Plugin Team Draws a Line: Plugins Must Not Change WordPress’ Default Automatic Update Settings

WordPress’ plugin team has published a statement regarding plugins making changes to users’ update services:

Unless your plugin has the purpose of managing updates, you must not change the defaults of WordPress’ update settings.

You may offer a feature to auto-update, but it has to honor the core settings. This means if someone has set their site to “Never update any of my plugins or themes” you are not to change those for them unless they opt-in and request it.
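To make the boundary concrete, here is an added example of a plugin hooking WordPress core's own update decision without overriding it. It is not code from the article or from any plugin it mentions; the `example_` function and option names are hypothetical, and it assumes WordPress 5.5 or later, where per-plugin auto-updates are stored in the `auto_update_plugins` option and exposed through the `auto_update_plugin` filter.

```php
<?php
/**
 * Added example (not from the article or any plugin it names): offer an
 * opt-in auto-update feature that still honors core's update settings.
 * Function and option names prefixed "example_" are hypothetical.
 */

define( 'EXAMPLE_PLUGIN_FILE', __FILE__ );

/**
 * Runs on core's 'auto_update_plugin' filter. $update is already true
 * when the admin enabled auto-updates for this plugin in the Plugins
 * screen (WP 5.5+), and false when they did not.
 *
 * @param bool   $update Core's decision for this item.
 * @param object $item   Update item; $item->plugin is the plugin basename.
 * @return bool
 */
function example_honor_core_auto_update( $update, $item ) {
    // Only decide for our own plugin; never touch other plugins' settings.
    if ( ! isset( $item->plugin ) || plugin_basename( EXAMPLE_PLUGIN_FILE ) !== $item->plugin ) {
        return $update;
    }

    // Site-wide "never auto-update" (AUTOMATIC_UPDATER_DISABLED, the
    // automatic_updater_disabled filter, etc.) always wins.
    if ( ! wp_is_auto_update_enabled_for_type( 'plugin' ) ) {
        return false;
    }

    // Our own checkbox (hypothetical option, default off) may turn updates
    // on only because an admin explicitly ticked it. Otherwise defer to
    // whatever the admin chose in the Plugins screen.
    $opted_in = '1' === get_option( 'example_auto_update_opt_in', '0' );

    return $update || $opted_in;
}
add_filter( 'auto_update_plugin', 'example_honor_core_auto_update', 10, 2 );

// What the statement forbids is the unconditional version, which flips
// updates on for everyone regardless of what the site owner configured:
// add_filter( 'auto_update_plugin', '__return_true' );
```

Because the compliant callback returns core's own `$update` value unless the admin opted in, a site set to never update plugins stays that way, and removing the plugin's checkbox option restores core's behaviour exactly.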

The statement was prompted by plugins overstepping this boundary, which, up until recently, has simply been understood but not explicitly forbidden. Mika Epstein said the practice “destroys the faith users have in you to not break their sites.” It also reflects poorly on WordPress as a whole when plugin authors abuse core features to serve their own interests.

“Sadly, this happened recently to a well used plugin, and the fallout has been pretty bad,” Epstein said.

She did not identify the plugin in question, but one particular incident that happened last month bears a strong likeness to this description. On December 21, 2020, the All in One SEO plugin turned on automatic updates without notifying its users, aside from a short, ambiguous note in the changelog.

All in One SEO was active on more than 2 million WordPress sites when it rolled out this update. Many users were frustrated to discover that their sites had been updated without permission, despite having auto updates turned off for the plugin. The plugin’s developers removed the auto updates wrapper functionality from the plugin earlier this month, in favor of letting WordPress handle updates.

After this incident, those who were affected were left with questions. Should WordPress allow this practice? Should plugin developers be required to place a notice in the dashboard if they are going to flip automatic updates on? While many users are willing to trust WordPress core to do automatic updates in a safe way, some are not willing to extend that trust to plugin developers, whose quality of updates varies widely. The plugin team offering guidance and communication on this matter was absolutely necessary to deter aggressive plugin developers from destroying what is still a fragile trust in automatic updates.

“At this time, we have no plans to spell this out in a guideline,” Epstein said. “We do currently, regularly flag plugins that go outside their dictated (self defined) boundaries, and this is not a change. Please, respect your users.”

6 responses to “Plugin Team Draws a Line: Plugins Must Not Change WordPress’ Default Automatic Update Settings”

  1. It’s great to see some action being taken. This is not only a nuisance, it’s also potentially dangerous. Let users decide whether they do or don’t want to automatically update a plugin.
  2. Snerdey says:

    Smart move by the plugin team! Not everyone understands the importance of keeping a website updated. Indeed, it should be controlled and properly managed by a webmaster in order to keep the site working properly.

    Best is to customize your WordPress website and avoid overuse of plugins.
  3. Jason says:

    While most plugin developers are professional and are offering something valuable, it only takes a few malicious intent developers to destroy a site that may have taken years to establish. I know I have plugin conflicts and have to patch some files manually here and there, so if a random plugin updated itself and wiped out a hack and brought down a site, well I would be fuming mad. It’s hard enough keeping track of known updates and potential issues. I wouldn’t want to lose a day fixing something I never agreed to. With that said though, most of my sites have auto update enabled on everything, but a couple cannot be updated easily due to the potential conflicts from badly implemented codecanyon plugins that I was naively locked into by bad choices on my part.
  4. Fchaussin says:

    More generally, no plugin should change core options without admin user opt-in.
  5. Brian Ott says:

    I am 100% on-board with this decision by the plugin team. No plugin developer should be able to update a site without the owner’s express consent. I maintain dozens of WordPress sites and sometimes the smallest updates can bring great havoc. When I update I check all the sites after doing it to ensure it is good; with an auto update, you might find the site broken days or weeks after the auto update was applied. Not Good.
  6. Shawna Leigh says:

    Great job WordPress’ plugin team! Amongst others, I manage a great deal of WordPress websites and automatic updates are not something to take lightly. I feel for those millions of users that had potential site breaks and were forced to reach out for help. I try my best to keep my own clients informed about the importance of plugin updates, especially in today’s world. I’m excited that the plugin team has taken notice and action and appreciate the efforts put forth in creating such a wonderful platform to work with.