WordPress is going to update obsolete versions forced automatically

WordPress is working on a plan to forcefully and automatically update old versions to more recent releases. The open source content management system (CMS) aims to improve the security of the WordPress ecosystem and the internet as a whole.

No less than 34 percent of all internet websites run on WordPress according to ZDnet. It’s not surprising that WordPress is currently the most attacked CMS, especially because of its huge attack surface. Reducing it is an easy way to combat malware botnets. These take over websites in favour of malware, hosting SEO spam or launching DDoS attacks.

Version 3.7

Versions currently officially supported by WordPress cover the last six major releases between v4.7 and v5.2. The plan is to automatically update old WordPress sites from v3.7 onwards to the current minimum supported v4.7 in small steps. Versions prior to v3.7 are not automatically updated, as the mechanism for automatic updates is only included in v3.7. Versions older than v3.7 have to be manually updated, accounting for barely one percent of all WordPress sites.

Sun 11.7 percent of all WordPress sites used an extremely old version between v3.7 and v4.7. This accounts for tens of millions of websites and about 3 percent of all internet sites. Just to show you how old these versions are: WordPress 3.7 was released on October 23, 2013, while the current minimum and thus secure version v4.7 dates from December 2016.

Compatibility issues

An earlier proposal to transfer everything to v4.7 at once was the subject of a lot of negative reactions. For example, WordPress site owners were afraid that millions of websites would fail with a WSOD (white screen of death) or that compatibility problems would arise between themes, plugins and the new WordPress core version.

WordPress therefore wants to update these older, insecure versions automatically and forcibly in the following way within a year:

• 2 percent of all WP 3.7 sites automatically update to WP 3.8
• A week later, another 18 percent is automatically updated to WP 3.8.
• Two weeks later, 80 percent of the WP 3.7 sites are automatically updated to WP 3.8.

The above steps are then repeated by migrating sites from WP 3.8 to WP 3.9, WP 3.9 to WP 4.0, and so on.

The tiered forced auto-update process allows you to check for errors and site breakage. If something goes wrong, the automatic update can be stopped and in individual cases even a previous version can be replaced. WordPress hereby informs the owner of the website by e-mail.

Opt-out instructions

The e-mail must be a strongly worded warning. One that lets you know that their site cannot be upgraded to a secure version and that they need to update immediately manually. If they don’t update, it’s almost guaranteed that their site will eventually be hacked, says Ian Dunn, member of the WordPress dev team.

WordPress intends to allow site owners to unsubscribe from the forced update process. In addition to sending an e-mail, a strict warning is displayed on the dashboard. These warnings also include opt-out instructions and are displayed for at least six weeks before a site is automatically updated.

Manpower

In addition to safety, manpower also plays a role in the update plan. Over the past six years, developers have been backing up security patches for versions dating back to WP 3.7.

A time-consuming job, since WordPress developers had to convert newer PHP code to a code compatible with the older WordPress code base. As a security team, we’re not happy about that, but it’s definitely the best for our users. Because we set the standard for success, we also do so, says Aaron Campbell, leader of the WordPress Security Team.