Sophos Cloud Optix
Automattic have announced the release of WordPress 3.7 “Basie” so if you have a website that runs on WordPress it’s time to upgrade.
We don’t always trumpet software releases on Naked Security but I think WordPress 3.7 is very important.
It’s not important because it fixes any particularly devilish vulnerabilities but because, for the first time, it will automatically update itself with the latest maintenance and security releases – something that could change the security of the whole WordPress ecosystem.
The signature feature of this latest version of the hugely popular blogging platform is automatic background security updates.
Next time WordPress.org issues an urgent security point release – such as the recent version 3.6.1 which came with the exhortation to update your sites immediately – it will be deployed automatically to site owners using 3.7 or above.
We’ve all become quite used to the idea of the software on our desktops, tablets, laptops and smartphones silently patching itself in the background and it’s good to see popular web software catching up – it’s long overdue.
What makes background updates for WordPress such a significant step is the software’s sheer popularity. Nobody is quite sure how many of the world’s websites are running on WordPress but the consensus seems to be that it’s about 15 – 20%.
Needless to say that’s a very, very, very large number of websites – so large that criminals looking to build botnets are prepared to invest in large-scale automated attacks that scan for and target known WordPress vulnerabilities.
The best defence against such attacks and the first rule of WordPress security is always run the latest version of WordPress.
As Andrew Nacin put it on the Make WordPress Core blog:
If you don't keep your site up to date, you are making the web a less safe place for you and everyone who visits your website.
The trouble is that it seems a lot of people don’t bother. Some researchers believe that as many as 73% of the WordPress sites out there are vulnerable to attack purely because they aren’t running the latest version.
So automatic updates for WordPress could do more than simply ensure fewer websites are vulnerable to attacks, it could ultimately provide a kind of ‘herd immunity’ that will make the entire population a less attractive target.
The automatic updater also supports themes and plugins – the software skins and add-ons that allow users to customise their WordPress websites. Some plugins are so widely used that they are popular enough to be targetted in their own right.
Although auto update support for themes and plugins is on an opt-in basis for now I fully expect that to change in future, and to quote Nacin one more time, “That’s a huge win for a safer web”.
The software is available to download from WordPress.org. If you want to know more about what’s in 3.7 take a look at the release announcement on the WordPress blog. There is also a very long and detailed post about disabling automatic updates on the Make WordPress Core blog.
If you’d like to know a more about WordPress security then take a minute or two to read our article on How to avoid being one of the “73%” of WordPress sites vulnerable to attack.
The 'Auto Update' could make for some very fussy bloggers if a plugin, or perhaps a theme, turns out to be for some reason non-compatible with theses auto WordPress updates.
For those that don't require (or just don't like the auto-update feature) this line in the wp-config.php file should take care of it.
define( 'AUTOMATIC_UPDATER_DISABLED', true );
I think it's a great way forward ! 😀
Not sure if it may work on paid theme's . What if the theme breaks after an auto-update ?
I'd rather have the focus on security than to have visually appealing exploits served up. Hopefully the WP community will rally behind this effort and start focusing on issues like you've highlighted to make sure both sides are served.
By default the auto update won't update the theme itself, only the WordPress core. There is a chance that a WordPress core update will change something that a theme relies upon, however…
a) The auto updater is for maintenance and security releases and they tend to be very narrowly focused on fixing specific security holes – the chances of breaking a theme or plugin with one of these updates are very slim.
b) If it does break something it's likely to be a small something that is easily patched by the theme vendor.
c) The upside is that you are much less vulnerable to having your site hacked or your server into a zombie.
My concern is that this functionality opens up a new set of problems. In order to automatically update itself, the web server process requires R/W access to the entire WordPress directory. Does that mean that it's then even more important for the underlying host and web server to be patched? And does that increase the scope of a breach? For some folks patching those may be out of their hands in a shared hosting environment. That being said, each small step forward is a step in the right direction.
Personally, I don't mind auto-updates. I just want an active log of what changes and the possibility to reverse it easily if needed.
Automatically updating sites does not account for all those sites that are "customized" heavily. For example, many users created nice themes or altered the theme they are using only to have a theme make an update and clear all their changes.
Sure you might say use a child theme, but many people have not done that yet. This could easily happen for other issue. Perhaps some users, such as programmers or developers, who are using their own custom code or htaccess directives get those changes overwritten by an auto-update.
Disabling the auto-option to me really ends the overall benefit to having "automatic updates at all".
What I think WordPress is trying to do is to make sure more people actually role out updates. Sure, I agree that the process should be more conducing so that less blogs are sitting around the web using WordPress 2.1, but in the end, Blog security is more then just having the latest wordpress version. There is and can be so much more to it that users need to know that just having the most recent version is not always going to be enough
In short, autho updates or not, people need to maintain their own blogs. They need to take an active role in it's management and to make blogging security a concern instead of just installing and posting without a care for the true nature of what can happen.