From Ken the Web Mechanic comes this:
Hi! I wonder if you’d have any insight on this… I’ll mention Wordfence, though I imagine that it applies to any security plugin that compares plugin files with those in the WordPress repository… One of the most common things that Wordfence reports as a file “inconsistency” is the readme.txt of many plugins. Frequently, when using Wordfence’s compare feature, the readme of an installed and up-to-date plugin is shown as not the most current version and the repository shows the latest version – which is for the version that is installed!! If you delete the plugin and then download and install it anew from the repository, the readme is for the current, Wordfence has no complaint and all is right with the world… So I guess my question is… When a plugin is updated through WordPress, does the readme.txt file always get updated? It’s always been my understanding that during an update all of the old filed are deleted and then the new version is installed from the repository… It’s seeming like this may not be 100% of the case. It’s certainly only a minor irritation to me… but it makes me curious… Inquiring minds and all of that! 😉 Thanks!
I put the whole question in because while the crux is “How are these buggers updating?” the whole picture is interesting. I’ve talked about this once before, but it was a very long time ago. How the WordPress Upgrade Works was posted in 2011, and Why does the WordPress background auto-upgrade work? was back in 2013. So it’s about time for a revisit.
The short answer is “Actually, the readme.txt is deleted on plugin (and theme) upgrades.”
The longer answer means first we should understand what’s going on with upgrades! How plugins (and themes) update is pretty basic and you can check out
/wp-admin/includes/class-wp-upgrader.php to see all this code:
- Connect to the filesystem.
- Download a package.
- Unpack a compressed package file.
- Clears the directory where this item is going to be installed into.
- Install a package.
These are all great failsafes, making sure multiple times that we’re not about to leave a user in a bad state. We check to make sure we can download and use the file before deleting and replacing. We check to make sure WordPress can find all the folders it needs, like
wp-content and so on. If it can’t connect to any of the ones it needs, it will fail. We make sure we can download and unzip the file. Even when we look at the complex fourth step, we’re all checking over and over to make sure that when we really do delete these files, we have something to replace them with.
The goal is that WordPress should never be able to leave you with a plugin deleted and not installed again, nor should it leave you with a half-deleted plugin. Obviously critical failures, like a server reboot mid-stream, will have some catastrophic effects. This is why WordPress tosses a
.maintenance file down, mind you. Stops your site from looking like total poop while all this is going on.
When we look at the class
Plugin_Upgrader itself (line 766 or so), we get into some nitty gritty things. The public function
upgrade does some interesting things:
add_filter('upgrader_pre_install', array($this, 'deactivate_plugin_before_upgrade'), 10, 2); add_filter('upgrader_clear_destination', array($this, 'delete_old_plugin'), 10, 4);
Here we are clearly deactivating and deleting safely before we upgrade. And at this point, I’m very confident that we’re deleting that readme.txt before we upgrade.
Okay! So why is WordFence being a dillweed?
I have a theory it’s related to the updates we do when WordPress core has a new version. You see, instead of updating the whole plugin, we update the readmes only to edit the “tested up to…” value. If there’s no code change, after all, why would we bother? No need to push an update! This means you no longer have a plugin that 100% matches what’s on Wordpress.org, you have a plugin where the code files match, but not the
And then poor WordFence notices that the readme you have and the readme on .org’s servers is out of whack, and tosses an error.
I don’t know how WordFence would fix that, but I’m pretty sure this would hang ’em up.
WordFence folks, got any ideas?