
WordPress Team Working on Daring Plan To Forcibly Update Old Websites (zdnet.com) 112

The developers behind the WordPress open-source content management system (CMS) are working on a plan to forcibly auto-update older versions of the CMS to more recent releases. From a report: The goal of this plan is to improve the security of the WordPress ecosystem, and the internet as a whole, since WordPress installations account for more than 34% of all internet websites. Officially supported versions include only the last six WordPress major releases, which currently are all the versions between v4.7 and v5.2. The plan is to slowly auto-update old WordPress sites, starting with v3.7, to the current minimum supported version, which is the v4.7 release.

The WordPress team said it plans to monitor this tiered forced auto-update process for errors and site breakage. If something goes massively wrong, the auto-update can be stopped altogether. If only a few individual sites break, those sites will be rolled back to their previous versions and the owners will be notified via email.

  • P-H-P (Score:5, Insightful)

    by That YouTube Guy ( 5905468 ) on Thursday August 08, 2019 @11:27AM (#59062876)
    How many old WordPress installations aren't being updated because the web host provider doesn't have a newer version of PHP installed?
    • by Anonymous Coward

      CentOS 7 in particular does not have a version of PHP more recent than 5.4. I broke all kinds of stuff yanking that out and adding a repo with PHP 7 in it.

      • by bobby ( 109046 )

        Did the breakage happen because the new repo updated packages other than php? Because if so, you can restrict which packages a repo actually affects.

        But I'm moving away from CentOS soon...

    • Too many.

I have several support tickets with various hosting companies asking them to provide an option for a newer version of PHP via cPanel or something else; I've only been responded to positively by one.

      • Re:P-H-P (Score:5, Insightful)

        by 93 Escort Wagon ( 326346 ) on Thursday August 08, 2019 @02:38PM (#59064008)

        Wordpress reports “PHP needs to be updated” on fully patched Red Hat and CentOS 7 systems, since it obviously just checks the version number while Red Hat backports security fixes to their chosen baseline version of most packages.

        This isn’t exactly an unusual server configuration, and I think it’s a good example of why people should be very wary of Wordpress’ plan to “fix” out of date installations. I realize they’re not talking about forcibly patching PHP... yet, anyway. But it shows what can happen when developers get myopic and possibly arrogant.

        • They want you using the scl packages...at least until rh 8 comes out. It will also finally come with vim 8.

    • by Anonymous Coward

      I predicted this would happen back in '97.
      That's why all of my sites are CGI based and I've
      never had a problem...

      CAP === 'capstan', yeah sure -- tell me about it now...

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      WordPress is a cancer on the Internet. A horrendously buggy, insecure, pile of crap that is a constant source of problems. It can't die soon enough.

      And, their "plan" is completely insane.

      it plans to monitor this tiered forced auto-update process for errors and site breakage.

      Does anyone believe that WordPress, who has already demonstrated that they are incapable of producing anything other than shit, can really do this without massively fucking it up??

      • by Anonymous Coward

        I for one, look forward to the class action lawsuit that this will cause which will hopefully destroy them.

        • by schwit1 ( 797399 )

          The EULA/TOS probably mandates arbitration.

          • by mysidia ( 191772 )

            Wordpress is GPL, so there cannot be an enforced ToS or EULA.

            I'm kind of curious how they would even accomplish this though... as I have WP sites with
            egress filtering measures that don't even have the permission to self-update their own files without FTP'ing to localhost and
            me entering a set of credentials when prompted, for example.

      • by Tablizer ( 95088 )

        WordPress is a cancer on the Internet. A horrendously buggy, insecure, pile of crap that is a constant source of problems. It can't die soon enough.

        How is that different from any other software in widespread use? Indifferent users, pointy-haired bosses, and/or arrogant near-monopolies turn everything into crap eventually.

= lol ... whenever i look at my log all i see is about a few scans a week looking for wp-login.php ... which after a while seem to decrease in frequency because for some reason my ip or site does not get logged in "the great underground resource db of potential zombie nodes". its a good thing, for people who can't code if their life depended on it, but its a hacker magnet and about the most inefficient thing i have ever seen installed on a webserver ... but good, so normies can make sites heh ... its a h
  • Wordpress Backdoor? (Score:5, Interesting)

    by Rashkae ( 59673 ) on Thursday August 08, 2019 @11:35AM (#59062914) Homepage

How is forcing a WP update even possible? WP has a built-in back door??

    This is a much bigger security concern than stale software packages!

    • Re: (Score:3, Funny)

      by Anonymous Coward

      probably just using one of the existing remote execution exploits, no big deal.

    • Re: (Score:3, Informative)

      by Anonymous Coward

By releasing a "point" release that enables auto-updates across major versions instead of just point releases. Most installs probably still have that "point release" auto-update enabled, so they can probably get some significant mileage out of it. I doubt they're going to try updating anything from before the point release auto-update scheme was rolled out.
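The mechanism this comment describes (a point release, delivered through the existing minor-release auto-updater, that flips the updater's defaults so it will also cross major versions) is one a site owner can gate from their own side, and the same point comes up again further down the thread. The following is an added example for this page, not code from the original post or from the WordPress project: a must-use plugin that keeps the security/minor auto-updater working but refuses automatic jumps to another major.minor branch, and logs what the updater actually did. The constant `WP_AUTO_UPDATE_CORE` and the hooks `allow_minor_auto_core_updates`, `allow_major_auto_core_updates`, `auto_update_core` and `automatic_updates_complete` are WordPress's own; the helper name `pin_core_same_branch` and the log line wording are assumptions made here.

```php
<?php
/**
 * Plugin Name: Pin WordPress core auto-updates to the running major.minor branch
 *
 * Added example, not code from the original page or from WordPress itself.
 * Put this file in wp-content/mu-plugins/. Must-use plugins load
 * unconditionally, and a core update only replaces core files (wp-admin,
 * wp-includes, root files), never wp-content or wp-config.php, so this policy
 * survives a "point release" that changes the updater's built-in defaults.
 *
 * Written to run on PHP 5.4 as well, since the thread's complaint is hosts
 * stuck on old PHP (no ?? operator, no scalar type hints).
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Keep the 3.7-era minor/security auto-updater on, but refuse major jumps.
// Equivalent to define( 'WP_AUTO_UPDATE_CORE', 'minor' ); in wp-config.php.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

/**
 * True when $offered stays on the same major.minor branch as $running:
 * 4.9.10 -> 4.9.11 is allowed, 3.7.30 -> 4.7.14 is not. (Hypothetical helper
 * name; the comparison is plain splitting of the version strings.)
 */
function pin_core_same_branch( $running, $offered ) {
    $r = array_slice( explode( '.', (string) $running ), 0, 2 );
    $o = array_slice( explode( '.', (string) $offered ), 0, 2 );
    return $r === $o;
}

// Second gate on the per-offer decision. WP_Automatic_Updater::should_update()
// passes the offer object from api.wordpress.org; $item->current is the
// offered version. Returning false vetoes the update regardless of the
// allow_*_auto_core_updates defaults.
add_filter( 'auto_update_core', function ( $should_update, $item ) {
    global $wp_version;
    $offered = isset( $item->current ) ? $item->current : '?';
    if ( ! pin_core_same_branch( $wp_version, $offered ) ) {
        error_log( sprintf( 'core auto-update %s -> %s refused by mu-plugin policy',
            $wp_version, $offered ) );
        return false;
    }
    return $should_update;
}, 10, 2 );

// Audit trail: record what the updater did, so a rollback or a successful
// jump shows up in the PHP error log and not only in an email to the owner.
// $update_results is keyed by type (core, plugin, theme, translation); each
// entry carries ->name and ->result (new version string, false, or WP_Error).
add_action( 'automatic_updates_complete', function ( $update_results ) {
    foreach ( (array) $update_results as $type => $results ) {
        foreach ( (array) $results as $result ) {
            $name = isset( $result->name ) ? $result->name : '?';
            $ok   = isset( $result->result )
                && false !== $result->result
                && ! is_wp_error( $result->result );
            error_log( sprintf( 'auto-update %s "%s": %s', $type, $name,
                $ok ? 'ok' : 'failed' ) );
        }
    }
} );
```

Two caveats a practitioner should keep in mind. First, the blunt switches people reach for, `AUTOMATIC_UPDATER_DISABLED` and `DISALLOW_FILE_MODS`, also turn off the minor security releases, which are the part of the updater worth keeping; pinning to the branch keeps those flowing. Second, this only controls WordPress's own updater: it does nothing about the underlying vulnerability in an out-of-support branch, so it is a way to make the upgrade a deliberate, tested step rather than a reason to skip it.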

    • by Anonymous Coward

"If they don't update, it's almost guaranteed that their site will be hacked eventually," said Ian Dunn, a member of the WordPress dev team.

      That's a threat.

    • How is forcing WP update even possible,, WP has a built in Back-Door??

      Wordpress has been auto-updating security patches for a really REALLY long time now. The problem is that it only patches bugs. Major wordpress versions have fundamentally changed the underlying system to make it more secure and those old versions are being exploited without a way to fix it in a security update.

      This is a much bigger security concern than stale software packages!

      Holy shit are you off the mark. Wordpress installations today are the 2010s equivalent of the Windows XP Blaster worm. They are a major security issue not only to the system itself but to the internet

    • How is forcing WP update even possible,, WP has a built in Back-Door??

      Any automatic acceptance of updates is indistinguishable from a universal backdoor. Microsoft Windows' universal backdoor [gnu.org] allows Microsoft to run anything they want on that system. Naturally, this includes remotely deleting apps [computerworld.com].

      The difference between WordPress and proprietary software (such as Microsoft Windows) is that WordPress is free software [gnu.org]—software that respects a user's freedom to run, inspect, share, and modify the softwar

  • So they're going to be like Microsoft and force an update. What if they push out code that turns out to be bad for 10% or more of use cases? Do they realize the legal implications of knocking businesses that use WordPress offline? Idealistic goody-goodies who cause problems are not welcome in the real world.

    • by Calydor ( 739835 )

      Did you see the part of the summary that said they'd be monitoring the effects, and sites that break can be rolled back?

      • Yes I did see that, changes nothing. My point stands, and you are one of the goody-goodies that cause problems in the real world if you think that is fine and/or sufficient. Breaking a site without owners permission, assuming that is fine if it's done for a while, *assuming* rollback would work, assuming enough would be functional afterwards to allow rollback if databases or modules corrupted, only someone with their head jammed firmly up their ass would think that's a good idea.

Anyone with an important website (and "Bob's Plumbing" doesn't count) would or should have updated already. What's left is a host of sites where someone felt that they needed a website, so they paid some script-kiddie wannabe programmer to create a "Bob's Plumbing" website. It's still online, it's still vulnerable, and Bob died 2 years ago. The thing is, these old websites are not only vulnerable themselves, they can cause the entire server infrastructure they are hosted on to be hacked. And "Bobs Plum
          • Nope, reality is there are corporations with tens of millions yearly revenue and up but yet with old wordpress sites. I know of quite a few. They have deep enough pockets to sue with good lawyers. Best not poke those sleeping bears.

    • And Wordpress I'm sure does NOT have the "deep pockets" that MS has, to handle any lawsuits arising from their forced upgrades of Wordpress sites. I use Wordpress for several sites I manage BUT I monitor them closely and upgrade the systems as needed. I'll go out on a limb and bet a LOT of WP sites do NOT get updated nor does the owner bother to even CHECK if there is an upgrade...

  • by rickb928 ( 945187 ) on Thursday August 08, 2019 @11:37AM (#59062936) Homepage Journal

    "If only a few individual sites break, than those site will be rolled back to their previous versions and the owner will be notified via email."

    And this is the issue raised by everyone so far, if it could be updated, most users would have updated... Between PHP, hosting file permissions, and general errors, it's pointless to do this. Those broken and getting rolled back means nothing is changed. Nothing. There will still be out of date sites.

    Unless they think a 10% increase in compliance is worth this. Feh.

    • by nadass ( 3963991 )

      if it could be updated, most users would have updated.

      Most site owners don't update their Web CMS simply because they don't know why they should -- if they ever bother looking! Most people are truly under the impression that whatever they're using is "good enough" and "just fine" (until something bad happens to them THAT THEY NOTICE).

      • "Most site owners don't update their Web CMS "

        I wonder if this is accurate. Or is it that most owners that don't update don't think of it... A difference.

      • Most site owners don't update their Web CMS simply because they don't know why they should -- if they ever bother looking!

The unstated assumption here seems to be that most of the world's Wordpress sites are standalone installs managed by individuals. I think you need to document that, since it seems far more likely the vast majority of Wordpress sites are running on deployments managed by hosting companies, where the user couldn't touch the OS even if they wanted to.

  • by fish_in_the_c ( 577259 ) on Thursday August 08, 2019 @11:39AM (#59062942)

I'm sorry. This kind of thing is just out of hand in the industry in general and I don't care if it is with the BEST of intentions and motives. Don't mess with other people's stuff!!! If I want it updated _I_ will update it, because I have no idea if I even LIKE the new _whatever it is you built_ and want to evaluate it and possibly even switch products instead of upgrading if I don't like the changes YOU make.

One of the first things I do with any product I install is shut off auto update and install. Not to say I don't update frequently; I actually do, but it is done on my schedule, and when something breaks I know why, and if it is important to me I read the feature changes and decide if I like them before I upgrade.

    This brings up another concern. Security updates should always be kept separate from feature updates.
What if I hate your new interface and want nothing to do with it? What if I just don't want to spend the resources to learn it? Don't force me to upgrade, or I will start by evaluating your competitors, because if I have to be put through the pain anyway I might as well make an informed decision.

    • by laffer1 ( 701823 )

      There's only so much time to update old versions. It takes away from new development. That said, if wordpress were BACKWARD COMPATIBLE it wouldn't be such an issue to update.

Agreed, but your second statement is really the larger part of my point.
Rather than saying "we aren't supporting our old stuff but will force you to take on something new because we know what is good for you better than you do and assume you are just lazy or uninformed", they should be saying "Why don't people WANT to upgrade?" Is upgrading too hard? Too time consuming? Do people hate our changes? Why are people keeping what they have, making the decision to risk security flaws, go without new features,

        • by laffer1 ( 701823 )

          I agree with that part of your point. I just get frustrated as an open source developer that users expect us to support old versions forever when we do the work for free. I'm a strong believer in getting user consent before doing things.

          There's an obvious list:
          1. os doesn't have updated php packages
          2. marketing dept paid a ton of money for a custom theme for 3.x and don't want to pay to update it. (lived this at my previous job)
          3. some now defunct custom plugin is essential so customer needed functionali

    • by Anonymous Coward

      Forced updates == unauthorized computer access == hacking == prison time.

      • by LostOne ( 51301 )

        Not necessarily. WordPress has had an auto-updater that is enabled by default for a *long* time. Presumably they're going to use that mechanism to trigger an update to a new "point" release where that point release enables updating across major/minor versions automatically by default, which can then trigger a cascade of auto-updates rolling through various major/minor releases. If they do this step-wise (3.7 to 3.8 to 3.9, etc.), they will probably get a *lot* of sites up to a much safer version even if the

        • by Anonymous Coward

          No, this is hacking.

          What you are describing is privilege escalation. Just because you figure out a clever way to exceed your mutually understood privilege doesn't mean you can leverage it unilaterally.

          GP is right.

well, presumably anybody to whom it is important will now shut off auto update until they can fix whatever it is that stops them from updating. This thinking, which basically goes "we know what is good for you better than you know what is good for you or want, and you should continue being an uninformed consumer rather than learning what you are doing", is exactly the reason I always shut off auto update. Updates should be pull, not push (assuming you own the device; it is of course different in a mana

    • by Anonymous Coward

      "I'm sorry, We've detected that you have not been upgraded to the new "Developers know best, shut up and take it" Trusted Computing paradigm. Please report to the nearest reeducation center immediately for expedited processing, and mandatory submissive training. Thank you for your compliance. - Big Brother." /s

      Although really, the hand-holding has to stop. These developers are running around with their heads cut off. The big proprietary software makers justify* this auto-update behavior because they need mo

      • They are forcing the updates due to security issues. Should they just leave them alone? If people updated their software with the security related updates this wouldn't even be an article. Go online with a PC with Windows XP service pack 2 and see how long it takes for your PC to be hacked. Last time I checked it was 7 minutes. Software needs to be updated, if that inadvertently breaks things, bummer. Update! Just because it worked today, doesn't mean it will work tomorrow. Progress and all that.
    • by Luthair ( 847766 )

      This brings up another concern. Security updates should always be kept separate from feature updates.

      They are, but software isn't maintained forever. You sound like the same sort of bozo who still runs Internet Explorer 6.

no. when you stop supporting a version of something, and many people are refusing to upgrade to a supported version, there are 2 things going on.

        1) if they have problems it is their own tough luck so stop complaining.
        2) there is usually a reason they don't want to upgrade, like time / money vs risk where the user ( read: the person in control ) is making a decision that time or money needed to upgrade is costly enough that the risk of being hacked is justified given the (usually low) value of their content.

    • by amorsen ( 7485 )

I'm sorry. This kind of thing is just out of hand in the industry in general and I don't care if it is with the BEST of intentions and motives. Don't mess with other people's stuff!!!

      If your stuff is vulnerable it has no place on the Internet. I would have preferred that they rolled out rm -rf / instead. That would get the attention of the site owners.

Don't mess with other people's stuff!!!

      I agree. I don't want my email inbox filled with spam. I don't want malware to be served to me by your website. Keep your crap up to date and stop messing with other people's stuff.

      It's a classic, your rights end where mine begin kind of scenario and given how feral Wordpress security is in general I say Chrome should just implement a new feature that blocks access to any website served via wordpress that is a version out of date.

  • by kbg ( 241421 ) on Thursday August 08, 2019 @11:41AM (#59062946)

    So forcefully update many web sites with many different dependencies and unknown customizations behind peoples back. Yes this will probably end very well for everybody.

    • So forcefully update many web sites with many different dependencies and unknown customizations behind peoples back. Yes this will probably end very well for everybody.

      Well it's quite likely that if the customer is running an old out of date Wordpress site that it is already broken, serving malware, and spamming inboxes with invitations from hot sexy Russians.

      An old out of date wordpress server was bricked by the auto update? Not only is nothing of value lost, but the world is a better place as a result.

      • I would +1 you but I've already commented elsewhere. The shit sites that are going to be broken by this are not being maintained anyway, are old and just adding risk to an internet that is already very risky.
  • by Anonymous Coward

I think the problem is, for most small websites, having your own fully fledged WordPress (or any CMS) is no longer a great idea. It's a complex software stack in itself and requires constant maintenance. WP itself needs updates, plugins need updates. Things change and your site breaks. It becomes a real burden in the long run, and a lot of people prefer not to touch their WP site's inner workings for fear of breaking something.

    While CMSs, WP in particular, were a revolution in site development and hosting b

  • From TFA, it sounds like Wordpress is going to change the source of the sites to become compatible with later versions. I've never used Wordpress or allowed marketing companies working for to use it (instead coding my own pages) because it always felt like the page was being forced to their approaches (along with having to use the plug ins that the page designer owned) rather than what I wanted.

    So, I don't know their terms of service, but I would think changing the HTML/CSS/Javascript source without the ow

  • Version 10 since everyone got the idea from Windows 10. Expect more and more software to either get Tenned or wannacried. The only difference is who is asking for the ransom.
  • ... half a brain will now start making plans to get their product off WP. Even if WP sobers up and decides not to go through with this marketing suicide - after talk like that, we can never trust these guys anymore: we already KNOW that they're insane.
I would say that this is the kind of thing that would get professional site builders to run away from Wordpress, but.... What professional site builder would use Wordpress anyway? Its popularity stems mostly from its ability to be automatically installed for every user of an ISP. It's the Walmart of CMSs.

  • by Anonymous Coward

    If WP doesn't mind breaking a few sites, they should simply blacklist non-compliant sites from accessing/including WP assets (scripts, etc.). This would likely cripple those sites to the point that visitors would be warned off and/or admins would engage to bring them up to date.

    Abusing their update mechanism is overly invasive. If it isn't illegal, it should be. It's definitely WP-grade stupid.

Real nerds make their own webpage, not fill out a template.
    • Real nerds make their own webpage, not fill out a template.

      Hand coded in vi/emacs/edlin using a keyboard with a broken "h" key... In winter, without shoes, uphill, both ways.

  • There's no way you force a major update on quite possibly the least technically knowledgable developer base without jacking their stuff up.
I am not on an outdated release so this doesn't affect me, but I have SELinux enabled and I have to deliberately, temporarily disable it to install Wordpress updates. I am pretty sure SELinux is on a fair bit of WP sites, so good luck with that idea.

  • A "forced update" sounds one step away from hacking or computer trespass.

    Don't you DARE force any update on any of my sites or you'll be referred to as the "defendant" in court filings.

    Maybe I'll come over there and forcefully update your dental work. For your own good, of course.
