homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / Code, Content, and Presentation / WordPress
Forum Library, Charter, Moderators: lorax & rogerd

WordPress Forum

WordPress v3.7 is here
time to update

 12:21 pm on Oct 25, 2013 (gmt 0)


Big News! Automatic updates!

With WordPress 3.7, you donít have to lift a finger to apply maintenance and security updates. Most sites are now able to automatically apply these updates in the background. The update process also has been made even more reliable and secure, with dozens of new checks and safeguards.



 4:58 pm on Oct 25, 2013 (gmt 0)

And just in case you don't want auto updates, you can disable them. See Andrew Nacin's (@WordPress Lead Developer) post about how here: [make.wordpress.org...]


 9:14 pm on Oct 25, 2013 (gmt 0)

This is dangerous territory IMO. and Andrew Nacin is being too cocky by saying it is "incredibly, incredibly safe".

An autoupdate may be fine today but who knows what plugin will cause a site to break or even open up a security hole in the future?

I totaly lock down my WP sites. You can't login, change things .... unless a switch is thrown. I dread to think what's going to happen if an autoupdate tries to take place at 3am.

For that reason I'm not auto updating. I will carry on looking out for security alerts and updating when I am in a position to roll things back if the update breaks something.


 11:40 pm on Oct 25, 2013 (gmt 0)

I looked in vain for a way to select opt out, then I read the article on the link, they sure aren't making it easy, oh well


 9:30 pm on Oct 28, 2013 (gmt 0)

Automatic update for new version is a stupid thing to do because of plugins and theme compatibility issue.

But it can be done for old(previous) version as they can check if the current plugins and theme are compatible or not.

BTW, I am not updating it now. Actually, I almost never update immediately. I prefer to wait for few weeks.

Those who are updating, don't forget to take backups before doing so.

travelin cat

 9:57 pm on Oct 28, 2013 (gmt 0)

Yeah, I do not like this auto updating at all. I have had compatibility issues a few times with plugins. I always wait about a week after a new version to update and I always make a backup of the root in case something goes horribly wrong.

There should be a simpler way to disable this.


 2:26 am on Oct 29, 2013 (gmt 0)

I think, on balance, this will prove to be a +. Having fewer hacked sites/servers is a +. Being a less appealing target to the mass of hackers will be a +. Having the ability to "be away from a site" (on vacation, etc) and not having to check for updates/hacks is a +.

I agree that some risk for conflict with plugins exists but I do my best to minimize my dependence on plugins.

My opinion will be subject to change with experience . . :-/.


 4:47 am on Oct 29, 2013 (gmt 0)

>> My opinion will be subject to change with experience . . :-/.

I wish you to NEVER get such bad experience. But reality can be different!


 1:49 pm on Oct 29, 2013 (gmt 0)

It's a huge benefit for the community and for you even if indirectly.

A significant number of the 7 million installs of WordPress are security hazards because they are not kept up to date. I've seen plenty that are several versions behind. Ignorance, fear, and technical ineptitude - it doesn't matter, the installs are not kept up to date by people that love the convenience of a WordPress site but fail to keep it up to date. And that puts us all at risk.

For those that don't want the auto update feature, you can disable it. The core developers foresaw the need and accounted for it. A simple switch added to the wp-config.php file:

Read more here: [make.wordpress.org...]

4. Disable only core updates.
The easiest way to manipulate core updates is with the WP_AUTO_UPDATE_CORE constant:

# Disables all core updates:
define( 'WP_AUTO_UPDATE_CORE', false );

# Enables all core updates, including minor and major:
define( 'WP_AUTO_UPDATE_CORE', true );

# Enables core updates for minor releases (default):
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

Auto updates are a great thing for the community because it will reduce the number of zombie sites compromised by hackers and used to launch any number of malicious attacks. It will take a while to filter out the current stock of zombie sites but they will go away eventually. As the security improves, the size of the bullseye will become smaller, and thus your site become less interesting to a would be hacker.

Think forward. The core development team has been working hard to raise the level of quality and reliability of the Plugin development community. This release lays the foundation for a safer and more secure web. From the same article by Andrew Nacin:

Itís worth noting that the ďautomatic updaterĒ controls more than just WordPress core. If the updater finds it canít or shouldnít update, itíll still send site administrator an email. (Want to disable only that? Itís also covered in this post.) The automatic updater also supports themes and plugins on an opt-in basis. And by default, translations (for themes, plugins, and eventually core) are updated automatically. At some point in the future, the WordPress.org plugin security team will be able to suggest that installs automatically update malicious or dangerously insecure plugins. Thatís a huge win for a safer web.

