1. Dr Gallagher

    “WordPress.org has the ability to turn on auto-updates [ for ] plugins”

    Where is that explained to the average user, and where can it be toggled off?

    While I appreciate the security reasoning behind this functionality, its in essence a hardcoded backdoor. Plugins can be updated against the will of the site owner.


    • Otto
      • Dr Gallagher

        Thanks Otto :)

        I had actually read the documentation not that long ago, which is rare for me brother! Even with a re-read just now, it doesn’t feel like it clearly states what this filters purpose is, when it why/when it would be used.

        There is no distinction between normal updates (major/minor) and security updates.

        Even the filter is just called ‘auto_update_plugin’, which someone might turn off (but would want critical security updates), or leave on for said critical security updates (but worry that plugins will auto update for major/minor releases).

        By default, automatic background updates only happen for plugins and themes in special cases

        It my opinion that ‘special cases’ needs some form of definition. As a site owner, if an external web service wants to update files on my server, I want to know under what circumstances.


    • Otto

      That is true, and I didn’t create this functionality in the first place, however we have used it extremely responsibly and only turned the flag on for very extreme cases, such as this one. But, you can turn it off if you so choose. It’s your site. It defaults to on for security updates only. And we’re really picky about security updates. We even require authors to backport for major versions, the same as WordPress itself does. It’s basically a full release process. Not easy to do, and fully transparent to all release personnel. I can’t sneak in something evil without dozens of people noticing.

      But, if you prefer to do it yourself, then I will happily tell you how to turn it off via filters. It’s documented. It may not be the best documentation, and that is a fair point. Improvements are welcome.


  2. Miroslav Glavic

    Anytime you do an update, there is a risk that the update will screw up the website. It can conflict with the theme you are using or other plugins.

    I am against any FORCED update. I am there to do updates, not any automatic way. So in case there is a screwup/conflict…I am there to fix things.

    I am sorry but there is never a reason for any plugin author, Automattic, the Tooth Fairy or even Santa Claus to essentially tresspass into my property (my website). I usually update within an hour or less whenever there is a core, theme or plugins update.


Comments are closed.

%d bloggers like this: