36 Comments

  1. Will Stocks

    I had a feeling this would happen… probably 80-90% of the comments from non-core people were against this. Core contributors in the most part are for it… there’s no formal decision yet, but I can already tell which way this will go 😔

    I’m fortunate in that it doesn’t directly affect me, but it’s definitely paving the way for it to. I’m also still wary that no one has actually responded about the potential legal implications, not just within the US, but also within other countries all around the world, as well as how post-update support will be managed for those sites that end up being knocked offline due to the update and have no support resource in place. WP would have to take this up, surely? Would they just roll those people back and EOL them?

    Here’s to hoping that the proposed solution is a much improved one.

    • Bastian

      I had a feeling this would happen… probably 80-90% of the comments from non-core people were against this. Core contributors in the most part are for it… there’s no formal decision yet, but I can already tell which way this will go 😔

      This is how it always works in WordPress. Some core devs propose a significant change, then they open some discussion channels to make it look like they’re listening to the users, and finally they close them and say thanks to the community for participating but a decision has already been made.

      • Bianca

        This is how it always works in WordPress. Some core devs propose a significant change, then they open some discussion channels to make it look like they’re listening to the users, and finally they close them and say thanks to the community for participating but a decision has already been made.

        This 100%. We’ve seen this before. It’s a recurring strategy to push unpopular ideas. Nobody seems to mind that lots of WordPress users do not participate at all in the community. And you just cannot make decisions on their behalf.

        Very curious towards a legal point of view.

      • PP

        This is how it always works in WordPress. Some core devs propose a significant change, then they open some discussion channels to make it look like they’re listening to the users, and finally they close them and say thanks to the community for participating but a decision has already been made.

        Really? “Some core devs” ? Oh, you mean the people who volunteer to create the software that you use for free? The people that spend night and day thinking about how to move WordPress forward to benefit the most people, help WordPress continue to grow and keep WordPress relevant for another 16 years?

        Believe me, those are the people you want making the decisions. The core team has the best long-term perspective. And yes, they don’t make decisions by committee because that’s a losing strategy. Are they perfect? No, but they’re doing the best they can and we need to support them even if we don’t always agree because they probably know more than we do about the decision.

        The alternative is to have the self-interested folks on this thread looking at it through their own myopic lens making the decisions who prioritize their own comfort over the future of WordPress. Imagine that. Wait, you don’t have to—look at the US political system. Believe me, we want the most credible, informed people who’ve demonstrated it for years making the decisions. They won’t always agree and it’s not the perfect process, but at least they’re making decisions that aren’t based on comfort or self-interest.

        If you think these decisions are incorrect, then start contributing to WordPress for years, show us how much you care, then you can make the decisions too. Until then, your actions tell us how much weight we should put on your opinions.

        WordPress doesn’t just get better automatically folks; it takes a team of dedicated people making the right decisions over long periods of time. Let’s trust them.

      • Bastian

        Are they perfect? No, but they’re doing the best they can and we need to support them even if we don’t always agree because they probably know more than we do about the decision.

        I’m not very much into sycophancy, thanks.

      • Bianca

        @pp
        There are quite an amount of people who contribute to WordPress in a non-technical way. Those may not be core contributors but they do contribute in some way. Basically the WordPress ecosystem is way too diverse to make any kind of conclusion, like claiming people are only self-interested. These people do exist too. There are also a lot of people who act as a bridge between end users and the community.

        In fact I see the opposite happening. The last couple of years big companies are taking over the community and are making the decisions. I’ve seen dedicated contributors for years step back from the community because of the way they’ve been treated by these company folks. This is poison to the community. This also goes for flaming and making assumptions on other people.

        Also no one is questioning the intention behind the idea. It’s the execution of the idea. You cannot say, hey you got this for free (which is often not even the case) so you do not have any rights. There is the GPL, which is a big USP for WordPress. Ommiting an act that goes against this is more harmful for WordPress than to go with an EOL.

