On August 7, 2019 a proposal was made on the WordPress Make Core website to Auto-Update Old Versions to 4.7. This proposal has created a great deal of conversation and controversy.
Background
When WordPress 3.7 was released in October 2013 it included a new feature, Background Updates.
Automatic updates for maintenance and security updates.
This was clearly outlined to mean that version 3.7 would be automatically updated to versions 3.7.1, 3.7.2, etc. (a.k.a. minor releases) as they were released, but not updated to 3.8 (the next major version). This policy, that minor releases would be automatic but major releases would not, was made clear to be in effect moving forward (i.e. 3.8 would auto-update to the latest 3.8.x but not to 3.9, and so on for all future versions). It was also mentioned that at some point in the future WordPress would like to extend this policy to automatically upgrade to the latest version regardless of whether it was a major or minor version (in a similar manner to how the Google Chrome browser is always updating to the latest version).
More Work and More Security
Releases then continued on: version 3.7.1 was released (and automatically updated), then 3.8.0 and 3.8.1. At this point, there were lots of people running 3.7.1 and 3.8.1 (because you could only make the jump to 3.8.x manually, not automatically).
Then on April 8, 2014 a security vulnerability was discovered and fixed in 3.8.2. Unfortunately, this vulnerability also existed in 3.7.1. In order to help secure those people running 3.7.1, the same fix was applied to that code (a.k.a. back-ported) and 3.7.2 was released.
While this back-porting made websites more secure, it created more work.
Since then, 27 more back-ported security releases have been made to 3.7.x. As WordPress continued increasing major versions, this meant more and more previous major versions needed these back-ported security releases (3.8.x, 3.9.x, 4.0.0, …).
At the time of this writing, releasing a security fix today would involve providing back-ported security releases for 11 previous major versions. Clearly, this situation cannot go on indefinitely.
Dropping Support for Older Versions
No longer providing security fixes for older versions is standard behavior when you are releasing software. Officially, WordPress only provides support and security updates for the latest version.
Only the latest major version is officially supported and guaranteed to receive security updates.
In reality, WordPress is currently supporting the most recent 12 major versions.
Even though only a small percentage of websites never upgraded from 3.7.x to 3.8, due to the popularity of WordPress that small percentage is a lot of websites. If a security issue is discovered and not back-ported to 3.7.x, all of those sites would be vulnerable. When a website is compromised, it is typically used in ways that negatively impact other websites. All of those 3.7.x websites being compromised could have a negative impact on lots of other websites and lots of people, not just the owners.
One Step at a Time
By automatically updating those WordPress 3.7.x websites to the latest 3.8.x version, the support burden of back-porting fixes to 3.7.x could be removed. The general proposed plan is to make every reasonable attempt to notify site owners (e.g. emails and notifications in the dashboard of their website) and then automatically update 3.7.x websites to the latest 3.8.x version (* unless the site owner has explicitly opted out).
* When automatic updates were introduced in 3.7, mechanisms were added to allow opting out of WordPress automatic updates.
Website Autonomy
I’ve seen lots of objections that people who accepted the automatic updates of minor versions by installing WordPress 3.7 did not accept automatic updates to major versions, and that turning major version automatic updates on by default is wrong. A counter-argument to this is that these people can now opt out of automatic updates and that most of the 3.7.x sites out there are abandoned.
The Greater Good
Dropping support for 3.7.x and leaving these websites out there will ultimately have a huge negative impact on site owners, other websites, and the WordPress project and its reputation; therefore, for “the greater good”, it is in everyone’s best interest that these sites are upgraded. Whenever I hear the phrase “the greater good”, I’m reminded of the phenomenal movie Hot Fuzz and this scene. This video contains spoilers, so if you haven’t seen the movie, I recommend you go watch it right now and then come back and watch this video clip 😀.
Clearly, I’m not a big fan of changing the default behavior that was explicitly defined for existing websites. As much as I’d like to see these 3.7.x websites upgraded, I don’t think pushing an automatic update of a major version is the right answer.
My Preferred Solution
Based on the conversation I’ve seen, public outreach is clearly going to be a big part of any move forward and rightly so.
In addition, I would like to see upgrading to the minimum supported version be opt-in. It would be great to see the behavior be easily modifiable programmatically (e.g. with a constant like AUTOMATIC_MINIMUM_SUPPORTED_VERSION or a WordPress filter). This value could be set by default for all new installations, setting this as a policy moving forward. Additionally, it may be in the interest of individual web hosting companies to set this value for their clients, in order to reduce their own support burden.
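As an added illustration (not code from the post or from WordPress core) of how the opt-in described above could be expressed with the opt-out mechanisms that already exist since 3.7, here is a hypothetical must-use plugin. The constant AUTOMATIC_MINIMUM_SUPPORTED_VERSION is the one the post proposes and is assumed to be defined by the site owner or host in wp-config.php; the filters and constants named in the comments are real WordPress core mechanisms.

```php
<?php
/**
 * Hypothetical mu-plugin (drop into wp-content/mu-plugins/) written for this
 * post. It is not WordPress core code and AUTOMATIC_MINIMUM_SUPPORTED_VERSION
 * is not a constant core defines; it is the opt-in switch the post proposes.
 *
 * Existing core opt-out mechanisms from 3.7, set in wp-config.php:
 *   define( 'AUTOMATIC_UPDATER_DISABLED', true ); // no background updates at all
 *   define( 'WP_AUTO_UPDATE_CORE', false );       // no core auto-updates
 *   define( 'WP_AUTO_UPDATE_CORE', 'minor' );     // minor releases only (the 3.7 default)
 *   define( 'WP_AUTO_UPDATE_CORE', true );        // minor and major releases
 *
 * Opt-in for this example, e.g. set by a host for its clients:
 *   define( 'AUTOMATIC_MINIMUM_SUPPORTED_VERSION', '3.8' );
 */

/**
 * Core runs the 'allow_major_auto_core_updates' filter with its default
 * decision (false unless WP_AUTO_UPDATE_CORE is true). Return true only when
 * the owner has opted in AND the running version is below the stated floor,
 * so a 3.7.x site may take a major update while a 3.8.x site keeps the default.
 *
 * @param bool $upgrade_major Core's default decision for major updates.
 * @return bool
 */
function example_allow_major_update_below_minimum( $upgrade_major ) {
	if ( ! defined( 'AUTOMATIC_MINIMUM_SUPPORTED_VERSION' ) ) {
		return $upgrade_major; // Not opted in: leave core's behavior untouched.
	}

	$current = get_bloginfo( 'version' ); // e.g. "3.7.31"

	if ( version_compare( $current, AUTOMATIC_MINIMUM_SUPPORTED_VERSION, '<' ) ) {
		return true;
	}

	return $upgrade_major;
}
add_filter( 'allow_major_auto_core_updates', 'example_allow_major_update_below_minimum' );

/**
 * Dashboard notice so the owner sees the opt-in is active, matching the
 * post's point that outreach has to accompany any automatic major update.
 */
function example_minimum_version_notice() {
	if ( ! defined( 'AUTOMATIC_MINIMUM_SUPPORTED_VERSION' ) || ! current_user_can( 'update_core' ) ) {
		return;
	}
	if ( version_compare( get_bloginfo( 'version' ), AUTOMATIC_MINIMUM_SUPPORTED_VERSION, '<' ) ) {
		echo '<div class="notice notice-warning"><p>This site is below the minimum supported WordPress version ('
			. esc_html( AUTOMATIC_MINIMUM_SUPPORTED_VERSION ) . ') and has opted in to a one-time major auto-update.</p></div>';
	}
}
add_action( 'admin_notices', 'example_minimum_version_notice' );
```

The filter only decides whether an offered major update is accepted; which version is offered still comes from the WordPress.org update API, so this expresses the opt-in policy rather than by itself choosing the 3.8.x target.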
There will still be lots of 3.7.x sites that get compromised after they are no longer supported, and while that is unfortunate I see it as the best way forward.
Image Credit
Daryl Sawatzky on flickr