WordPress Automatic Updates – No Options For You!

Now that WordPress 3.7 is out in the wild and has already accumulated over 1.5 million downloads, the complaints are starting to roll in concerning the automatic update feature. On the Make.WordPress.core website where Andrew Nacin published a great guide on the different ways of configuring auto updates, users started questioning why there wasn’t an option in the back-end to either opt-out of auto updates or to configure how they operate.

The answer to that question is simple, as Andrew Nacin pointed out.

For the betterment of the web, we made a conscious decision to avoid a UI option. You’d be out of your mind to consciously avoid updating to fix a critical bug or security issue. We think the vast majority of users (many who don’t even know what PHP is) will celebrate this as a win in usability and security.

We very strongly pride in our core philosophies, including designing for the majority, making WordPress work out of the box with little configuration or setup, choosing decisions instead of adding options, and striving for simplicity. (Incidentally, that last section needs updating to emphasize we’ve now made updates even simpler.)

No Auto Updates For Desktop Software But Enabled For WordPress

I don’t have a single piece of software on my desktop or notebook that has been configured to automatically update itself. Instead, I always make sure I’m notified before any updates are to be installed. I usually review the changelog and then update as needed. With WordPress however, I’m willing to allow auto updates for minor and security releases to be enabled for two reasons. The first is that this site is constantly being backed up by VaultPress. I’m not worried if the site breaks during or after an upgrade. The second, I’ve rarely ever had a problem with WordPress upgrades.

There Are No Guarantees

The same concerns that were brought up when automatic updates were announced are still being voiced. The biggest concern users have is not being able to easily go back to a working version of WordPress should something break. At the crux of this particular concern is that automatic updates prevent people from creating backups immediately before the update process. The update process has failsafe after failsafe to prevent catastrophes from happening but there is no guarantee. By default in WordPress 3.7 and above, the only updates that will happen automatically are minor and security releases. Although they have different names, these releases can sometimes be the same thing. Andrew Nacin explained the differences.

It’s been stressed that these minor and security updates rarely break anything dealing with the core of WordPress. However, sometimes these minor changes cause a plugin or theme to break. Rarely doesn’t mean never. It’s this slight possibility of a site breaking that has prevented people from jumping on board to support the feature.

How To Make Upgrading Less Fearful

The best article I’ve read so far on this topic is from Mika Epstein entitled, Don’t Fear The Auto Update. While she doesn’t dismiss the fact that a site can break during an auto update, she provides a number of great tips that you can use so that upgrading is less of a frightful experience.

Yes, it’s defaulted to “on” because after intensive testing, and careful thought, WordPress core devs are pretty darn sure that these minor updates, which are more often than not security related, will not break a site. I’ll get back to breaking sites in a second. The point is that minor updates were picked specifically because it’s known that major upgrades can often break things.

If every time you upgrade WordPress, your site breaks, please follow her advice and do a plugin/theme audit.

My Thoughts

Normally, I’d be in support of adding an option to allow users to configure how auto updates work. In this case however, I understand the big picture. With WordPress being used on 20% of the web, the team owes it to the web in general to help users, as best it can, keep their sites up to date. This tweet by Andrew Nacin is a good example of the big picture.

The concerns raised are warranted and it only takes one experience of an auto update breaking a site to ruin things. Meanwhile, there were over 100,000 auto updates applied during the WordPress 3.7 testing period and not a single one of them failed according to Andrew Nacin.

Many of the terrible scenarios discussed are hypothetical situations. I say we give 3.7 and 3.7.1 some time and let’s see if auto updates do more harm than good. After 3.7.1 is released, WordPress.org will have a lot of useful data which I hope the team shares with everyone.

Update Control Gives You All The Automatic Update Options You Need

If you are looking for a plugin that adds options to the WordPress back-end to easily configure how auto updates work, check out Update Control. This plugin provides all of the auto update options you could ever want! No need to hack WP-Config or use constants.

Auto Update Plugin Options
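For anyone who does manage updates through constants rather than a plugin, here is an added example (not from the original post or from WordPress itself) of a defender-side check that reads a wp-config.php and reports which core auto-update policy its constants select. The constant names are the ones WordPress core reads; the function names and the sample file are constructed for illustration.

```python
import re

# String literals are matched first so comment markers inside strings
# (for example in the random salts) are not treated as comments.
_TOKEN = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|/\*.*?\*/|//[^\n]*|#[^\n]*""", re.S)
# Constants WordPress core consults before running a background update.
_DEFINE = re.compile(
    r"""(?i:define)\s*\(\s*['"](AUTOMATIC_UPDATER_DISABLED|WP_AUTO_UPDATE_CORE"""
    r"""|DISALLOW_FILE_MODS)['"]\s*,\s*([^,)]+?)\s*[,)]""")
# Raw PHP tokens that evaluate to false in a boolean context.
_FALSY = {"false", "0", "null", "''", '""', "'0'", '"0"'}

# Constructed sample, not a real site's configuration.
SAMPLE = r"""<?php
define('AUTH_KEY', 'x#9/*k|not-a-comment//z');   // constructed salt
/* define('AUTOMATIC_UPDATER_DISABLED', true); */
# define('WP_AUTO_UPDATE_CORE', true);
define( 'WP_AUTO_UPDATE_CORE', false );
"""


def read_constants(src):
    """Return {name: raw PHP value}; the first define() wins, as in PHP."""
    code = _TOKEN.sub(lambda m: m.group(1) or " ", src)  # drop comments only
    found = {}
    for name, raw in _DEFINE.findall(code):
        found.setdefault(name, raw)
    return found


def core_update_policy(src):
    """Classify core background updates as 'disabled', 'minor' or 'all'."""
    consts = read_constants(src)
    # Either of these, when truthy, switches the background updater off.
    for name in ("DISALLOW_FILE_MODS", "AUTOMATIC_UPDATER_DISABLED"):
        if name in consts and consts[name].lower() not in _FALSY:
            return ("disabled", name)
    core = consts.get("WP_AUTO_UPDATE_CORE")
    if core is None:
        return ("minor", "default")  # 3.7 default: minor/security only
    if core.lower() == "false":
        return ("disabled", "WP_AUTO_UPDATE_CORE")
    if core.lower() == "true":
        return ("all", "WP_AUTO_UPDATE_CORE")
    return ("minor", "WP_AUTO_UPDATE_CORE")  # 'minor' or unrecognised value
```

This only reflects what wp-config.php declares: filters registered by a plugin or mu-plugin can still change the effective behaviour, so a "minor" result is not proof that security releases are being applied.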

I can’t wait to revisit this topic after the release of 3.7.1. By then, the core team will have some real world data to analyze.

24 Comments


  1. I don’t have a single piece of software on my desktop or notebook that has been configured to automatically update itself.

    I used to be like you, but Chrome and later Firefox lessened and then eliminated my fear of auto-updating software. My advice is to embrace auto-updates in (almost) all of your software, and enjoy the extra time in your life.



  2. As someone who’s worked in IT 20 years, I find the team’s actions extremely cocky in not providing an option – they can’t know everyone’s use case and I’ve yet to meet a bulletproof system. Good luck to us.



  3. @Chris Finke – That’s a hard habit to break. I guess I should try it one piece of software at a time, starting with Firefox and Thunderbird, see how it goes.



  4. @Dave – I think anyone who might need an option (that is, anyone who has a legitimate reason to not want auto-updates) is capable of setting the constants or filters that disable updates for their sites.



  5. @Jeffro – Have you tried the Update Control plugin at all? Does it just rewrite your .htaccess according to your settings or does it handle it another way?



  6. @Cam – I installed it on my local host Wamp setup to see the options it provided. I did not actually test it. Why would it mess with .htaccess?



  7. @Jeffro – Sorry. Mental block. I meant wp-config.php. I had .htaccess on my brain because of the other post.



  8. @Cam – Well, I just checked my localhost’s WP-Config file and I didn’t see any commands in there that were part of the auto updates. I changed some settings and still didn’t see the changes in the config file. So, it must be doing it a different way, perhaps storing them in the database?



  9. @Cam

    Have you tried the Update Control plugin at all? Does it just rewrite your .htaccess according to your settings or does it handle it another way?

    No – as far as I know, there’s no way for a Plugin to write into wp-config.php – and I would consider it a pretty huge security risk if a Plugin could do so.

    Update Control uses the provided filters to enable/disable the various update options.



  10. @Jeffro

    So, it must be doing it a different way, perhaps storing them in the database?

    Nope; filters. Specifically:


    // Master switch: turn the background updater off entirely.
    if ( 'no' == $options['active'] ) {
        add_filter( 'auto_upgrader_disabled', '__return_true', 1 );
    } else {
        // Only an allowlisted value is ever interpolated into the filter name.
        if ( in_array( $options['core'], array( 'dev', 'major', 'minor' ) ) ) {
            add_filter( 'allow_' . $options['core'] . '_auto_core_updates', '__return_true', 1 );
        }
        // Plugin and theme auto updates are opt-in.
        if ( $options['plugin'] ) {
            add_filter( 'auto_update_plugin', '__return_true', 1 );
        }
        if ( $options['theme'] ) {
            add_filter( 'auto_update_theme', '__return_true', 1 );
        }
        // Translation auto updates are opt-out.
        if ( ! $options['translation'] ) {
            add_filter( 'auto_update_translation', '__return_false', 1 );
        }
    }

    (And similar filters for the update emails.)



  11. @Chip Bennett – Plugins can (and do) write to wp-config.php all the time. See WP Super Cache for the most common one I know of.

    However, wisely, this plugin uses filters :)



  12. @Ipstenu

    Plugins can (and do) write to wp-config.php all the time. See WP Super Cache for the most common one I know of.

    Huh; learn something new every day!

    Well, let me re-phrase: there’s no way I’m letting anything write to my wp-config.php! Heck, I don’t even keep it in the document root. (I’ll keep an account named “admin”; but nobody’s touching wp-config.php.) :)



  13. I do receive Chrome updates and although I know it is beneficial and I should embrace it, I would rather Chrome notify me in advance – simply because then I am not left wondering why so much memory/bandwidth hogging is going on during this period for no (initial) apparent reason.

    In two minds about this change: am sure I will come round to it though and love it, going by what the introduction of Dashboard plugin installation/updates has done for everyone.

    Will certainly be checking out the config on the Codex as I think it would be helpful if multisite admins, at least, have more fine-grain control over even minor/security updates.



  14. Picking up and extending just a bit on this:

    I don’t have a single piece of software on my desktop or notebook that has been configured to automatically update itself.

    For most Linux users, auto-update for security / critical fixes is no stranger in the case of individual apps. For Windows users, there’s Secunia PSI (free, as in ‘free beer’), if you care to look into it. I think it’s a great concept, and recommend it. Non-disclaimer: I’m not affiliated with them, beyond being an appreciative end user.

    Bottom line, auto-updates should be common, not exceptional. Certainly for WP I think it’s pure win.



  15. I don’t have a single piece of software on my desktop or notebook that has been configured to automatically update itself.

    I don’t think I have a single piece of software on any of my laptops that has not been configured to automatically update itself.



  16. Gotta agree with Ryan on this one. I configure everything to auto-update whenever possible. Too many pieces of software nowadays to be monitoring the interactions of all of them by hand. Ain’t nobody got time for that.



  17. Hey folks,

    A couple of people mentioned it here, and in a few other places so we decided to put in a simple configuration for WordPress automatic updates. Even if you don’t use any of the rest of the plugin, you could use this section, as the plugin only loads the parts that are enabled.

    The WordPress Simple Firewall ( http://wordpress.org/plugins/wp-simple-firewall/ ) now has an automatic updates section so you can tweak as you need. It retains the WordPress default settings when activated of course, but you can quickly and easily modify settings as you need.

    Happy to hear what you think.
    Cheers,
    Paul.



  18. I find it appalling that WP now UPDATES ITSELF AUTOMATICALLY and doesn’t offer a “Do you want auto-updates turned on or off?” pop-up or something when you first install wordpress!

    Lacking that, it should be DISABLED by default, not the other way around!

    I want to start a petition about this and strongly suggest WP to change it to what we the CLIENTS WANT, not what WP has decided for us!

    Remember, WordPress:
    This is the kind of behavior of big companies (Google, Microsoft to name two) that we the people DESPISE. So okay, for NOW you are the Big Dog and can get away with dictating to us (much like AT&T of old – remember the Lily Tomlin bit on Saturday Night Live: “We don’t care. We’re the phone company. We don’t have to!” – and we all know what happened to “the phone company”!), but eventually some other platform will come along – maybe one that listens to the desires of their clients – and WordPress will go the way of AT&T, MySpace, etc. YOU ARE NEVER TOO BIG TO FAIL DUE TO NOT GIVING YOUR CLIENTS WHAT THEY WANT!



    1. I wanted to add that the reason many of us do not want to auto-update is that we use plug-ins or themes that may BREAK if they have not been also updated to accommodate the latest WP version. So I would go to my plug-in or theme author first to see that it works well with the latest WP update BEFORE I update WP. I could also try the plug-in on a WordPress Domain that I keep just for this purpose, to see if it will work okay with the latest update.

      Another method would be to at least wait a month or so before updating just to give the plug-in and theme folks plenty of time to update their products.



      1. WordPress should, imo, dictate the defaults based on what is best for the ecosystem. And what is best for the ecosystem is a more secure WordPress.

        Do you remember the browser market before auto-update? Do you know how happy the web is now that legacy browsers are slowly becoming a thing of the past and we can take advantage of new features more quickly? Do you know how hard it is to fix security issues promptly when auto-update is not enabled?

        So with WordPress there was always an issue with updates breaking plugins and themes. That hasn’t changed, auto-update or not. The best plugins and themes are supported in such a way that these issues are minimized (good thing for devs to make their work stand out is, btw). It forces the developers to keep up to date and that’s a good thing too because that means more diligence is paid to keeping code bases maintained so they are secure & robust.

        It would be really bad to not set auto-update as the default because that encourages people to run outdated code. Vulnerabilities can have huge implications on a number of levels, not the least of which is WP’s general reputation (on which thousands of people now rely for their bread and butter).

        Of course you always have the ability to modify and disable auto-updates. The freedom is there to be used at anyone’s discretion.

        If you are running an ecommerce store, I bet it would be better to test before doing updates instead of having a store potentially crash on the chance that a conflict occurs.

        And it’s just a fact of life, the web is fast moving and requires continual vigilance, it’s a pain but unavoidable. Anybody running SSL and has had to reconfigure everything the past week knows it.

        There are tools out there & tools yet to be created that can help manage the pain of updating. Rolling back if an update is resulting in problems is a useful thing. Having a proactive backup policy. Easier ways of testing and moving things from a staging site to production. Those are all things that can mitigate the pain of updating. Definitely for commercial sites an investment must be made in these kind of tools.