      • Bastian

        In fact I see the opposite happening. The last couple of years big companies are taking over the community and are making the decisions. I’ve seen dedicated contributors for years step back from the community because of the way they’ve been treated by these company folks. This is poison to the community. This also goes for flaming and making assumptions on other people.

        Agreed. Nowadays, it’s devs paid by either Automattic, 10up or Human Made calling the shots in core.

  2. Cameron Jones

    WordPress is provided as is*

    * Except we’ll update the code on your site whenever we want to

    Because we’re all about providing freedom to the users

    🙄

  3. Sajan Kota

    This is going to make many website owners who are still on an older version of WordPress upset. It’s better to keep your WordPress updated as and when possible.

    What developers need to keep in mind is that they should not make changes to the theme without using a child theme. Also, developers should make sure that the website owners know that their WordPress websites should be updated as and when a new version is released.

  4. Otto

    Sites running 3.7 have been informally estimated at around 2 million but a definitive count has not been confirmed.

    This seems very, very much higher than reality. Where did this number come from?

    I would estimate this number at roughly a tenth or even less than that.

    • Matt

      Why so small? WordPress powers 30% of the entire web, 2 million sites is nothing.

      I see the massive issues auto-updating can present, but I also see another side to the story. WordPress has a bad reputation among a lot of people, outside of the bubble many WordPress developers live in. People find it clunky, people find it a massive security risk, and people find it lacking capability. These perceptions are not my own (I love WordPress), they’re my observations of opinions from others.

      That said, putting an end to the massive number of issues revolving around outdated sites and plugins is a must, it’s killing the reputation for the rest of us, which holds us back compared to where we could be. If someone specifically opted out of updates, good for them, leave them be, but if someone set up the site, and doesn’t even remember how to get to their Dashboard to maintain their simple site, too bad, you get updated, for the sake of the rest of us. To me, it’s like car insurance – you don’t get to drive without it. I’ve never needed mine, but I also can’t just claim that and be a liability on the road.

      It might not be fair to everyone, and there are certainly non-tech people who will have issues, but a hit now for a better future is worth it compared to where we’re heading.

      • Otto

        @Matt Two million sites would be quite a lot for 3.7, actually.

        Here’s the thing about the question “how many websites are there?”: It all depends on what you consider a website.

        For estimates that consider the number of domains and things, then you’ll generally see an answer in the 1-2 billion range. But then this includes domains that never get anything more than a landing page on them. Not exactly what I would consider to be an active website, or one that would run a CMS or anything of the sort.

        A more realistic estimate of what you and I would probably consider to be an active website would be in the 400 million-ish range. Of those, let’s say about a third are estimated to be running WordPress. According to the stats page on w.org, 3.7 is running on 0.137% of those. Even with the most optimistic math, that’s only 200k sites. Even that third number is a bit suspect, and the number from Builtwith says 30k. I suspect the real number to be in the 50k-100k range, at most.

        The 2 million reference cited on that make page is the number running 3.7 – 4.6 total, not just 3.7 alone. So, when discussing this proposal, consider that the initial starting set of bumping 3.7 to 3.8 would be for maybe 100k sites, maximum. It’s a very small starting point to work from, not a hugely major undertaking.

    • Sarah Gooding

      Comments on the proposal that cite Builtwith, probably not the most accurate https://make.wordpress.org/core/2019/08/07/proposal-auto-update-old-versions-to-4-7/#comment-36517

  5. PP

    Thank you, WordPress needs this.

    I understand the resistance, but this attitude is what will kill WordPress in the long run. The resistance to updating WordPress, updating PHP versions, Gutenberg, etc. is a problem.

    I get it, WordPress is 16 years old and not exactly a community of early adopters, but we have to be smart enough to see around corners and understand what we need to do to remain relevant–our market share isn’t guaranteed. Believe me, WordPress failing to progress and move forward will cause much more disruption in the long run.

