The developers behind the WordPress open-source content management system (CMS) are working on a plan to forcibly auto-update older versions of the CMS to more recent releases.
The goal of this plan is to improve the security of the WordPress ecosystem, and the internet as a whole, since WordPress installations account for more than 34% of all internet websites.
Officially supported versions include only the last six WordPress major releases, which currently are all the versions between v4.7 and v5.2.
The plan is to slowly auto-update old WordPress sites, starting with v3.7, to the current mimum supported version, which is the v4.7 release. This will be done in multiple stages, as follows:
- 2% of all WP 3.7 sites will be auto-updated to WP 3.8
- After a week, another 18% will be auto-updated to WP 3.8
- After two weeks, 80% of WP 3.7 sites will be auto-updated to WP 3.8.
- Repeat the same steps as above, but migrating sites from WP 3.8 to WP 3.9; WP3.9 to WP 4.0; and so on.
The WordPress team said it plans to monitor this tiered forced auto-update process for errors and site breakage. If there’s something massively wrong, then auto-update can be stopped altogether.
If only a few individual sites break, than those site will be rolled back to their previous versions and the owner will be notified via email.
“The email should be a strongly-worded warning, letting them know that their site could not be upgraded to a secure version, and that they should manually update immediately. If they don’t update, it’s almost guaranteed that their site will be hacked eventually,” said Ian Dunn, a member of the WordPress dev team.
A first auto-update plan would have wreaked havoc on the internet
This looks like a sensible solution, but an earlier proposal had the WordPress team forcibly update all old WordPress sites to version 4.7 at once.
This idea was quickly scraped after an avalanche of negative feedback from WordPress site owners who warned that millions of sites would have gone down with WSOD (white screen of death) errors caused by incompatibilities between themes, plugins and the newer WordPress core version.
The tiered forced auto-update is the result of the feedback, and one that takes possible site breakage into account.
Furthermore, the WordPress team plans to allow site owners to opt out of this forced update process. The WordPress team plans to send emails to website administrators and show a stern warning in websites’ dashboards before starting the auto-update process. These warnings will also include opt-out instructions, and will be shown/sent at least six weeks before a site is forcibly auto-updated.
“They’ll be warned about the security implications of opting-out,” Dunn said.
More than 3% of the internet runs outdated WordPress sites
The finer details of the auto-update process have not been finalized yet, but a source has told ZDNet that the WordPress security team hopes to auto-update all old sites within a year.
Versions prior to v3.7 will not be auto-updated because v3.7 is the version in which the auto-update mechanism was included in the CMS.
These older versions only support manual updates and can’t be auto-updated. Versions prior to v3.7 account for under 1% of all WordPress installations, though, so this won’t be a big issue.
WordPress sites running versions from v3.7 to v4.7 account for 11.7% of all WordPress sites, which is roughly in the tens of millions of sites range.
That’s about 3% of all internet sites, currently running extremely old WordPress versions. WordPress 3.7 was released in October 23, 2013, while the current minimum “safe” version, v4.7, was released in December 2016.
It was foreshadowed last year
While the plans to go with a forced update has shocked some members of the webdev community, it has not surprised ZDNet.
We knew it was coming because the WordPress security team hinted about it last year. In a talk at the DerbyCon 2018 security conference, WordPress Security Team lead Aaron Campbell said his team was working on “wiping older versions from existence on the internet.”
This is what he meant.
The reason behind the WordPress dev team’s desire to forcibly update all older CMS versions to the new one is because of man-power.
For the past six years, WordPress developers have been backporting every single security patch for all versions going back to WordPress 3.7.
While this was doable in the beginning, as the WordPress CMS moved forward, it took up more and more time because WordPress devs had to convert newer PHP code into one that’s compatible with the older WordPress codebase.
“That sucks for us as a security team,” Campbell said about this process, last year at DerbyCon. “But it’s absolutely the best thing for our users. And because that’s where we set the measure of success, that’s what we do.”
By moving all users to WordPress 4.7 (and then 4.8, 4.9, etc), developers are also making their lives easier, but also keeping the internet more secure, as a whole.
Currently, WordPress is the most targeted CMS today, mainly due to its large adoption and huge attack surface. Reducing the attack surface is the easier way to combat malware botnets that take over WordPress sites and use them to host malware, SEO spam, or launch DDoS attacks.
Related cybersecurity coverage: