WordPress Poised to Begin Implementing Proposal to Auto-Update Older Sites to 4.7
WordPress contributors from around the world joined in a lively meeting yesterday to continue the discussion regarding the proposal to auto-update old sites to version 4.7 in a controlled rollout. The idea is that sites would gradually update from one major version to the next (not all at once). The discussion was led by WordPress 3.7 release lead Andrew Nacin with help from Ian Dunn and security team lead Jake Spurlock.
Based on the participants’ responses during the meeting, there were a handful of dissenters who are not comfortable with updating old sites without the site owner’s explicit consent, which is difficult to acquire when emails and admin notices will not reach everyone affected.
The majority of contributors are leaning towards finding the best implementation for moving forward with the proposal, which essentially makes a bold decision for regular users who may not know that they are not on the latest version of WordPress and those who have abandoned their sites. Site owners who are actively choosing to hang back on older versions have most likely already opted out of auto-updates, and those decisions will be respected by the update system.
Dunn said his goal for the discussion was to “listen for ideas, and hopefully move closer to some kind of decision.” At the beginning, it kicked off with more of a focus on marketing and implementation details, rather than the matter of whether or not WordPress should auto-update sites to major versions.
“I think that a major marketing push is needed around this,” Spurlock said. “We want to be ahead of any news about WordPress breaking sites, and in a position to frame this update as a major benefit for the millions of sites that are being updated.” After encouragement from WordPress Executive Director Josepha Haden, those eager to discuss the rollout process pulled back to engage the more central matter of the auto updates themselves. Spurlock summarized the three options the security team has for older sites:
1. Abandon security updates for older sites
2. Continue security updates, at great cost
3. Manually update sites, leaving older sites without updates.
“It’s worth pointing out that these site owners have already had up to six years of admin notices,” Nacin said. “The oldest sites likely received north of 30 emails. The way we might communicate a new feature (in say 5.3 or 5.4) to add support for major release auto updates might be drastically different than how we might handle an old site running 3.7 that we’d like to move to 3.8 and higher.”
Contributors Weigh the Consequences of Leaving Older Sites Without Updates
Core contributor Zebulan Stanphill was one of the more vocal opponents of auto-updating to major versions without consent.
“The auto-update feature in 3.7 was not advertised as including major updates, so it seems deceptive in my opinion to suddenly change it to include that,” Stanphill said. “It feels like assuming more control over a website than the owner had originally given to WordPress. I’m fine with auto-major-updates becoming the default in new versions of WordPress, but retroactively applying that to old versions seems wrong to me.”
Gary Pendergast, a full-time sponsored contributor to core, countered that the problem is potentially millions of site owners will not see the notice and will be stuck on old versions that will eventually become insecure. Stanphill argued that it’s not WordPress’ responsibility to update people’s sites for them if they did not give permission.
“It is our responsibility to not lay the groundwork for a botnet of a sizeable portion of the internet,” Pendergast said.
WordPress has a much larger footprint on the web than it did in 2013 when the auto-update system was put in place in 3.7. The platform’s marketshare has grown to 34.5% of the the top 10 million websites as of August 2019. Sites running 3.7 have been informally estimated at around 2 million but a definitive count has not been confirmed.
“If we unwittingly give someone a platform to do real evil, we’re big enough that could have consequences,” Core contributor Mary Baum said.
Lack of explicit consent and the possibility for breakage were the top two concerns for those opposed to the plan. Those in favor believe it can be done without breaking millions of websites. Former security team lead Aaron Campbell highlighted the advantages of a tiered update rollout:
Speaking of starting at 3.7 users as a test base (which is part of the plan Ian proposed), one of the great things we can offer users that they have a hard time doing themselves, is a slow update from version to version. The button in the dashboard of a 3.7 site will update the site to 5.2, which is understandably scary. We’d be updating 3.7->3.8, then 3.8->3.9, etc etc until 4.6->4.7. It’ll offer a smoother path from 3.7 to 4.7 AND give us plenty of places to improve on the process along the way if it’s needed.
