28.01.2021

WordPress Response to Rogue Plugin Updates

WordPress.org issued a statement to plugin developers to respect user decisions on automatic updates. The reminder comes after the publishers of the All in One SEO Plugin turned on automatic updates without asking for permission.

The statement warned that plugins which violate users' express wishes with regard to automatic updates will continue to be flagged by WordPress.org.

WordPress Automatic Updates

Automatic updates are a feature of the WordPress content management system (CMS) that lets a site owner choose, plugin by plugin, whether that plugin is allowed to update itself.

The feature was made easily accessible with the release of WordPress version 5.5.

The same feature lets publishers opt out of automatic updates entirely.

Automatic updates for plugins had been a hidden feature for years. Publishers who wanted to enable them had to do so in code, through a filter hook in a configuration or plugin file, rather than through a setting in the dashboard.

Auto-updates make it easier for publishers to keep the latest version of each plugin. That matters because many updates contain vulnerability fixes, and a plugin left unpatched can give an attacker a way to take over the site.

The downside of auto-updates is that a bad update can cause unexpected conflicts with other plugins or themes, and it is applied without anyone watching the site at that moment.

This is why many publishers prefer to update their plugins in a controlled manner, so that they become immediately aware of any problems.
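The control points described above, as an added example (not code from WordPress.org or from the All in One SEO plugin): the site-owner side shows the wp-config.php kill switch and the code-level opt-in that predates the WordPress 5.5 settings screen; the plugin side shows a plugin that forces its own auto-updates beside one that only adds an opt-in on top of core's decision. The plugin name `example-seo`, its option key `example_seo_auto_update`, and the function names are hypothetical. The hooks and functions used (`auto_update_plugin`, `wp_is_auto_update_enabled_for_type()`, `AUTOMATIC_UPDATER_DISABLED`, `plugin_basename()`) are real WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Example SEO (added example, hypothetical plugin)
 *
 * Illustrates the WordPress auto-update controls and the difference between
 * a plugin that overrides the site owner's choice and one that honors it.
 * Not code from WordPress.org or from the All in One SEO plugin.
 */

// --- Site-owner side -----------------------------------------------------

// Hard global switch. Belongs in wp-config.php; it disables every kind of
// background update and is the setting the WordPress.org statement expects
// plugins to respect. Commented out so this file loads without side effects.
// define( 'AUTOMATIC_UPDATER_DISABLED', true );

// Pre-5.5 opt-in: before the Plugins screen offered "Enable auto-updates",
// owners enabled updates for all plugins with this one filter, usually in a
// must-use plugin or the theme's functions.php.
// add_filter( 'auto_update_plugin', '__return_true' );

// --- Plugin side ---------------------------------------------------------

define( 'EXAMPLE_SEO_BASENAME', plugin_basename( __FILE__ ) );

/**
 * BAD: unconditionally turns auto-updates on for this plugin.
 *
 * The $update value core passes in already reflects the owner's per-plugin
 * choice from the Plugins screen; discarding it is the over-reach the
 * WordPress.org statement describes. Defined here for comparison, never hooked.
 */
function example_seo_force_auto_update( $update, $item ) {
    if ( isset( $item->plugin ) && EXAMPLE_SEO_BASENAME === $item->plugin ) {
        return true;
    }
    return $update;
}

/**
 * GOOD: the plugin may offer its own opt-in toggle, but it only ever adds an
 * opt-in on top of core's decision, and only when core's global switches
 * (AUTOMATIC_UPDATER_DISABLED, DISALLOW_FILE_MODS, the
 * 'automatic_updater_disabled' filter) allow plugin updates at all.
 */
function example_seo_honor_core_auto_update( $update, $item ) {
    if ( ! isset( $item->plugin ) || EXAMPLE_SEO_BASENAME !== $item->plugin ) {
        return $update; // Not this plugin: never touch other plugins' settings.
    }
    if ( $update ) {
        return true;    // Owner already opted in through the Plugins screen.
    }
    if ( ! wp_is_auto_update_enabled_for_type( 'plugin' ) ) {
        return false;   // Owner disabled background updates site-wide.
    }
    // Only the plugin's own, explicitly enabled setting (default off) can add
    // an opt-in. 'example_seo_auto_update' is a hypothetical option key.
    return (bool) get_option( 'example_seo_auto_update', false );
}

// Register only the well-behaved version.
add_filter( 'auto_update_plugin', 'example_seo_honor_core_auto_update', 10, 2 );
```

The check that matters is the order of the tests in the good version: the global switch is consulted before the plugin's own option, so a plugin-level toggle can never re-enable updates on a site whose owner has turned them off. A plugin that does not need its own toggle should simply not hook `auto_update_plugin` at all and let core's per-plugin setting stand.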

All in One SEO Auto Updates

Back in late November 2020, the publishers of the All in One SEO plugin released version 4 and, at some point, unilaterally turned on automatic updates for their plugin without asking for user permission.

This happened even on sites whose owners insisted they had never turned on automatic updates.

WordPress Issues Warning on Auto Updates

While All in One SEO may not be the only plugin to have turned on automatic updates, it is probably the most popular plugin to have done so since WordPress 5.5 was released.

WordPress issued a formal statement reminding the plugin software development community that they must not turn on auto updates without express permission from users.

According to WordPress:

“You may offer a feature to auto-update, but it has to honor the core settings. This means if someone has set their site to “Never update any of my plugins or themes” you are not to change those for them unless they opt-in and request it.

The reason for this is that plugins should not over-reach their authority.”

The announcement also stated that automatic updates can cause unexpected outcomes on publisher websites and can affect the trust that publishers have with the plugin developers and with WordPress itself.

In what appears to be a nod to the recent All in One SEO Plugin issue, the WordPress statement called it sad.

“Sadly, this happened recently to a well used plugin, and the fallout has been pretty bad.”

The statement went on to note that there are no plans to make a formal guideline about this issue but that WordPress will continue to “flag” plugins that violate user trust and wishes with regard to automatic updates for plugins.