The automatic background updates feature might be the most important feature of all in 3.7. Hopefully this goes a long way to plug some of the rampant security issues that plague the CMS because of failure to update to a later version. The new date querying features are also a welcome addition as it has been notoriously hacky in prior versions querying advanced date values in Wordpress and finally we search has been given a little love and is no longer so horrible that it requires a third party plugin to fill the void. Best version of Wordpress to date by far, wonder how they can top this list in 3.8.
Ugh. I'm extremely skeptical of auto-updates. My servers don't auto-update, my workstation doesn't auto-update..nothing I own, auto-updates if it's capable of it.
Can anyone tell me if it can be turned off? All I'm seeing is this:
For developers there are lots of options around how to control the new updates feature, including allowing it to handle major upgrades as well as minor ones, more sophisticated date query support, and multisite improvements.
I've been burned one too many times. I see a MASSIVE WP failure in the near future where an update gets pushed out and takes millions of Wordpress sites offline...
It's happened with Bitdefender. It's happened with AVG. It's happened with Windows 8.1 RT.
As long as there's a switch to turn it off, you'll be just fine. Meanwhile millions of poorly monitored sites will be less vulnerable to attack at the cost of what I suspect will be relatively infrequent update snafus. All security is a tradeoff and this is a good one.
There's a constant so that you can turn it off. In the linked article, the first paragraph in the section about auto-updates links to the wordpress wiki page about it, the constant is basically point 1a on that page.
@nacin responded to me on Twitter saying the auto-updates are automatically disabled if WP detects that it's being run from within some source control repositories. I asked if it's smart enough to know if it lives deeper within a repository and haven't yet received an answer.
There are filters to turn off auto-updates easily. Also keep in mind it's currently for minor updates only, which basically never break a site. And in beta and RC testing, there were no hard failures, only some instances where the update stopped because it detected a potential issue. It's a pretty clean setup, and overall really good for the security of millions of websites.
By default it only updates minor releases, which are only used to fix security issues and regressions. So it's only automating the the safest updates, and I think the good it will do by keeping sites secure outweighs the risk.
Yes, we've (http://wpengine.com) decided to disable the auto-updates as we want to perform our client account-specific tests before upgrading future versions BUT I welcome the addition of auto-updates given that the majority of WordPress installs do not live at Managed WordPress Hosts.
Likewise for the Genesis/WordPress project. It's great and will probably be enabled for local development, but changes to plugins, themes, and the core will need deployment. Besides, updating WP within the GUI seems to skip/ignore certain files compared to downloading the latest release and merging.
Auto-update? It shouldn't be able to auto-update. It shouldn't have write-privileges to the folders running code!
Granted, I generally don't do php, and cerainly not wordpress -- but with all these php projects having a run-once-magically-write-a-config-php-thingy -- they also generally throw a warning if that config is writable after initial setup.
Do the chgrp-dance when installing/upgrading: chgrp www-data -R php-dir;chmod g+rwX -R php-dir;#set up via web installer;chmod g-w -R php-dir;chgrp not-the-web-server -R php-dir; #fix permissions on any upload-folders
This is effective but unfortunately there is already malware that plants itself inside the database. If you are able to execute code remotely you can also almost always write to /tmp
Yes, but code being written to data areas (or rather, written/stored in such a way that it can/will be executed later) generally is a bug. Allowing a server to overwrite itself is just a bad idea (hence the NX bit for memory).
To me Wordpress is one of the most important things to happen to the internet, Not Facebook, not Twitter. Wordpress has democratized creating a site and helped millions of people create an online business, community, blog, helping bring in massive amounts of revenue for small business owners.
I've got 4 sites running wordpress: my portfolio, my online store, a design database for items under $50, and a magazine cutout marketplace. (See my profile for links) Those last two I mentioned took less than a week to tweak and hack together thanks to the speed and ease of setting up wordpress sites.
It's sad that Matt Mullenweg never got the same recognition that Jack Dorsey or Mark Zuckerberg got. He definitely deserves it. We've got to stop only celebrating and worshiping people who make money. I think Matt empowered people just as much if not more.
I admire Matt a lot. I think Matt would be the first to point out that WordPress is the culmination of a community, from the hundreds and hundreds of contributing developers over the years to the beginner users and everyone in between. I'll bet he has zero fucks to give about how much recognition he personally gets and rightfully so. Or, he might point out that Mike Little co-founded WP.
Besides, the recognition the Dorsey's, Zuckerbergs and even the Jobs of the world get tend to be overstated in comparison to the actual confluence of factors going into their companies successes. By idolizing individuals reality is distorted.
I for one am very excited about all of the new functions and classes available. http://codex.wordpress.org/Version_3.7 - things like wp_extract_urls() and a WP_Http_Streams class look really exciting.
Not so excited about auto updates, but every site I build is in some kind of version control anyway.
I agree on that! I also like the new look of WordPress but the auto update option is not effective for all sites. Specially for developers who don't want to get clear the coding mess after every update.
28 comments
[ 3.3 ms ] story [ 68.2 ms ] threadCan anyone tell me if it can be turned off? All I'm seeing is this:
For developers there are lots of options around how to control the new updates feature, including allowing it to handle major upgrades as well as minor ones, more sophisticated date query support, and multisite improvements.
I've been burned one too many times. I see a MASSIVE WP failure in the near future where an update gets pushed out and takes millions of Wordpress sites offline...
It's happened with Bitdefender. It's happened with AVG. It's happened with Windows 8.1 RT.
> The simplest way to disable it is to add define( 'AUTOMATIC_UPDATER_DISABLED', true ); to your wp-config.php file
Granted, I generally don't do php, and cerainly not wordpress -- but with all these php projects having a run-once-magically-write-a-config-php-thingy -- they also generally throw a warning if that config is writable after initial setup.
Do the chgrp-dance when installing/upgrading: chgrp www-data -R php-dir;chmod g+rwX -R php-dir;#set up via web installer;chmod g-w -R php-dir;chgrp not-the-web-server -R php-dir; #fix permissions on any upload-folders
This is not a security concern with client apps like browsers because they don't run on a publicly listening server. Wordpress does.
I've got 4 sites running wordpress: my portfolio, my online store, a design database for items under $50, and a magazine cutout marketplace. (See my profile for links) Those last two I mentioned took less than a week to tweak and hack together thanks to the speed and ease of setting up wordpress sites.
It's sad that Matt Mullenweg never got the same recognition that Jack Dorsey or Mark Zuckerberg got. He definitely deserves it. We've got to stop only celebrating and worshiping people who make money. I think Matt empowered people just as much if not more.
http://finance.fortune.cnn.com/2013/05/24/automattic-nears-t...
Besides, the recognition the Dorsey's, Zuckerbergs and even the Jobs of the world get tend to be overstated in comparison to the actual confluence of factors going into their companies successes. By idolizing individuals reality is distorted.
Great, now my plugins and themes can break automatically!
Not so excited about auto updates, but every site I build is in some kind of version control anyway.