23 Comments

  1. Bianca

    Completely agree with the statement of David Anderson. Simply put, it’s not the call for wordpress.org to make. Existing installs should be left alone by anyone except for the site administrator and/or its hosting provider, without any explicit consent. Yes, unmaintained WordPress installations are bad. But interfering in this manner is far worse.

    • Chuck

      The fact that WordPress has the ability to do this could in and of itself be interpreted as a security flaw.

      • Michael Babker

        The entire auto-update infrastructure is a standing security risk as it allows a third party to inherently install or upgrade software on your system. The risk isn’t limited to the fact WordPress has the capability to roll out a major upgrade to what could be considered an abandonware website.

  2. PP

    I hope this happens.

    I understand the resistance, but this attitude is what will kill WordPress in the long run. The resistance to updating WordPress, updating PHP versions, Gutenberg, etc. is a problem.

    I get it, WordPress is 15 years old and not exactly a community of early adopters, but we have to be smart enough to see around corners and understand what we need to do to continue moving forward. Believe me, WordPress failing to progress and move forward will cause much more disruption in the long run.

    The status quo is comfortable, but stasis always is. It’s also deadly in the long run.

  3. Nigel Rodgers

    Hypothetically speaking, what if some of those pre-4.7 branches actually have custom 3rd party updates?

    “Don’t play nanny” David Anderson, well said.

  4. Will Stocks

    I’m a proponent for security and the principle behind this action (one of my comments is featured in this article) but what I don’t like is the approach and seemingly “forced”-ness of this action. I personally run things on the bleeding edge wherever possible. I also want to highlight I am a big fan of the recent movements the core team (and the rest of WP) have taken and the direction in which WP is going! But this isn’t right.

    I can’t help but feel that this is paving the way for something else… this definitely lays the foundation for giving WordPress a LOT of power on the internet. There was a thread where it was mentioned that plugin and theme auto-updates could follow this… really?!

    The distinction between .com and .org needs to be managed here. Just because WP can, doesn’t mean WP should.

    Not doing this in no way kills WordPress, as suggested by “PP”. Why is it WP’s fault if a user remains on an old version? Why is it WP’s fault if a user uses an old PHP version? What next… they define our themes for us? Why can the rest of the internet/world manage this in a more suitable manner, but WP has to take this approach? How is WP going to manage the support for all of the sites/user workflows they break?

    This should 100% be opt-in, NOT opt-out. Simple. Implied consent is not consent.

  5. Miroslav Glavic

    This will make it worse in the community.

    Admins will get lazy, why bother to do anything when WordPress.org will do it for you?

    WordPress.org, Matt Mullenweg, the plugin authors of all my sites, the theme authors……….STAY OUT OF MY SERVER.

    The hundreds or even thousands of people around the world that help fix hacked sites….might lose some jobs if W.org will do it automatically.

    As part of my maintenance packages, I provide updating.

    Updates can break things from time to time. What if I am on vacation? What if I am at a conference somewhere in a different continent without access to wifi/internet, to fix things?

    • Ryan Hellyer

      But you presumably don’t have sites that old or you would have upgraded them by now. So this seems somewhat moot in your situation.

      • Will Stocks

        @Ryan – This won’t just apply to the current situation. It does now, but it’s simply paving the way for a future process. This will come forwards to all releases and those won’t come with the same warning window/grace period. It has already been stated in the comments by multiple core contributors!! Not only that, but they’re pushing for it to be implemented on plugins and themes in the future… you can’t think that this is ideal surely?

      • Miroslav Glavic

        @Ryan What if I am on vacation from September 1-10 and an update comes on September 3. I won’t be doing the updates during vacation. But for a week any of my sites could be broken. Hence I don’t want auto-updates. I want to do manual updates. That way if there are issues with the update, I can fix them, instead of (in the example above) wait a week.

  6. Samuel

    Who wants to have a website should take care of it. Point! If I don’t update my PC for 6+ years, don’t be surprised if the apps/software don’t work anymore. I do not understand the whole discussion…

    • Bianca

      Basically you are right. Meaning as in, it’s the responsibility of the owner so it should be his or her choice to run the updates or not… and so suffer the consequences of that choice. If that means EOL so it shall be.

      Updates should never be forced by anyone other than direct stakeholders in the process (e.g. the hosting partner). WordPress.org isn’t one in my opinion. This is what the discussion seems to be about.

