Much to the surprise of many, a WordPress security update was released today. With WP 3.9 coming out within weeks, few of us were expecting a patch release for 3.8, however, the discovery of a nasty vulnerability called Heartbleed made it necessary to release this patch sooner rather than later.
Automatic Updates
Many of you, myself included, received notifications that WordPress had automatically updated itself to 3.8.2. This was a bit of a shock to me since the sites I monitor have a plugin called Update Control installed and the setting to disallow automatic updates is set. It’s obvious that the plugin doesn’t do what it’s supposed to do!
I still need to investigate why the plugin apparently failed to do its job. There are at least two possibilities that come to mind: the plugin simply doesn’t work (although it’s worked in the past) or the WordPress development team overrode the do-not-update directive due to the severity of the security flaw. Neither makes me very happy, but at this point, both are speculation on my part.
WordPress Update Policies
The default setting in WordPress allows for so-called minor updates to happen automatically. This means when there’s a patch released, in this case 3.8.1 to 3.8.2, WP will update itself unless told not to, at least in theory. Major updates, i.e. 3.8 to 3.9 can be allowed, but are not by default. This is a good thing, in my opinion, because there is a much greater risk with a major update.
Without detailing them, suffice to say that if one wants to turn off the automatic updates, WP provides ample ways to do so. This is typically an entry in the wp-config.php file which means editing the file and inserting some code that tells WP not to update automatically.
Needless to say this is not user friendly so several plugins have appeared that are supposed to make this easy for the average user. The one I’ve been installing and using, Update Control, is one such plugin and is very highly rated on the WordPress plugin repository. I’m sure you can imagine my disappointment that it’s apparently not living up to the nearly 5-star rating.
Check Your Sites
If you’ve received a notice that your site was updated, please check it and make sure that the WP version is 3.8.2 and that everything on the site is working properly. As I said, there should be minimal risk with this patch update. I’m much more concerned with the failure of the plugin to prevent the automatic updates.
If you are maintaining your own site, please update to WP 3.8.2 immediately. The Heartbleed flaw is serious and potentially very damaging. We want to close this off as soon and as completely as possible.
Protected by WebARX
Roland says
April 9, 2014 at 8:47 amThanks for the information. I’m glad that you’re part of my team!
Roland
John says
April 11, 2014 at 12:25 pmMy pleasure, Roland!
Chris Haines says
April 15, 2014 at 8:20 amHi
Very interested to hear you as we also have Update Control. However not working for 3.8.2 and today neither for 3.8.3. Are GitHub (or whoever) working on this? Or do you know a better simple Plugin (w/o code changes please)/Chris
John says
April 15, 2014 at 10:53 pmHi, Chris, an update has just been released for Update Control. I’m hoping that will fix the plugin so that it does what it’s intended to do. I guess we’ll find out with the next patch release! I’m seriously considering putting the appropriate codes into wp-config.php and eliminating Update Control, but I understand that approach is not suitable for all WP users.