I think there are some benefits to rolling up. One of those is the DB changes, which would be rolled out in chunks the same as they happened over the last 6 years rather than batched all in one update. It seems like it would cause fewer memory and time limit errors as well.
As he has stated in previous P2 discussions, Nacin reiterated that the core team’s plan has always been to bring auto updates for major versions:
I want to share a bit of history and context: Only the latest version of WordPress is, of course, officially supported. Automatic background updates in 3.7 (October 2013) completely changed the calculus—for the first time, we were able to ship security releases to older branches. But we didn’t announce or document these older versions, offer them for regular download, or expose them to the Dashboard → Updates screen. There was no intention—and still isn’t—to change our often stated policy that only the latest version of WordPress is officially supported. What we realized, though, if we are building the ability to quickly push security fixes to older unsupported sites, we’d be out of our mind to not use that feature.
We expected to make quicker progress on automatic updates for major releases, improving the safety and resiliency of those updates. That would have then enabled us to update these older sites, all the way back to 3.7, to more recent versions of WordPress. That was always the plan. We just didn’t expect it’d take us six years to get there.
Eventually, the long term goal is to change the default for major updates to “opt-out,” once they have proven stability. The proposal for auto-updating older versions to 4.7 would be the next step towards gradually moving in that direction. Nacin contends older sites “are already opted-in by virtue of being on an install of WordPress 3.7+.”
At a certain point in the meeting, the discussion surrounding the ethics of auto-updating older sites to 4.7, broke down into analogies involving car maintenance, vaccinations, rotting corpses, and anything contributors could pull from the real world to make their opinions more relatable to the topic at hand.
“It’s hard to talk about ‘autonomy’ for sites that have effectively been abandoned,” Mark Jaquith said. “Like, if you drop dead on the street, society doesn’t just let you rot there because you haven’t consented to burial.”
Core contributor John James Jacoby said he is not entirely comfortable with the implied consent of opt-out vs. opt-in but ultimately agreed that it is “something that needs to happen.”
“But to paraphrase Mark from earlier, I guess I feel like WordPress shouldn’t be cleaning it’s own carcasses from the web unless it includes a big’ol meta-box in the Dashboard that says ‘Hey we had to do this for you and here is why,'” Jacoby said.
Others are more strongly opposed to WordPress changing files on users’ servers, after having originally communicated that 3.7 would only perform automatic security updates unless they decided to opt into major updates.
“I am very much against pushing an unattended major update to any software,” Gabor Javorszky said. “WordPress Core does not have the authority to change code on my server without my explicit ask. I’m okay with it updating itself for minor versions, because that’s what I signed up for, and that’s how the current auto updater works by default. I can change it to allow major updates, and I can change it to not allow any updates at all, but WP overriding that choice is wrong.”
Michael Panaga contended that users would be more willing to understand that their old websites have been hacked, rather than find out that their sites have broken because of an unauthorized automatic update. Opponents of the proposal do not believe that it is WordPress’ responsibility to keep people’s sites from being compromised, even if millions of sites get hacked. They see this as the user’s problem or something hosting companies should handle.
“Reasonable people can and will disagree on this, but our philosophy is that we do not think it is solely the user’s responsibility if their site is hacked,” Nacin said. “We feel that responsibility too, and we’re going to do absolutely everything we can to make sure their site stays updated and they are running the latest and greatest version of WordPress.”
No official decision has been announced but those who have the power to implement the plan are firmly decided and seem to have gained a consensus through yesterday’s meeting.
“At the end of the day there’s only a few people who have the ability to push the change to the auto-update server to make this opt-out instead of opt-in and sounds like their minds are made up, so no point in continuing P2 [discussions], might as well move into the implementation phase and try to minimize the destruction,” WordPress developer Earle Davies said.
