Back in February the WordPress development team launched the 4.9.3 core update that broke the automatic update capability. With the new 4.9.5 maintenance release coming on April 3, we decided to help ManageWP users running 4.9.3 websites.
We will be updating all websites managed by ManageWP that are on core version 4.9.3. Here’s why.
Why would you update my websites?
We know there will be security fixes coming soon. When that happens, anyone who auto-updated to 4.9.3 and got stuck will not receive them automatically, as they expected. Right now it means nothing to a user that they’re on 4.9.3 rather than 4.9.4, since the two versions are basically identical. But once 4.9.5 fixes vulnerabilities and exploits for them are in the wild, every site still on 4.9.3 is exposed, and things change.
So here’s the question: you entrusted us to maintain your websites and keep your data safe and confidential. Does that give us the right to update a website on your behalf, knowing that we are doing this to make it more secure?
To answer this question, we reached out to 20 users with 4.9.3 websites, asking them why they hadn’t updated. Their response was that they either weren’t aware of the update, or that they were relying on the (broken) auto update capability.
We also looked at what other teams in the WordPress community were doing. Managed hosts updated their clients’ websites within hours of the release. Other hosts and plugin developers (e.g. VaultPress, Yoast) have either forced the update or urged the users to do it themselves.
That’s why we decided to wait as long as possible for you to do it on your own, and only auto update a week before 4.9.5.
Can this update break my website?
Aaron Campbell, the WordPress Security Team Lead, walked us through the update.
The 4.9.3 -> 4.9.4 update changes three files, and only one of them has even a remote chance of being customized:
- wp-admin/about.php – This file is just the about page and holds the list of changes made to the version. No reason for anyone to customize this one.
- wp-includes/version.php – This file holds five version numbers: WordPress, DB, TinyMCE, required PHP, and required MySQL. No reason for anyone to customize this one.
- wp-includes/update.php – This holds the version checks, etc., used when updating core. This is the file that was broken and is in need of updating. There are already plenty of actions and filters for extending this (and all plugins that update from somewhere other than WordPress.org do), so the only time I’ve ever seen this file customized is when a site is hacked and the hack script modifies it to prevent updates without needing another file to do so. Most more modern scripts that I’ve seen use the actions/filters and modify a plugin or theme file instead since it’s less noticeable (usually modifying a theme file and then preventing theme updates… they actually tend to leave core updates on. I assume it’s to prevent someone else from hacking the site and taking it from them).
The update does not come near any of the important files that you may have customized. This means that the failure rate is virtually zero.
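As an added example (not ManageWP’s or WordPress’s own code), the following Python script flags installs stuck on 4.9.3 and verifies the three files the update touches against reference MD5 checksums, in the path-to-MD5 format the WordPress.org checksum API returns (the same data `wp core verify-checksums` uses). The file contents and checksums below are constructed samples, including a deliberately tampered update.php.

```python
import hashlib
import re
from pathlib import Path
from typing import Dict, Optional

# The three core files touched by the 4.9.3 -> 4.9.4 update, per the walkthrough above.
UPDATE_TOUCHED_FILES = ("wp-admin/about.php", "wp-includes/version.php", "wp-includes/update.php")


def parse_wp_version(version_php: str) -> Optional[str]:
    """Extract $wp_version from the contents of wp-includes/version.php."""
    m = re.search(r"""\$wp_version\s*=\s*["']([^"']+)["']\s*;""", version_php)
    return m.group(1) if m else None


def is_stuck_on_broken_release(version: str) -> bool:
    """4.9.3 is the release whose auto-updater cannot update itself."""
    return version == "4.9.3"


def verify_core_files(contents: Dict[str, bytes], checksums: Dict[str, str]) -> Dict[str, str]:
    """Compare each file's MD5 with its reference checksum: 'ok', 'modified' or 'missing'.
    'modified' on wp-includes/update.php deserves a closer look, since that is the file
    a compromise script edits to block updates."""
    report = {}
    for path in UPDATE_TOUCHED_FILES:
        if path not in contents:
            report[path] = "missing"
            continue
        digest = hashlib.md5(contents[path]).hexdigest()
        report[path] = "ok" if digest == checksums.get(path) else "modified"
    return report


def load_site(root: str) -> Dict[str, bytes]:
    """Read the three files from an on-disk WordPress install (for real use)."""
    base = Path(root)
    return {p: (base / p).read_bytes() for p in UPDATE_TOUCHED_FILES if (base / p).is_file()}


# Constructed sample: a site still on 4.9.3 whose update.php has been tampered with.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.9.3';\n"
PRISTINE_UPDATE_PHP = b"<?php // update checks\n"
SAMPLE_SITE = {
    "wp-admin/about.php": b"<?php // about page\n",
    "wp-includes/version.php": SAMPLE_VERSION_PHP.encode(),
    "wp-includes/update.php": PRISTINE_UPDATE_PHP + b"// extra line injected by a tampering script\n",
}
# Reference checksums constructed from the pristine sample files (real ones come from WordPress.org).
REFERENCE_CHECKSUMS = {
    "wp-admin/about.php": hashlib.md5(b"<?php // about page\n").hexdigest(),
    "wp-includes/version.php": hashlib.md5(SAMPLE_VERSION_PHP.encode()).hexdigest(),
    "wp-includes/update.php": hashlib.md5(PRISTINE_UPDATE_PHP).hexdigest(),
}

if __name__ == "__main__":
    v = parse_wp_version(SAMPLE_VERSION_PHP)
    print(f"version {v}, stuck on broken release: {is_stuck_on_broken_release(v)}")
    print(verify_core_files(SAMPLE_SITE, REFERENCE_CHECKSUMS))
```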
When will you update my websites?
We have 23k websites to update. The updates will start on Wednesday, March 28, at 07:00 UTC and last for a couple of hours. This means that most European and North American websites will be updated during low-traffic hours. Each individual update should complete in seconds, so it should not affect your visitors’ experience.
On the off chance that you have an issue, our Customer Happiness team is ready to help. And if you have any additional questions, I’d be happy to answer them in the comments.