It's a step in the evolution of the platform and entire community of developers - core and plugin. I imagine you will always be able to edit core, theme, and plugins. The point is for those that like the convenience of auto update OR are unable to manage updating their WP installs, WordPress will manage it for them.


 2:26 pm on Oct 29, 2013 (gmt 0)

Despite the fact that auto-updating a production site isn't *normally* a good thing, this is a good thing. There are so many fire-and-forget wordpress installs out there that never get updated... At least if they auto-update and break it'll get people's attention.


 6:01 pm on Oct 29, 2013 (gmt 0)

Despite the fact that auto-updating a production site isn't *normally* a good thing

Never, ever ever ever ever ever a good thing. The ones that rely on freebee software(open-source that is out of their control) probably do deserve to crash and loose SERP to start with.

IMO, any company that switches its user base to "Auto anything" is up-to something.

Do you control the code that is executed on your site? Is there a backdoor that you don't know of?

I've been writing code for over 15 years and the only Automated thing that I know that should be done to the CODE is a BACKUP.


 6:28 pm on Oct 29, 2013 (gmt 0)

I dislike the initiative because I do everything it does myself already, save for sending reports about my site to 3rd parties. I'd like it better if there was a clear, dashboard driven, off button for automatic updates, spying etc.

These features might help the majority of site owners, and make the net safer in general as abandoned sites get patched too, but I don't fit into that category of webmaster unfortunately so where's my choice?


 11:14 pm on Oct 29, 2013 (gmt 0)

>> A significant number of the 7 million installs of WordPress are security hazards because they are not kept up to date.

A significant number of installs are security hazards because of problems in WP and its architecture. Would you then want them to auto-update your site with a new round of problems and bugs?


 12:59 pm on Oct 30, 2013 (gmt 0)

>> A significant number of installs are security hazards because of problems in WP and its architecture.

Prove it. [webmasterworld.com...]

travelin cat

 3:24 pm on Oct 30, 2013 (gmt 0)

Interestingly enough version 3.7.1 came out this morning and the one site I updated to 3.7 was not auto updated. Perhaps it takes a while?


 3:28 pm on Oct 30, 2013 (gmt 0)

I'm guessing that's correct. 2 million installs of 3.7 probably takes a while to chug through. I did see one of our sites get auto updated. Pretty neat IMO.


 3:33 am on Oct 31, 2013 (gmt 0)

Two WP installs that I updated to 3.7 have updated to 3.7.1 today according to an email they sent. I read the Nacin article (while looking for a way to disable autoupdate) and while I agree that there seems to be a good number of WP sites I've seen that are not well maintained, I do not want my sites auto updating. One size does not fit all.

I believe there is good reasoning why they have always stressed that you backup your site before running updates and this totally sidesteps the process of backups unless you backup constantly. I'm not using their themes, and they can't possibly guarantee that an update won't ever break anything supplied by others. They do not standardize plugins, and that is another unknown in the process. I know for myself anyway that I will never run to do a backup after receiving a notification that an automatic update has been installed.

Sorry, but I prefer to schedule updates to account for other things that may be happening when they decide to do their auto update. I will be installing the update control plugin to simplify things as soon as I log in to update the two plugins that the notification tells me I must update. Something I would have done before backing up - or updating.

I don't see how having things done automatically for me allows me to vacation without thinking about site maintenance, this just makes it more urgent and possibly at a time and place where I can't do much about a problem.


 5:16 pm on Nov 1, 2013 (gmt 0)

I'm no coding genius but if "backup before updating" is such a widespread concern I suspect the action can be coded to trigger as a last/next step before the backup occurs. Whether this can/will be coded into the process by WordPress.org or by some third-party is beyond my ken.


 2:39 pm on Nov 2, 2013 (gmt 0)

Backing up is always a good idea. I think an automated back up before update could easily be done and likely we'll see it as added feature to one of the several backup plugins already avaiable.

But if you don't mess with the core code, use child themes (as WP strongly encourages) instead of editing the parent theme directly, and stay with approved plugins (those on the WP site) that still have support and updates you aren't likely to run into any trouble. I've built hundreds of WP sites and manage nearly 60 install of WordPress from small sites to large multisite networks today. I've been using WordPress for clients and my own sites for over 7 years and I've never, NEVER, had an upgrade go wrong. Just sayin - the updater is a pretty solid tool.


 3:27 pm on Nov 4, 2013 (gmt 0)

My host backs up every night anyway, and I have access to those files going back more than a year.

But on principle, I don't so much mind them making the auto-update a default as I do them not putting a switch in the admin to turn it off. 90% of the new client WP sites that get passed to me haven't been updated since Queen Victoria died*. It's a minor miracle I don't see more hacks.

* 1901

Global Options:
 top home search open messages active posts  

Home / Forums Index / Code, Content, and Presentation / WordPress
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved