[wp-trac] [WordPress Trac] #50778: 5.5 auto updates should not be enabled by default for external plugins
WordPress Trac
noreply at wordpress.org
Mon Jul 27 00:42:43 UTC 2020
#50778: 5.5 auto updates should not be enabled by default for external plugins
--------------------------+-----------------------------
Reporter: dennis_f | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
Auto updates can be a security issue when enabled for external plugins by
default.

I myself had a major problem with this feature and my plugin that is not
hosted on WordPress.org. At this point, the plugin hooks into the updates
API, so you can update the plugin manually from the dashboard. With the
automatic updates, however, I had mixed results - sometimes they worked,
sometimes they didn't.

The worst part is that a few times the plugin's update notification
disappeared completely after the failed automatic update attempt.

Of course I'm going to release an update to somehow handle this situation,
but I am very worried that many people will not install this update before
enabling automatic updates. And when their update notification disappears
after a failed update, they will not know that they are running an
outdated version.

I imagine that my case won't be the only one. Additionally, as
@stephencronin raised his concern
[https://make.wordpress.org/core/2020/07/15/controlling-plugin-and-theme-auto-updates-ui-in-wordpress-5-5/#comment-38986 here],
this can also lead to a false sense of security for plugins that don't
support dashboard updates. People will think that their plugins are up to
date when they are not.

Automatic updates should only be enabled for wordpress.org plugins and
those plugins that support it implicitly. Otherwise this could lead to
people using outdated and vulnerable versions of plugins without being
aware of it.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50778>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform