WordPress’ plugin team has published a statement regarding plugins making changes to users’ update services:
Unless your plugin has the purpose of managing updates, you must not change the defaults of WordPress’ update settings.
You may offer a feature to auto-update, but it has to honor the core settings. This means if someone has set their site to “Never update any of my plugins or themes” you are not to change those for them unless they opt-in and request it.
The statement was prompted by plugins overstepping this boundary, which, up until recently, has simply been understood but not explicitly forbidden. Mika Epstein said the practice “destroys the faith users have in you to not break their sites.” It also reflects poorly on WordPress as a whole when plugin authors abuse core features to serve their own interests.
“Sadly, this happened recently to a well used plugin, and the fallout has been pretty bad,” Epstein said.
She did not identify the plugin in question, but one particular incident that happened last month bears a strong likeness to this description. On December 21, 2020, the All in One SEO plugin turned on automatic updates without notifying its users, aside from a short, ambiguous note in the changelog.
All in One SEO was active on more than 2 million WordPress sites when it rolled out this update. Many users were frustrated to discover that their sites had been updated without permission, despite having auto updates turned off for the plugin. The plugin’s developers removed the auto updates wrapper functionality from the plugin earlier this month, in favor of letting WordPress handle updates.
After this incident, those who were affected were left with questions. Should WordPress allow this practice? Should plugin developers be required to place a notice in the dashboard if they are going to flip automatic updates on? While many users are willing to trust WordPress core to do automatic updates in a safe way, some are not willing to extend that trust to plugin developers, whose quality of updates vary widely. The plugin team offering guidance and communication on this matter was absolutely necessary to deter aggressive plugin developers from destroying what is still a fragile trust in automatic updates.
“At this time, we have no plans to spell this out in a guideline,” Epstein said. “We do currently, regularly flag plugins that go outside their dictated (self defined) boundaries, and this is not a change. Please, respect your users.”
It’s great to see some action being taken. This is not only a nuisance, it’s also potentially dangerous. Let users decide whether they do or don’t want to automatically update a plugin.