Much to the surprise of many, a WordPress security update was released today. With WP 3.9 coming out within weeks, few of us were expecting a patch release for 3.8; however, the discovery of a nasty vulnerability called Heartbleed made it necessary to release this patch sooner rather than later.
Many of you, myself included, received notifications that WordPress had automatically updated itself to 3.8.2. This was a bit of a shock to me since the sites I monitor have a plugin called Update Control installed and the setting to disallow automatic updates is set. It’s obvious that the plugin doesn’t do what it’s supposed to do!
I still need to investigate why the plugin apparently failed to do its job. There are at least two possibilities that come to mind: the plugin simply doesn’t work (although it’s worked in the past) or the WordPress development team overrode the do-not-update directive due to the severity of the security flaw. Neither makes me very happy, but at this point, both are speculation on my part.
WordPress Update Policies
The default setting in WordPress allows so-called minor updates to happen automatically. This means that when a patch is released, in this case 3.8.1 to 3.8.2, WP will update itself unless told not to, at least in theory. Major updates, i.e. 3.8 to 3.9, can be allowed but are not by default. This is a good thing, in my opinion, because there is a much greater risk with a major update.
Without detailing them, suffice it to say that if one wants to turn off the automatic updates, WP provides ample ways to do so. This is typically an entry in the wp-config.php file, which means editing the file and inserting some code that tells WP not to update automatically.
Needless to say, this is not user-friendly, so several plugins have appeared that are supposed to make this easy for the average user. The one I’ve been installing and using, Update Control, is one such plugin and is very highly rated on the WordPress plugin repository. I’m sure you can imagine my disappointment that it’s apparently not living up to its nearly 5-star rating.
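For readers who would rather pin the update policy themselves than trust a plugin, here is an added example of what that wp-config.php entry and its plugin-style equivalent look like. This is not code from the post or from the Update Control plugin. The constants WP_AUTO_UPDATE_CORE and AUTOMATIC_UPDATER_DISABLED and the filters allow_minor_auto_core_updates, allow_major_auto_core_updates and auto_update_core are WordPress core's own (present since 3.7); the file name, the function name cup_core_update_policy and the log line format are assumptions made for this example.

```php
<?php
/*
 * Plugin Name: Core Update Policy (added example)
 * Description: Makes the core auto-update decision explicit and logs it.
 *
 * Save as wp-content/mu-plugins/core-update-policy.php (file name assumed).
 * Must-use plugins load before ordinary plugins and cannot be deactivated
 * from the dashboard, so the policy cannot be switched off by accident.
 *
 * The same decision can be pinned with no plugin at all by editing wp-config.php:
 *   define( 'WP_AUTO_UPDATE_CORE', 'minor' );     // patch releases only (the default)
 *   define( 'WP_AUTO_UPDATE_CORE', true );        // patch and major releases
 *   define( 'WP_AUTO_UPDATE_CORE', false );       // never update core automatically
 *   define( 'AUTOMATIC_UPDATER_DISABLED', true ); // disable the updater entirely
 * add_filter() is not yet available when wp-config.php runs, hence the mu-plugin.
 */

// Patch releases (3.8.1 -> 3.8.2) may install themselves; this is the WordPress default.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );

// Major releases (3.8 -> 3.9) stay manual; also the default, stated here explicitly.
add_filter( 'allow_major_auto_core_updates', '__return_false' );

/**
 * Final gate for every core offer WordPress considers applying on its own.
 * Accepts only offers on the installed release branch (same major.minor)
 * and writes the decision to the PHP error log, so an unexpected update
 * can later be traced to "we allowed it" rather than guessed at.
 *
 * @param bool   $update Decision WordPress reached before this filter ran.
 * @param object $item   Update offer; $item->current is the offered version.
 * @return bool
 */
function cup_core_update_policy( $update, $item ) {
    global $wp_version; // set by wp-includes/version.php, loaded before mu-plugins

    $offered          = isset( $item->current ) ? (string) $item->current : '';
    $installed_branch = implode( '.', array_slice( explode( '.', $wp_version ), 0, 2 ) );
    $offered_branch   = implode( '.', array_slice( explode( '.', $offered ), 0, 2 ) );

    // Only tighten the earlier decision, never re-enable an update the
    // constants or the allow_* filters already refused.
    $allow = $update && '' !== $offered && $installed_branch === $offered_branch;

    error_log( sprintf(
        '[core-update-policy] installed %s, offered %s: %s',
        $wp_version,
        '' === $offered ? '(unknown)' : $offered,
        $allow ? 'allow' : 'deny'
    ) );

    return $allow;
}
add_filter( 'auto_update_core', 'cup_core_update_policy', 10, 2 );
```

The auto_update_core filter runs after WordPress has already consulted WP_AUTO_UPDATE_CORE and the allow_* filters, and it can override them in either direction; the `$update &&` term keeps this function a one-way brake. The log line is the part worth keeping: when a site reports that it updated itself, the error log shows whether this policy said "allow" at the time, which is exactly the evidence the post above is missing.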
Check Your Sites
If you’ve received a notice that your site was updated, please check it and make sure that the WP version is 3.8.2 and that everything on the site is working properly. As I said, there should be minimal risk with this patch update. I’m much more concerned with the failure of the plugin to prevent the automatic updates.
If you are maintaining your own site, please update to WP 3.8.2 immediately. The Heartbleed flaw is serious and potentially very damaging. We want to close this off as soon and as completely as possible.