    Yes, the status quo is comfortable, but stasis always is. It’s also deadly in the long run.

  6. Cavalary

    Again, just no. For no reason whatsoever, no way, not ever! Letting people stay on their version of choice AND knowing they’ll get security updates for it is a huge plus for WordPress, and with the other changes in recent years may be the only major one left.
    Regarding the choice, those three options there, I’ll always prioritize maintaining old versions, that most actual users – the people who just want to use the software to get something done, be it personal or business – are content and familiar with, over new stuff, which mainly just the developers particularly care for, plus a small number of users who want to be on the bleeding edge, often more to test and/or show off than for present needs and actual practical use.
    And regarding auto updates themselves, again, no, no way, not ever. Period. This is the developer taking over the reins of the site from the user, or whoever the user designated as their site admin. It’s what MS is doing with Windows 10 for crying out loud, and if that’s not a model of what NOT to do, what should never be acceptable for anyone, anywhere, I don’t know what is. And, as I see it was pointed out, finding themselves with a different version may well lead some users to believe that they’ve been hacked. And there’s no amount of warning and explaining that can make that right.

  7. Matt Porter

    Letting people stay on their version of choice AND knowing they’ll get security updates for it is a huge plus for WordPress

    That’s just not how software works, at all. It’s SO much work to do this. “Security Updates” aren’t this magical, modular side piece of code that you simply update, the security updates ARE the platform, it’s ALL the code. If it was that simple, hell yes, but it’s not, and it’s so detrimental to keep investing so much time and effort into dated code that needs to just die with the times.

  8. Gary Taylor

    Instead of forcibly updating sites, could they be forcibly expired?

    People have their reasons for not upgrading (assuming they’re still in control of those sites, or not dead) in the same way people have their reasons for not wanting to use the block editor.

    So if we’re going to forcibly update them, why not do it to a cut-down, restricted version of WordPress (say, based on 4.7), with no access to plugins or themes, cut-down Dashboard, no hijackable backend functionality… WordPress, in name only, but with an upgrade option should site owners wish to opt back in to a more modern WordPress experience.

    Not the easy option, I know…

  9. Heather Burns

    @Bianca

    By my reading, this proposal is completely incompatible with the latest draft of the ePrivacy Regulation. (For the non-policy types, that means “potentially completely illegal”.)

    There are certainly valid concerns about whether this would violate certain longstanding U.S. laws on computer misuse as well.

    A privacy impact assessment documentation process would have identified these issues, privately, but introducing a PIA process into project development was literally laughed down last year when the core-privacy team tried to raise it.

    • Bianca

      Thank you Heather for your detailed reply. Was hoping (and kind of expecting) this to be the case. At least it’s how I see it, but I’m not a legal expert.

      It’s a shame to read that your PIA efforts were laughed down. Not a first (coughs accessibility) if I’m not mistaken.

  10. Heather Burns

    It says a lot about the priorities of the WordPress project at this point in its existence that not only has user consent been ruled out of this plan, but the separate proposal to build a means for users to grant their consent over updates and other data transfers is gathering dust and crickets.

  11. Maxime Jobin

    We feel that responsibility too, and we’re going to do absolutely everything we can to make sure their site stays updated and they are running the latest and greatest version of WordPress.

    Is WordPress acting as a big brother or as Big Brother?

  12. Pete Shaw

    This is possibly illegal and definitely unethical.

    Website owners installed WordPress in the expectation that they would NOT be getting major upgrades. Changing this without the expressed consent of the owners is high handed, sets a terrible precedent, and breaks major trust.

    • PP

      @Pete Shaw

      How do you draw that conclusion? Why would anyone think WordPress wouldn’t get upgrades? WordPress updates are quite obvious in core, plugins and themes.

      For that matter, what software never gets upgraded and continues to function properly long-term?

      • Bianca

        Well for starters, if someone only gives consent for minor updates, they do not expect major updates to be included with that. There IS a legal difference.

