When a critical security vulnerability was discovered in Yoast’s SEO plugin this week, WordPress.org took the initiative to automatically update users’ sites with the patched version of the plugin. Many users were taken by surprise, given that the WordPress codex clearly stated that automatic plugin and theme updates are disabled by default.
Shortly after the automatic update rolled out, the codex page was updated to reflect the fact that in rare instances WordPress.org will automatically update your plugins and themes unless you opt to turn this feature off entirely. Many users are not comfortable with forced automatic updates, but the good news is that there is a filter to turn them off, including the WordPress.org security updates for popular plugins:
```php
add_filter( 'auto_update_plugin', '__return_false' );
```
Prior to this security issue, users were not aware that they had to opt out of these forced updates. On one side of the fence there are those who think it’s no big deal and are thankful that WordPress.org is proactive on behalf of user security.
On the other hand, there are those who are wary of forced updates from plugin authors who are notorious for pushing out problematic updates. The support forum for Yoast’s SEO plugin contains many threads regarding fatal errors following updates issued in the past.
In this particular case, Nick Haskins summarizes why he was not comfortable with WordPress.org’s forced update:
The plugin in question is Yoast WordPress SEO. If you’re not familiar with his plugins, the history of updates is awful. In the last two weeks, I’ve updated twice, and both times have resulted in fatal PHP errors which require FTP’ing into the site, to manually remove the plugin. Both cases were due to not checking if a file exists before loading it.
Those who are not comfortable with WordPress.org’s forced update policy have the option to turn updates off for particular plugins or for all plugins. If you opt to go the route of turning automatic updates off, there are alternative ways that you can stay up-to-date on plugin releases.
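Added illustration, not code from the article or from WordPress core: instead of switching every plugin to `__return_false`, the same `auto_update_plugin` filter can be used to keep background updates (including the security pushes) on for everything except a short list of plugins you prefer to review by hand. It assumes the filter's second argument is the update object whose `slug` is the plugin directory name, and uses `wordpress-seo` as the assumed slug for Yoast's SEO plugin.

```php
<?php
/**
 * Plugin Name: Per-plugin auto-update opt-out (example)
 * Description: Drop this file into wp-content/mu-plugins/ to keep background
 *              updates on for all plugins except the ones listed below.
 */

/**
 * Plugin slugs to update manually after reading the changelog.
 * Constructed list; 'wordpress-seo' is assumed to be Yoast's SEO slug.
 *
 * @return string[]
 */
function example_manual_update_plugins() {
    return array( 'wordpress-seo' );
}

/**
 * Decide whether WordPress may update $item in the background.
 *
 * @param bool   $update Core's own decision for this plugin.
 * @param object $item   Update object; ->slug is the plugin directory name.
 * @return bool
 */
function example_gate_plugin_auto_update( $update, $item ) {
    $slug = isset( $item->slug ) ? $item->slug : '';
    if ( in_array( $slug, example_manual_update_plugins(), true ) ) {
        // Record the skipped update so the admin still learns a new version exists.
        $version = isset( $item->new_version ) ? $item->new_version : 'unknown';
        error_log( sprintf( 'auto-update skipped for %s (new version %s)', $slug, $version ) );
        return false;
    }
    return $update; // leave core's default in place for every other plugin
}
add_filter( 'auto_update_plugin', 'example_gate_plugin_auto_update', 10, 2 );
```

Pair it with the email notifications described below so a skipped security update does not go unnoticed.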
Get Email Notices When Core, Plugin, and Theme Updates are Available
No site admin can realistically be expected to log into his site(s) and check for updates every day, let alone follow all the news surrounding plugin and theme security issues. The WP Updates Notifier plugin will monitor your WordPress installation for updates and will send you an email as they become available. It includes the following features:
- Set the interval of how often to check for updates: hourly, twice daily or daily.
- Sets WordPress to check for updates more often, meaning you get to know about updates sooner.
- Get emailed about core, plugin and theme updates.
- Choose if you want to be notified only about updates for active themes and plugins.
- Remove upgrade nag message to non-admin users.
- For advanced users there are a number of filters and actions you can use.
It would be truly awesome if WP Updates Notifier was also able to scan a plugin’s changelog for the word “Security” and tack it onto the email if it is applicable.
WP Updates Notifier can be useful even if you’re comfortable allowing WordPress.org to perform occasional forced updates to themes and plugins for security. You may be using a plugin that is not nearly popular enough to meet the criteria for a forced automatic update. Regardless, it may be useful for you to know as soon as there is an update available.
The important thing is to stay in the loop about potential security issues and get patches as soon as they are available. WP Updates Notifier lets you do that without having to allow any third party to update core, plugins, or themes on your server. The plugin is most useful when you have only a handful of sites or fewer. Otherwise, it’s probably better to utilize a central dashboard service where you check in regularly to see updates across all of your sites at once.
Your other alternative is to ditch plugins created by authors who you cannot trust to issue clean updates. That will put you in a better position to leave automatic background updates on, which is recommended for the vast majority of WordPress users.
It should be noted that forced security updates come from the WordPress Security Team, which tests them before they are pushed; they do not come from the plugin author. It isn’t Yoast pushing an update. :)