Don’t Fear The Auto Update

I was not surprised to see the backlash to Auto Updates. We spent a lot of time trying to figure out how to explain to people that while you can disable it, we really, really, really, really, don’t want you to, and basically ended up with a Codex page that explained how to configure it and then Nacin’s followup post that is, indeed, the definitive guide to disabling updates. But people hate it or love it, and there’s no middle ground. This was, as I implied, somewhat expected.

Reasons why people hate it have varied from “I want to control my own updates!” to “This 3.7 upgrade broke something, so clearly you’re not ready!” Oh and don’t forget “You suck, I hate this! Why would you default this to on!?”

I want to stress one really important thing here. The automatic background updates for WordPress are for minor updates only. We’re not talking about auto-upgrading people from 3.7 to 3.8, but just 3.7 to 3.7.1. These are small, minor updates. When someone comes to me and complains that major releases don’t always work, I have actually said, “So? We’re not talking about major releases.” And of course, “You are making good backups on these super important websites, right? Right?”

It’s really easy to get bogged down with all the variable permutations about what updates could include and forget that WordPress started out simple. Yes, it’s defaulted to “on” because after intensive testing, and careful thought, WordPress core devs are pretty darn sure that these minor updates, which are more often than not security related, will not break a site. I’ll get back to breaking sites in a second. The point is that minor updates were picked specifically because it’s known that major upgrades can often break things.

Why is it defaulted to on? This is my reasoning here… Because the people who wouldn’t turn it on are the people who need it most. If they don’t know it can be turned on, they won’t do it. And they need it. The people who don’t read all the nerdy things are the ones who are still running WordPress 3.4 (no I’m not kidding). I spend a lot of time debugging WP without ever seeing or really ever looking at their site. I know a lot of users don’t upgrade because of laziness, or fear, so I want to address this (see? told you I’d get back to breaking sites).

Don’t fear updates

I said this on Twitter: If your site breaks every time you update WordPress, it’s time for a theme and plugin audit.

So what’s an audit? How does one audit?

It’s really simple. I have a longer presentation I give on this, but let’s go over how simple and basic this is.

Who is the author?

This is really obvious. With one exception, every plugin I use that’s made by core developers is updated to fix problems right away. It’s tested on versions of WordPress in the Beta stage, or even on trunk. It’s reliable because the author is reliable. Using a plugin by Mark Jaquith? No fear!

How active is the author?

Sometimes even I have no idea who that author is, so I look them up. And I want to see how active they are in WordPress. If someone is engaging on trac and writing plugins and themes, and posting about WordPress, yes, I take the time to read up on them. Remember, I’m auditing the plugin! So I want to see that this author is active and writes or contributes in a way that I approve of. That helps me trust them. Now I’m not expecting them to code as prolifically as Nacin, or write as frequently as Chris Lema, or even scour trac like Scribu. I have realistic expectations. One of my favorite developers is ‘try-lingual’ when it comes to CMSs, so I’ll check on her to see if she’s able to keep up with all the myriad CMSs her code works on. She knows about every release coming up? No fear!

How popular is it?

The more a plugin is used, the more people are banging on it in a diverse myriad of environments in ways the author probably never imagined. This is good. This means that the odds are higher than normal that the plugin will work on a bog-standard setup. It also means if I have a common server type (shared) it will probably work. The odds also go up for a more active volunteer environment. Popular plugin, used by thousands? No fear!

How often is it updated?

This is a careful thing. I don’t particularly worry if a plugin is old (i.e. not updated in over two years) if the plugin is simple, or made by someone very reliable. Heck, I haven’t touched the code in Impostercide in years, but I do update the readme every couple of WordPress releases to avoid people thinking it’s been abandoned. That said, I do like to see if the complicated ones are at the very least updating their readmes to say “yes, compatible up to the most recent version.” That tells me not only are they testing, but they’re aware of what’s going on in WordPress. Updates are reasonable? No fear!

What does the code look like?