Nacin thanked contributors for lending their voices to the discussion and said there will be some follow-up posts and possibly a roadmap published to make/core in the coming days, documenting previous decisions back to 2007.
“I’m really glad you all showed up to talk about this topic,” Nacin said. “Even after 10 years, I remain deeply impressed with the WordPress community and how much it cares about its users. The web deserves it.”
36 Comments
I had a feeling this would happen… probably 80-90% of the comments from non-core people were against this. Core contributors in the most part are for it… there’s no formal decision yet, but I can already tell which way this will go 😔
I’m fortunate in that it doesn’t directly affect me, but it’s definitely paving the way for it to. I’m also still wary that no one has actually responded about the potential legal implications, not just within the US, but also within other countries all around the world, as well as how post-update support will be managed for those sites that end up being knocked offline due to the update and have no support resource in place. WP would have to take this up, surely? Would they just roll those people back and EOL them?
Here’s to hoping that the proposed solution is a much improved one.
Report
I had a feeling this would happen… probably 80-90% of the comments from non-core people were against this. Core contributors in the most part are for it… there’s no formal decision yet, but I can already tell which way this will go 😔
This is how it always work in WordPress. Some core devs propose a significant change, then they open some discussion channels to make it look like they’re listening to the users, and finally they close them and say thanks to the community for participating but a decision has already been made.
Report
This 100%. We’ve seen this before. It’s is a recurring strategy to push unpopular ideas. Nobody seems to mind that lot’s of WordPress users do not participate at all in the community. And you just cannot make decisions on their behalf.
Very curious towards a legal point of view.
Report
This is how it always work in WordPress. Some core devs propose a significant change, then they open some discussion channels to make it look like they’re listening to the users, and finally they close them and say thanks to the community for participating but a decision has already been made.
Really? “Some core devs” ? Oh, you mean the people who volunteer to create the software that you use for free? The people that spend night and day thinking about how to move WordPress forward to benefit the most people, help WordPress continue to grow and keep WordPress relevant for another 16 years?
Believe me, those are the people you want making the decisions. The core team has the best long-term perspective. And yes, they don’t make decisions by committee because that’s a losing strategy. Are they perfect? No, but they’re doing the best they can and we need to support them even if we don’t always agree because they probably know more than we do about the decision.
The alternative is to have the self-interested folks on this thread looking at it through their own myopic lens making the decisions who prioritize their own comfort over the future of WordPress. Imagine that. Wait, you don’t have to—look at the US political system. Believe me, we want the most credible, informed people who’ve demonstrated it for years making the decisions. They won’t always agree and it’s not the perfect process, but at least they’re making decisions that aren’t based on comfort or self-interest.
If you think these decisions are incorrect, then start contributing to WordPress for years, show us how much you care, then you can make the decisions too. Until then, your actions tell us how much weight we should put on your opinions.
WordPress doesn’t just get better automatically folks; it takes a team of dedicated people making the right decisions over long periods of time. Let’s trust them.
Report
Are they perfect? No, but they’re doing the best they can and we need to support them even if we don’t always agree because they probably know more than we do about the decision.
I’m not very much into sycophancy, thanks.
Report
@pp
There are quite an amount of people who contribute to WordPress in a non technical way. Those may not be core contributors but they do contribute in some way. Basically the WordPress ecosystem is way too diverse to make any kind of conclusion, like claiming people are only self-interested. These people do exist to. There are also a lot of people who act as a bridge between end users and the community.
In fact I see the opposite happening. The last couple of years big companies are taking over the community and are making the decisions. I’ve seen dedicated contributors for years step back from the community because of the way they’ve been treated by these company folks. This is poison to the community. This also goes for flaming and making assumptions on other people.
Also no one is questioning the intention behind the idea. It’s the execution of the idea. You cannot say, hey you got this for free (which is often not even the case) so you do not have any rights . There is the GPL , which is a big USP for WordPress. Ommiting an act that goes against this is more harmful for WordPress than to go with an EOL.