      • Otto

        @Bianca Nobody ever gave consent for minor updates. Where is this consent screen? Where did you give consent, exactly?

        WordPress updates itself, and it has done so for six years. It never asked for your consent to do so.

        And if you turn it off, then it’s off. The power of auto update is entirely in your control and has been since the beginning. There is no override for “off”.

      • Bianca

        Hi @otto, You have a point there.
        I have mis-phrased a little in my reply to PP. What I meant, if the site has been set up/configured to only get the minor security updates but not the major updates (frankly a standard installation) that person does not expect major updates to happen on his/her website.

        Please keep in mind that there are a lot of WordPress users who haven’t set up their websites by themselves but hired a freelancer or agency to do so. Expectations are often set by them. Not all developers honor WordPress standards and in here lies a problem (how sad this may be, it’s in their right).

        WordPress provided the software package as is (without warranty). The build installation / configuration and communication is done by the hired developer. The communication where: setup criteria are being set (briefing), instructions are given and expectations are being discussed. Also there might be a legal document to be signed off where updates amongst other things are explained.

        A legal difference is partly applied by law (in my case EU law) and partly within the GPL (make it into whatever you want). For security updates you do not need an explicit consent (in draft as Heather pointed out) but major updates are legally different.

        Let me reiterate that I do get the sentiment behind the idea, but like many others already pointed out, the proposed approach is not the way to do it.

  13. Grant Price

    I believe that we may be leaving out the hosting companies themselves. They are also at risk because many of these outdated sites are running on their platforms. How about working with them to find a way to mitigate attacks on these older sites? They can either create a policy stating that WordPress has to be within a certain version OR possibly shut down sites that show issues.

    Unfortunately that is the only way that some of these sites will ever be updated. That is not illegal because site owners have to adhere to the hosting company’s policy or they can move their site. I do find it hard to believe that another hosting company would welcome an outdated site. I don’t believe we need to force an upgrade, but if the hosting companies can get involved, they can get the attention of the end user.

    • Otto

      For the most part, hosting companies that care have started force upgrading WordPress sites themselves. Many of the larger hosting companies go through their systems and use scripts and processes to update WordPress for everybody running it on them when new releases come out. And for the most part, they force major updates too.

  14. Sarah Gooding

    @nacin – It looks like she is referencing Builtwith stats for sites running on 3.7 – 4.6: https://drive.google.com/file/d/1KRj5yu35r3YeH0vfGBYDgZOdvK11CG6A/view

  15. Jean-Francois Arseneault

    I would like to add my voice to the people in strong disagreement of forcing major version updates using an Opt-Out mechanism, instead of an explicit consent with an Opt-In. Has the core team even checked if this is legal in every jurisdiction around the globe?

    While I do understand the security implications of running outdated software, I certainly do NOT understand how WordPress.org plans to grant itself the right to change client websites without their explicit permission on hosting they’re paying for, not WordPress.

    There may be business or technical reasons why a client’s website has not been updated.

    And there may be cases where a forced update will break a site (White Screen Of Death) or break certain functionalities from plugin / theme incompatibility, or other aspects that an automated rollback mechanism cannot detect as a failure.

    What happens if these forced updates break a site and cause financial losses to a client? Or public relations issues? Or customer dissatisfaction? Will WordPress be held legally liable? If not, why? … why could there be action without consequence from WordPress when without their action, the issue would not have materialized?

    In the end, I don’t think the “solution” of force-upgrading 3.7-4.6 sites is solving a big enough problem, that it warrants potentially creating an even bigger problem by running the risk of breaking sites and impacting WP’s reputation… what will we have gained, as a platform?

  16. Sammy

    This is possibly illegal and definitely unethical.

    Website owners installed WordPress in the expectation that they would NOT be getting major upgrades. Changing this without the expressed consent of the owners is high handed, sets a terrible precedent, and breaks major trust.

Comments are closed.