This is hard. This is really hard. I review plugins, and write them, and it’s just plain hard okay? If I’m lucky, I don’t actually have to do this. Examples? Okay, try StudioPress’ Genesis Theme. I don’t look at their code, unless I need to make a child theme. Even then, it’s a case of trusting them to do the best by me. I believe in their code more than mine most of the time. Another example? Anything managed by But what about the rest? When it’s simple, I can read through the code, make sure it’s not doing anything nefarious and move on. When it’s not, I hire someone else to do it. You heard me. I pay people to do what I can’t because an audit of code is important. Now I don’t do this for every site. Personal/play sites? I may wing it, knowing I make good backups. But a big, company site? Oh you bet every single line of code was checked. Good code? No fear!

Really? No fear?

No. Not really. You have to keep in mind that none of these are absolutes. I don’t look at just one thing and say “Done, I have no fear.” I mean, I say ‘no fear’ in these explanations, but the truth is it’s the combination of these things that makes me fear less. WordPress is doing a good thing here and I’m not afraid of it.

And in case you’re wondering, I’m using auto-updates on all my sites.


9 responses to “Don’t Fear The Auto Update”

  1. Central Geek

    “pretty darn sure”, isn’t sure.
    “Because the people who wouldn’t turn it on are the people who need it most. If they don’t know it can be turned on, they won’t do it. And they need it. The people who don’t read all the nerdy things are the ones who are still running WordPress 3.4” Unless Automatic Updates goes back to 3.4 you aren’t touching them anyway. And telling those who do update, that it can be turned on, when the update to 3.7 is done would let them know it can be turned on. It’s not that nerdy to have a notice on the update to turn on or off Automatic Updates.

    I am one of those who wants that control. Yes, I know how to turn them off. The point is, I shouldn’t be required to go into my files to turn them off. All I want is to have the option in the settings to turn them on or off. Why is that so much to ask?

    The logic being used, doesn’t even apply to most people who are updating, you are talking about those lazy, unknowing souls who aren’t paying attention to anything anyway. Those people won’t be reading your post, my post or Andrew Nacin’s post. Or that would be my understanding after you made the classifications.

    You are very knowledgeable in WordPress. You are all over the place with a lot of great ideas, I don’t doubt you would rather people update their sites, it’s a pain trying to troubleshoot something that isn’t up to date. However, the issue isn’t with those people. They aren’t going to update to 3.7 anyway, they are too lazy and don’t care. So, how do you propose to bring them into the fold, and allow the rest of us to backup our sites prior to doing these “minor, security” updates?

    This decision to turn on automatic updates is only affecting those people (according to your logic) who are updating, and they are doing it when they are notified of updates, not via automatic updates. The logic on this one is escaping me. Please do explain.

    1. I’ve seen all your replies to Nacin on the subject, and there’s no way I can explain this to you better than he did, which makes me wonder if you’re trolling. You already know the answers, you just don’t like them. Which is totally fair and I would never suggest otherwise. You don’t like the upgrades, you don’t trust them, you feel it’s dangerous and ill thought out. Out of curiosity, where were you when this was publicized at WCSF in State of the Word? It’s not like this was a secret from developers or people who make their living on WP. You know, the people who owe it to themselves to be testing as early as possible because their livelihood depends on this stuff?

      You already know that you can install a plugin for the settings, and yes, I think that’s appropriate. Most people won’t. That means most people who use 3.7 will be updated with security and maintenance releases, and that means fewer sites I have to de-hack. Which brings me to my answer to your claim of a logical fallacy:

      This decision to turn on automatic updates is only affecting those people (according to your logic) who are updating, and they are doing it when they are notified of updates, not via automatic updates. The logic on this one is escaping me. Please do explain.

      Because I, and Sucuri and StopTheHacker and every other person who spends time cleaning up hacked sites updates users to the latest WP. It’s a little bit of Zeno’s Paradox, we’ll never get 100% saturation, and we know it. But if I can have a little more faith in the people I clean up, knowing they’ll be a little safer, then maybe I can put more time into making WP better, and less into cleaning up someone who ignored the check-engine light.

      Upgrade. Please. Leave on auto-updates. Make backups. You care about making them before the updates? They run at 7am and 7pm. Set the server to backup every day at 6am and 6pm. That’s too hard for you? VaultPress is a great option for people who don’t have server power or skills like that.

      You have options. Not liking them is perfectly fine and fair, but you’re way too late to this game to change it.