Report
In fact I see the opposite happening. The last couple of years big companies are taking over the community and are making the decisions. I’ve seen dedicated contributors for years step back from the community because of the way they’ve been treated by these company folks. This is poison to the community. This also goes for flaming and making assumptions on other people.
Agreed. Nowadays, it’s devs paid by either Automattic, 10up or Human Made calling the shots in core.
Report
WordPress is provided as is*
* Except we’ll update the code on your site whenever we want to
Because we’re all about providing freedom to the users
🙄
Report
This is going to make many website owners who are still older version of WordPress upset. Its better to keep your WordPress updated as and when possible.
What developers need to keep in mind is to make sure that they should not make changes to the theme without using Child theme. Also Developers should be make sure that the website owners that their WordPress websites should be updated as and when new version is released.
Report
This seems very, very much higher than reality. Where did this number come from?
I would estimate this number at roughly a tenth or even less than that.
Report
Why so small? WordPress powers 30% of the entire web, 2 million sites is nothing.
I see the massive issues auto-updating can present, but I also see another side to the story. WordPress has a bad reputation among a lot of people, outside of the bubble many WordPress developers live in. People find it clunky, people find it a massive security risk, and people find it lacking capability. These perceptions are not my own (I love WordPress), they’re my observations of opinions from others.
That said, putting an end to the massive number of issues revolving around outdated sites and plugins is a must, it’s killing the reputation for the rest of us, which holds us back compared to where we could be. If someone specifically opted out of updates, good for them, leave them be, but if someone set up the site, and doesn’t even remember how to get to their Dashboard to maintain their simple site, too bad, you get updated, for the sake of the rest of us. To me, it’s like car insurance – you don’t get to drive without it. I’ve never needed mine, but I also can’t just claim that and be a liability on the road.
It might not be fair to everyone, and there are certainly non-tech people who will have issues, but a hit now for a better future is worth it compared to where we’re heading.
Report
@Matt Two million sites would be quite a lot for 3.7, actually.
Here’s the thing about the question “how many websites are there?”: It all depends on what you consider a website.
For estimates that consider the number of domains and things, then you’ll generally see an answer in the 1-2 billion range. But then this includes domains that never get anything more than a landing page on them. Not exactly what I would consider to be an active website, or one that would run a CMS or anything of the sort.
A more realistic estimate of what you and I would probably consider to be an active website would be in the 400 million-ish range. Of those, let’s say about a third are estimated to be running WordPress. According to the stats page on w.org, 3.7 is running on 0.137% of those. Even with the most optimistic math, that’s only 200k sites. Even that third number is a bit suspect, and the number from Builtwith says 30k. I suspect the real number to be in the 50k-100k range, at most.
The 2 million reference cited on that make page is the number running 3.7 – 4.6 total, not just 3.7 alone. So, when discussing this proposal, consider that the initial starting set of bumping 3.7 to 3.8 would be for maybe 100k sites, maximum. It’s a very small starting point to work from, not a hugely major undertaking.
Report
Comments on the proposal that cite Builtwith, probably not the most accurate https://make.wordpress.org/core/2019/08/07/proposal-auto-update-old-versions-to-4-7/#comment-36517
Report
Those numbers suggest there are about 30,000 sites on 3.7, not 2 million.
Report
The number 2 millions include all versions up to WP 4.6 (!). Taking into account that the Gutenberg Editor was replacing the classic editor in WP5 it is no wonder that a huge number didn’t take the step to WP5 whereas the number for WordPress 3.7 users is relatively small.
Report
Thank you, WordPress needs this.
I understand the resistance, but this attitude is what will kill WordPress in the long run. The resistance to updating WordPress, updating PHP versions, Gutenberg, etc. is a problem.
I get it, WordPress is 16 years old and not exactly a community of early adopters, but we have to be smart enough to see around corners and understand what we need to do to remain relevant–our market share isn’t guaranteed. Believe me, WordPress failing to progress and move forward will cause much more disruption in the long run.
Yes, the status quo is comfortable, but stasis always is. It’s also deadly in the long run.
Report
Again, just no. For no reason whatsoever, no way, not ever! Letting people stay on their version of choice AND knowing they’ll get security updates for it is a huge plus for WordPress, and with the other changes in recent years may be the only major one left.
Regarding the choice, those three options there, I’ll always prioritize maintaining old versions, that most actual users – the people who just want to use the software to get something done, be it personal or business – are content and familiar with, over new stuff, which mainly just the developers particularly care for, plus a small number of users who want to be on the bleeding edge, often more to test and/or show off than for present needs and actual practical use.
And regarding auto updates themselves, again, no, no way, not ever. Period. This is the developer taking over the reins of the site from the user, or whoever the user designated as their site admin. It’s what MS is doing with Windows 10 for crying out loud, and if that’s not a model of what NOT to do, what should never be acceptable for anyone, anywhere, I don’t know what is. And, as I see it was pointed out, finding themselves with a different version may well lead some users to believe that they’ve been hacked. And there’s no amount of warning and explaining that can make that right.
Report
Letting people stay on their version of choice AND knowing they’ll get security updates for it is a huge plus for WordPress
That’s just not how software works, at all. It’s SO much work to do this. “Security Updates” aren’t this magical, modular side piece of code that you simply update, the security updates ARE the platform, it’s ALL the code. If it was that simple, hell yes, but it’s not, and it’s so detrimental to keep investing so much time and effort into dated code that needs to just die with the times.
Report
Instead of forcibly updating sites, could they be forcibly expired?
People have their reasons for not upgrading (assuming they’re still in control of those sites, or not dead) in the same way people have their reasons for not wanting to use the block editor.
So if we’re going to forcibly update them, why not do it to a cut-down, restricted version of WordPress (say, based on 4.7), with no access to plugins or themes, cut-down Dashboard, no hijackable backend functionality… WordPress, in name only, but with an upgrade option should site owners wish to opt back in to a more modern WordPress experience.
Not the easy option, I know…
Report
@Bianca
By my reading, this proposal is completely incompatible with the latest draft of the ePrivacy Regulation. (For the non-policy types, that means “potentially completely illegal”.)
There are certainly valid concerns about whether this would violate certain longstanding U.S. laws on computer misuse as well.
A privacy impact assessment documentation process would have identified these issues,l privately, but introducing a PIA process into project development was literally laughed down last year when the core-privacy team tried to raise it.
Report
Thanks you Heather for your detailed reply. Was hoping (and kind of expecting) this to be the case. At least it’s how I see it, but I’m not an legal expert.
It’s a shame to read that your PIA efforts were laughed down. Not a first (coughs accessibility) if I’m not mistaking.
Report
It says a lot about the priorities of the WordPress project at this point in its existence that not only has user consent been ruled out of this plan, but the separate proposal to build a means for users to grant their consent over updates and other data transfers is gathering dust and crickets.
Report
Is WordPress acting as a big brother or as Big Brother?
Report
This is possibly illegal and definitely unethical.
Website owners installed WordPress in the expectation that would NOT be getting major upgrades. Changing this without the expressed consent of the owners is high handed, sets a terrible precedent, and breaks major trust
Report
@Pete Shaw
How do you draw that conclusion? Why would anyone think WordPress wouldn’t get upgrades? WordPress updates are quite obvious in core, plugins and themes.
For that matter, what software never gets upgraded and continues to function properly long-term?
Report
Well for starters, if someone only gives consent for minor updates it does not expect major updates to be included with that. There IS a legal difference.
Report
@Bianca Nobody ever have consent for minor updates. Where is this consent screen? Where did you give consent, exactly?
WordPress updates itself, and it has done so for six years. It never asked for your consent to do so.