      To me a non-stakeholder interfering with your installation without an explicit opt-in consent is just wrong.

  7. Terkuma John

    Would probably prefer to manually do the updates.

  8. Trishan

    I wholeheartedly understand and support Dunn’s proposal to auto-update the older versions of WordPress since legacy versions could have serious security issues which could prove damaging to the entire WordPress ecosystem.

    In addition, if a site gets attacked or hacked simply because of a backdoor entry through outdated WordPress installs, it gives WordPress for no fault of the developers.

    • Maxime Jobin

      “legacy versions could have serious security issues which could prove damaging to the entire WordPress ecosystem”

      Like what? What could damage the entire WordPress ecosystem?

  9. Bridget M Willard

    We’re talking about almost 2 million sites.

    https://docs.google.com/spreadsheets/d/1euCkU05W6yEHtTg1IElsKwPlEqiMrZmu98Cp0ZwuAao/edit#gid=0

    I left a comment on the core thread, but it’s awaiting approval.

  10. Sajan Kota

    WordPress.org should not force to upgrade to the newer versions. It is up to the admin of the WordPress website whether to upgrade or not.

    I totally agree with this:

    “If someone didn’t update their site, they did so for a reason. Or indifference. Either way, we have no right to go in like this and modify people’s websites.”

  11. Milan Petrović

    Considering what goes on with the user’s privacy and other rights that EU and some other parts of the world try to protect (with more or less success), I think that auto-updates (even minor version) are currently completely illegal, and are done using implied consent, which is known to be illegal when gathering user data or doing something on the user’s behalf.

    If core team working on updates need something to do, I would suggest making changes to WP installation to ask the user to agree to the updates (select between minor and major), store that in the database and have the option to change it in the plugin settings. That can be considered legal explicit consent to do something on the user’s behalf.

    Sending major updates to outdated WordPress websites is totally unacceptable for so many reasons, and in most cases I am sure, it will end up with a broken website. As a few people pointed out already, outdated websites are outdated for a reason: the owner doesn’t care anymore or is stuck with the outdated plugin/theme/customization that will break with the new WP version.

    And the fact that WordPress.org can do this doesn’t give anyone the right to do it; we all should be scared of the implications, especially since updates are even now done without any consent.

  12. Maxime Jobin

    What is the problem that we’re trying to solve?

    It’s a PITA to support all old versions of WP. Ok, I get it. So why not simply drop the support, period? Microsoft does that, PHP does that… and so should WordPress.

    I have Windows XP (SP 1) with Netscape Navigator and guess what… I got hacked. My problem.

    At SatelliteWP, we do maintenance so we understand exactly the “why” of this. It saddens us to see people not take care of their site. But, at the end of the day, we can’t save people that don’t want to be saved. We simply have to move on.

    Here is the thing that bothers me the most:

    How will you update these old versions to the latest version as the process does not exist now?

    The answer: adding a “new feature” in a security release. Exactly what was done in WordPress 4.9.6 and explained in the article: Warning: WordPress 4.9.6 Really is a Major Update.

    My take: keep developing this great software and provide patches. Let people and web hosts manage the “when”.

  13. Dan Neumann

    I don’t think this is an all or nothing issue. The beauty of WordPress is that it allows a great degree of freedom in how people build websites using their platform. However, freedom is and can never be unlimited.

    Automattic is not making everyone adopt blocks and the major changes of version 5.0 yet. They are gradually making what I feel are reasonable requirements on people who use their platform and that is to make sure their websites are compatible with a version that came out in 2016. I think this is a good balance.

    • Bianca

      There is a difference between wordpress.org and wordpress.com which I feel not everyone grasps.

      “Automattic is not making everyone adopt blocks and the major changes of version 5.0 yet.”

      “…on people who use their platform….”

      WordPress.com may be owned by Automattic, .org isn’t. Although they contribute a lot to .org as well, the software on .org is open source (GPL).

      And because of this software being open source no one other than the site owner (or server owner) of that particular installation (configuration) is supposed to make these kinds of changes to it.

      One of the freedoms is to adapt it and make it into whatever you like. If you want to change the core, (although not wise) go ahead. I’ve actually seen developers do this, changing the core. Wise? No! In their right? Yes! That’s the whole philosophy behind the idea of open source, opposed to proprietary software.

      I think no one is questioning the intention behind the idea of building a safer internet, but stay on track who is the one that makes the shots on existing installations.
