Make WordPress Core

Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#55185 closed defect (bug) (invalid)

Auto-updates despite disabled

Reported by: psychosopher's profile Psychosopher Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Plugins Keywords: close
Focuses: Cc:

Description

The plugin UpdraftPlus WordPress Backup plugin updates automatic also when auto-updates is disabled.

It is the only plugin with this problem. Despite this it is for the support of the plugin a core problem and I have to open a ticket:

https://wordpress.org/support/topic/automatic-updates-if-the-option-is-disabled/

Change History (4)

#1 @SergeyBiryukov
3 years ago

  • Component changed from General to Plugins
  • Keywords close added

Hi there, welcome back to WordPress Trac!

This is explained in the Configuring Automatic Background Updates support article:

By default, automatic background updates only happen for plugins and themes in special cases, as determined by the WordPress.org API response, which is controlled by the WordPress security team for patching critical vulnerabilities. To enable or disable updates in all cases, you can leverage the auto_update_$type filter, where $type would be replaced with “plugin” or “theme”.

Based on the linked support topic, it looks like patching a security issue in the plugin is exactly what happened here, which is why an automatic update was pushed even if it was not explicitly enabled.

Last edited 3 years ago by SergeyBiryukov (previous) (diff)

#2 follow-up: @Psychosopher
3 years ago

This has never been the case in all this years also there were very severe security issues.

And it's ennoying if user settings are not respected.

#3 in reply to: ↑ 2 @knutsp
3 years ago

Replying to Psychosopher:

This has never been the case in all this years also there were very severe security issues.

And it's ennoying if user settings are not respected.

This article https://make.wordpress.org/plugins/2015/03/14/plugin-automatic-security-updates/ may bring some information and history.

But

define( 'AUTOMATIC_UPDATER_DISABLED', true ); // in wp-config.php

// OR a filter to disable automatic updates
add_filter( 'automatic_updater_disabled', '__return_true' );

should disable it completely (manual updates only).

Last edited 3 years ago by knutsp (previous) (diff)

#4 @Otto42
3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

The default state of WordPress updates is to trust the WordPress.org systems, and the plugin and security team has used this to push critical security updates since WordPress 3.7 was released.

So no, auto-updates in WordPress are not off by default, and have not been since 2013.

Last edited 3 years ago by Otto42 (previous) (diff)
Note: See TracTickets for help on using tickets.