, Atari, Dynamix, SSI and others. I burned out on it.

          Wanna really know “pressure” give that commercial industry a whirl.

          I learned Joomla core upside down, did quite a bit there.

          Latest project is actually all ASP.NET C# Enterprise level commerce application worth oodles and oodles and oodles of revenue as we transition from Web 2.0 to Unified Internet. It needs a CMS in support. Joomla couldn’t handle load. Not even close to what’s expected. WordPress, still working at it. If it can’t, well, then I will be off to the races having to code a fast .NET CMS. Base CMS wouldn’t bother me to code. Heck, in .NET most of it’s already there, it’s just piecing it together. But it’s the capabilities that’s the flush. WP we could do anything with.

          My fiance’ actually suggested maybe I contact Automattic to see if they want “in” on what I am doing as what I am doing actually cant really fail at least conceptually and its readily worth as much as is.

          • My point is when a person states “aficionado and fanaticism” they are making a broad band statement without engaging in actually looking at whom they are speaking to or making statement of.

            I am not an aficionado per se and far from a fanatic (at least in anything to do with technology). I have never really been a “this is better than that” person especially in software oh my gosh. I understand the thinking:

            Three sided fence. “I Love WordPress” – “I Don’t Like WordPress” – “I wish they did this WordPress”.

            I am none of the above. I don’t prescribe to fences.

            The “Point is” it is irresponsible for a hosting firm to not scream at Plesk about CPanel when in fact “automatic updates” are important to security of internet users using said websites and webmasters who may well stand at point of libel as a result.

            Irregardless if WP has the best or worst update mechanism on the planet.

            This is not a minor application like “Ricks Craft Beers CMS”. It is said to encompass 20%+ of Internet websites. Those websites are hosted at firms. Those firms get paid for a service. No place in that service does it say, when you’re signing up, “If you plan on using WordPress we block mandated updates on the software”.

            The host firms are paid for the service they provide. If they care step out of that via CPanel or not at the VERY least inform their clients and at the VERY most be upfront about it.

            Instead, now there sits a situation where who knows how many WP installs new or old may not get a critical security patch issued a day from now resulting in who knows how much commotion.

            That’s just not right.

            If something is seriously awry with Host Providers and WordPress update mechanism then take the time, get it all resolved.

            Again…. WHY did Plesk do this? That’s the question.

  8. The larger question is of course WHY is Cpanel doing this?

    I can’t imagine it’s “well updates take resources”.

    I CAN imagine them responding to host firms requesting it due to updates breaking sites and owners calling host firms to go “Help me!” and the host firms trying deal/keep customers.

    Either way, should not be there or at the very least a toggle, allow update or not.

    OR? Is this strictly for WP installs directly from Plesk? Not uploaded by Webmasters?

  9. I am with Marcelo on this. I always do manual installation myself, but if a person does not have the technical skills to do themselves, then they can use cPanel to do it, just be aware of the limitations.

    @Rick, I am sure all hosting companies’ TOS specifies something like this regarding how they do business, including using cPanel or other tool to do modifications. If a customer doesn’t like the way they do business, then they should not have checked that box when they signed up the service.

  10. Thank you Cpanel! The WP auto update feature is a function that has sideswiped more websites on more hosts than I care to count. A well intended disaster from beginning to end.

    As a rule, we disable the auto update for both themes and plugins via 2 lines in the wp config on every site we build.

    Of course we know it is incumbent upon us on any sites we manage to keep everything up to date – don’t even bother going there in this discussion. If after design the site is turned over to the customer to manage, they are advised and given a choice.

    I have seen too many sites which have either malfunctioned or crashed after the auto update (more of the former than latter thankfully).

    I will write to cpanel and urge them to change nothing, or at least make the auto update feature optional.

  11. The reason why cPanel blocks WordPress updates is because they cannot dedicate resources to support third party apps. They are already very busy attending to customer support about internal bugs and fixing things asap. In fact, they have an awesome support team.

    cpAddons is a feature that they could be probably planning to drop, since the UI itself hasn’t been upgraded in ages, and it doesn’t use the new look and feel and UI changes that their WHM panel does. I can then argue that could be a possible future for this feature. Hopefully.

    • We host through Codero on a dedicated server so I am really not exposed much to other firms. We have a server at 1&1 and no issues there.

      I presume WordPress is just FTP’n things?

      I’ve not looked at the update code.

      This was sorta discussed scant weeks back when the security issues occurred in context of manual vs. automatic updates.

      I am more for a manual update but can certainly understand those not wanting that. I am a .NET coder and would loathe the concept of doing Win updates by hand. Kinda funny when ya think about it. A person’s PC is far more at risk than a website security wise yet when it comes to a secure config of say Windows, webmasters will mostly be lost. Lots of ports, lots of manual firewall to configure. Kinda silly yet not, paradoxical. My firewall gets banged at about 1200-1500 times a day. But in all my years only once did I have issue. Was earlier in ASP.NET days. Was coding, went to go on the net and nuthin’. Call Time Warner. Told me my IP had sent out over 12,000 emails. I look and sure as little apples someone crawled in through IIS best I could figure.

      I’d be more in favor as noted in another thread of a notification in the Dashboard BIG AND BOLD about anything security update. And if the primary admin even comes in and does most administration from the front getting a security info popup, pop in… pop something.

      My only REAL concern as far as interests go is ongoing security. Since as I noted we are using WP in support (CMS support shell as is the plan) around another application done in .NET we don’t want to see whammies that bring things spiraling down on the CMS side. The codebases are completely independent, so the CMS getting hacked would not impact the ASP.NET app in the least. It doesn’t even know it’s there.

      WordPress was the next place to go after Joomla.

  12. I turned auto-updates off for ALL updates. I call it: being a responsible admin/owner and logging in on my websites and checking the updates option on my dashboards.

    I am subscribed to WPTavern & WordPress twitter accounts, I am also subscribed to over 50 members of the WordPress community, along with some of the people who actually work on core. Also Bob Dunn.

    When I update on my own personal site JetPack, TAC, Akismet and other plugins that ALL my sites have then I just log in the first site and that will tell me.

    I log in and check every morning for non-common plugins.

  13. Just a note. cPanel is STILL doing this. I’ve now disabled cPAddons and use Softaculous for software installs for my company. Starting to be able to count on cPanel less and less each year now. They are starting to just blame everyone else for everything, and most of their software is so far behind. Like why are you not supporting HTTP2 yet? Funny how our internal staff panel we build runs it no problem. But somehow cPanel can’t? They’re getting super lazy.

    Just to get my google search terms out there for others I’ll copy paste it here for SEO sake (Must’ve read 10 other sites before I found this solution here. Which WordFence worked awesomely I might add): no option to update wordpress only plugins and themes will update
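
Added example (not part of the comment thread, and not cPanel's or WordPress's own code): a Python check for the modification the article describes, an unconditional `return false;` at the top of `get_core_updates()` marked with a "cPanel override" comment. The two sample files are constructed from the excerpts quoted in the article, and every function name here is this example's own.

```python
import os
import re
import tempfile

# Comment text cPanel left in the modified file, as quoted in the article.
MARKER = re.compile(r"cPanel override", re.IGNORECASE)

# Constructed samples modelled on the two update.php excerpts in the article.
CLEAN_UPDATE_PHP = """<?php
function get_core_updates( $options = array() ) {
	$options = array_merge( array( 'available' => true, 'dismissed' => false ), $options );
	$dismissed = get_site_option( 'dismissed_update_core' );
	// remainder of the function omitted in this sample
}
"""

PATCHED_UPDATE_PHP = """<?php
function get_core_updates( $options = array() ) {
	# cPanel override: Disable all core updates to prevent conflict with cPAddons.
	return false;
	$options = array_merge( array( 'available' => true, 'dismissed' => false ), $options );
}
"""


def find_override_markers(source):
    """Return (line_number, text) for every line carrying the override comment."""
    return [(n, line.strip())
            for n, line in enumerate(source.splitlines(), 1)
            if MARKER.search(line)]


def _skip_comments(source, pos):
    """Advance past whitespace and PHP comments (#, //, /* */) starting at pos."""
    while True:
        while pos < len(source) and source[pos].isspace():
            pos += 1
        if source.startswith("#", pos) or source.startswith("//", pos):
            newline = source.find("\n", pos)
            pos = len(source) if newline == -1 else newline + 1
        elif source.startswith("/*", pos):
            end = source.find("*/", pos + 2)
            pos = len(source) if end == -1 else end + 2
        else:
            return pos


def function_short_circuited(source, name="get_core_updates"):
    """True if the first statement of `name` is an unconditional `return false;`.

    Returns None when the function is not defined in this source.
    """
    decl = re.search(r"function\s+" + re.escape(name) + r"\s*\(", source)
    if decl is None:
        return None
    brace = source.find("{", decl.end())
    if brace == -1:
        return None
    first = _skip_comments(source, brace + 1)
    return re.match(r"return\s+false\s*;", source[first:], re.IGNORECASE) is not None


def scan_install(root):
    """Walk a WordPress tree and report PHP files that carry the override
    comment or a short-circuited get_core_updates()."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.endswith(".php"):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            markers = find_override_markers(source)
            disabled = function_short_circuited(source) is True
            if markers or disabled:
                findings[os.path.relpath(path, root)] = {
                    "markers": markers,
                    "core_updates_disabled": disabled,
                }
    return findings


def demo():
    """Build a throwaway tree with one patched and one clean file, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        includes = os.path.join(root, "wp-admin", "includes")
        os.makedirs(includes)
        with open(os.path.join(includes, "update.php"), "w", encoding="utf-8") as fh:
            fh.write(PATCHED_UPDATE_PHP)
        with open(os.path.join(includes, "clean-copy.php"), "w", encoding="utf-8") as fh:
            fh.write(CLEAN_UPDATE_PHP)
        return scan_install(root)


if __name__ == "__main__":
    for path, result in demo().items():
        print(path, result)
```

A hit only tells you the file differs in this one known way; comparing every core file against a clean copy of the same WordPress version, as the Wordfence scan in the article did, covers modifications this pattern does not.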