And if you turn it off, then it’s off. The power of auto update is entirely in your control and has been since the beginning. There is no override for “off”.
Report
Hi @otto, You have a point there.
I have mis-phrased a little in my reply to PP. What I meant, if the site has been set up/configured to only get the minor security updates but not the major updates (frankly a standard installation) that person does not expect major updates to happen on his/her website.
Please keep in mind that there are a lot of WordPress users who haven’t set up their websites by themselves but hired a freelancer or agency to do so. Expectations are often set by them. Not all developers honor WordPress standards and in here lies a problem (how sad this may be, it’s in their right).
WordPress provided the software package as is (without warranty). The build installation / configuration and communication is done by the hired developer. The communication where: setup criteria are being set(briefing), instructions are given and expectations are being discussed. Also there might be a legal document to be signed off where updates amongst other things are explained.
A legal difference is partly applied by law (in my case EU law) and partly within the GPL (make it into whatever you want). For security updates you do not need an explicit consent (in draft as Heather pointed out) but major updates are legally different .
Let me reiterate that I do get the sentiment behind the idea, but like many others already pointed out, the proposed approach is not the way to do it.
Report
I believe that we may be leaving out the hosting companies themselves. They are also at risk because many of these outdated sites are running on their platforms. How about working with them to find a way to mitigate attacks on these older sites? They can either create a policy stating that WordPress has to be within a certain version OR possibly shut down sites that show issues.
Unfortunately that is the only way that some of these sites will ever be updated. That is not illegal because site owners have to adhere to the hosting company’s policy or they can move their site. I do find it hard to believe that another hosting company would welcome an outdated site. I don’t believe we need to force an upgrade, but if the hosting companies can get involved, they can get the attention of the end user.
Report
For the most part, hosting companies that care have started force upgrading WordPress sites themselves. Many of the larger hosting companies go through their systems and use scripts and processes to update WordPress for everybody running it on them when new releases come out. And for the most part, they force major updates too.
Report
Otto,
That may be case with managed hosting but it is NOT the case with shared hosting (and this is the majority, I think)
Pete
Report
@Pete This is not entirely true. Patchman for instance is a solution patches vulnerabilities.
Report
@Pete Nope. Shared hosting has done it too. Some companies have even released scripts they wrote to find WordPress installs and force update them on their servers.
I have heard the please “Update. Or find a new host.” I agree with this phrase.
Report
@nacin – It looks like she is referencing Builtwith stats for sites running on 3.7 – 4.6: https://drive.google.com/file/d/1KRj5yu35r3YeH0vfGBYDgZOdvK11CG6A/view
Report
I would like to add my voice to the people in strong disagreement of forcing major version updates using an Opt-Out mechanism, instead of an explicit consent with an Opt-In. Has the core team even checked if this is legal in every jurisdiction around the globe?
While I do understand the security implications of running outdated software, I certainly do NOT understand how WordPress.org plans to grant itself the right to change client websites without their explicit permission on hosting they’re paying for, not WordPress.
There may be business or technical reasons why a client’s website has not been updated.
And there may be cases where a forced update will break a site (White Screen Of Death) or break certain functionalities from plugin / theme incompatibility, or other aspects that an automated rollback mechanism cannot detect as a failure.
What happens if these forced updates break a site and cause financial losses to a client? Or public relations issues? Or customer dissatisfaction? Will WordPress be held legally liable? If not, why? … why could there be action without consequence from WordPress when without their action, the issue would not have materialized?
In the end, I don’t think the “solution” of force-upgrading 3.7-4.6 sites is solving a big enough problem, that it warrants potentially creating an even bigger problem by running the risk of breaking sites and impacting WP’s reputation… what will we have gained, as a platform?
Report
This is possibly illegal and definitely unethical.
Website owners installed WordPress in the expectation that would NOT be getting major upgrades. Changing this without the expressed consent of the owners is high handed, sets a terrible precedent, and breaks major trust
Report
Comments are closed.