    2. Central Geek

      @Ipstenu (Mika Epstein): No Mika I am not trolling. I receive updates from your website, which you offer via following. I’m sorry you feel I might be trolling because I comment on your rationale, as stated above. If you would prefer I not comment on your contributions, then I will be happy to comment no further.

      After this, of course. I personally don’t care if updates are available automatically. And you as well as Andrew refuse to accept my (and many others’) logic that WordPress developers should have offered the option to turn on or off the automatic updates in the settings.

      I understand and accept your reasoning. I have no problem with your reasoning. You have a job that requires you to be available for support on many more sites than I manage. I personally do not have to unhack sites, I update regularly and I choose the time for doing the updates as well as the backups. Knock on wood, I have been successful in keeping the sites I manage, secure. I monitor them with various different plugins and services. It is worth my time to do so.

      And that is where I come into the conversation about allowing the option to be a simple one, allowing turning off of the automatic updates. I love updates. Contrary to Andrew’s misinterpretation of what I was trying to say. Again, I do them regularly and without delay.

      All I ask is that WordPress reconsider their position, which a lot of people have voiced opposition to, and place an option in the settings to turn the automatic updates off. There is ample justification for such reconsideration. Whether or not I was available for whatever gathering, discussion or testing of WP 3.7 is immaterial. I have been busy in the last several months taking care of a number of things that didn’t avail me to many of those things you mentioned.

      I disagree with the automatic updates being on by default. That is all I have tried to say. The attitude I get back is like I attempted to pick someone’s pockets. 😉

      Again, I AGREE with the OPTION to set automatic updates. And I have installed, activated and use the plugin offered by one of the people who created it yesterday. However, I hold to my belief that it is better to have something like this in the settings without having to install another plugin. Take care, and I will leave this topic.

      I have one question for you though, before I go. Should I presume you were trolling when you followed me to the WP forums where you responded and repeated much of what I had to say on the same subject, in the same thread? Just curious why you would suggest I was trolling, when I had been somewhere else answering someone’s question about the same subject and you showed up.

    3. I started wondering if you were trolling when nothing anyone said would dissuade you. Repeating the same thing over and over, following people from the WPORG posts (where I was pretty much only noting technical inaccuracies) to their sites does make me Spock the brow.

      Trolling isn’t always something you intend to do. Accidental trolling happens when you are the one beating the dead horse. Which you kind of are.

      I highly doubt this will be reconsidered. For the people who need it, it’s good. For the people who take care of it on their own, they can continue to do so. But as someone who, about 2 years ago, was against this, the technical that went in to making this safe and solid won me over.

      It’s safe. The only time I disabled it was for a closed network site that we update and push via a controlled system and sync across multiple servers.

      If you want your option, use a plugin today. That’s your choice and while I wish you’d give this a chance, I’m the one who approved the controller plugin.

  2. […] best article I’ve read so far on this topic is from Mika Epstein entitled, Don’t Fear The Auto Update. While she doesn’t dismiss the fact that a site can break during an auto update, she provides […]

  3. People are paranoid. I suspect auto-updates will become the norm in web applications in future, not something new to be afraid of.

    I think Google has paved the way nicely with Chrome. Auto-updates in Chrome work really nicely.

    I even auto-update my OS these days. I got sick of the daily nag to update, so just set it to do it all automatically behind the scenes and now I never need to bother doing anything again. I just get updates seamlessly and nothing ever breaks. Heck, it’s not like I’m not going to hit the update button; the updates are supposedly there for my own benefit.

    I’m hoping we will eventually see all updates to core done automatically and maybe even give theme and plugin developers the option to set their plugin to auto-update (assuming the user has core updates turned on).

    Old manual updates are the way of the past. Auto-updates are the future 🙂

  4. Great info! Two thumbs up for auto updates. 😎

    I tell all my small biz clients the same thing: they can use something like, they can host with something like WP Engine, or they can pay me to keep things updated and backed up manually.

    If they don’t listen and run old software, I feel that I’ve at least explained it to them. It’s like keeping your hard drive backed up .. lots of people don’t do it and they run the risk of losing things.

    1. Other managed host companies include Pagely, Zippykid, WebSynthesis, and of course, DreamPress 😉 There are lots of options.

    2. I’m going to try DreamPress for my next project actually! They have great prices .. I haven’t used the other ones yet.