Make WordPress Core

Opened 2 years ago

Last modified 20 months ago

#55321 assigned enhancement

Adding new themes in releases without a global theme auto-update setting renders installations insecure

Reported by: bertvandepoel's profile bertvandepoel Owned by: pbiron's profile pbiron
Milestone: Future Release Priority: normal
Severity: normal Version:
Component: Upgrade/Install Keywords:
Focuses: ui Cc:

Description

I'm a member of a student organisation offering hosting to other student organisations at a Belgian university. Thanks to WordPress, organisation with a complete lack of technical ability are able to maintain a website, largely through enabling automatic updates of WordPress, its plugins and its themes.

I understand it's a conscious choice of WordPress to add a theme every year through its releases. While I'm personally not a huge fan of these themes being added, I understand there isn't much we can do about that. However, many of our organisations assume that once they have enabled auto-updates, they're largely safe from maintenance issues. This isn't the case however since our a twentytwentytwo has only been installed a few months ago and very recently received its first update.

There doesn't seem to be a global setting to enable all auto-updates or auto-updating for all themes anywhere in the web interface of WordPress. This will mean that we will have to email each organisation to try to explain what they have to do and how. This seems contradictory to the idea of WordPress being very user-friendly even for those with little technical skills.

I would therefore either recommend a global setting concerning auto-updates, or ending the practise of adding a new theme every year without user consent.

Change History (15)

#1 @costdev
2 years ago

  • Keywords reporter-feedback added
  • Type changed from defect (bug) to enhancement

Hi @bertvandepoel, welcome to Trac!

There are numerous plugins to enable automatic updates. However, these tend to offer additional options that you may simply not need.

You can alternatively save this code to a file called enable-automatic-updates.php, ZIP it and distribute it to the other organisations to install via the Plugins > Add New > Upload.

<?php
/**
 * Plugin Name: Automatic Theme Updates
 * Description: Enable automatic updating of all themes on your website.
 * Author:      WordPress Contributors
 * Author URI:  https://www.wordpress.org
 * License:     GPLv2 or later
 * License URI: https://www.gnu.org/licenses/old-licenses/gpl-2.0.html
 * Version:     1.0.0
 */

if ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && false === AUTOMATIC_UPDATER_DISABLED ) {

    add_action(
        'admin_notices',
        static function() {
            $notice  = '<div class="notice notice-info is-dismissible">';
            $notice .= "<p><code>AUTOMATIC_UPDATER_DISABLED</code> is set and can't be overridden. Please delete the line from <code>wp-config.php</code>.</p>";
            $notice .= '</div>';
            echo $notice;
        }
    );

} else {

    add_filter( 'auto_update_theme', '__return_true' );

}

However, you can also simply disable the installation of themes bundled in upgrades if that is your preference.

Add this to wp-config.php:

define( 'CORE_UPGRADE_SKIP_NEW_BUNDLED', true );

Or create a plugin like the above if you want it to be easier for the organisations to make the change themselves.

Note: If adding to a plugin, use:

if ( ! defined( 'CORE_UPGRADE_SKIP_NEW_BUNDLED' ) ) {
    define( 'CORE_UPGRADE_SKIP_NEW_BUNDLED', true );
}

#2 @SergeyBiryukov
2 years ago

#55341 was marked as a duplicate.

This ticket was mentioned in Slack in #core-auto-updates by pbiron. View the logs.


2 years ago

#4 @pbiron
2 years ago

  • Component changed from Themes to Upgrade/Install
  • Milestone changed from Awaiting Review to 6.0
  • Owner set to pbiron
  • Status changed from new to assigned

Hi @bertvandepoel, this ticket was discussed during the Upgrade/Install component meeting earlier today.

We decided to try to get a solution to this in the next major version of WP, no promises, but we'll try.

This ticket was mentioned in Slack in #core-auto-updates by pbiron. View the logs.


2 years ago

#6 @Otto42
2 years ago

We have never turned on auto-updates for any theme. Ever. It seems way too dangerous. People modify their themes. Plugins tend to not be directly changed.

This is just my opinion, updating themes directly loses any customizations they may have made to files in the theme folder. It's risky. Very, very risky.

#7 @JosVelasco
2 years ago

An alternative would be to send a reminder in the e-mail that includes an update with a new bundled theme to activate automatic updates.

Also, maybe include the suggestion in the WordPress Site Health as well.

#8 follow-up: @peterwilsoncc
2 years ago

I share @Otto42's concern about developers modifying themes directly. It's certainly something I did when I was less experienced. I'm asking around for some more anecdotes.

@pbiron When the UI was introduced for plugins, do you recall what discussion was had about themes at the time?

#9 in reply to: ↑ 8 @pbiron
2 years ago

Replying to peterwilsoncc:

@pbiron When the UI was introduced for plugins, do you recall what discussion was had about themes at the time?

Yes...I do. Their is also a UI for enabling/disabling auto-updates for themes :-)

On multisite, that UI looks just like it does for themes (and only from the Network Admin > Themes). On single sites, there is an "Enable/Disable auto-updates" link on Appearance > Themes > Theme Details.

#10 @pbiron
2 years ago

The reason I milestoned this for consideration in 6.0 is the following:

  1. a site running WP 5.8.3 already has an active theme
  2. they update to 5.9 (possibly even via an auto-update)
  3. unbeknownst to the site owner/admin, that update installed another theme

I agree that the fact that people modify themes directly is a concern. But I also think that WP installing new bundled themes without explicit consent of the site owner/admin is a reason to consider enabling auto-updates for those new bundled themes.

#11 @bertvandepoel
2 years ago

Sorry everyone for the slow response on my end. I work with WordPress as a volunteer at a student non-profit, and my actual job and other responsibilities got a bit in the way.

Our point of view very much is what @pbiron his last post describes. Most of the student organisations we host don't have a dedicated webmaster, and often it's "the boyfriend of a friend of a member who is a mathematician" and they vaguely understand. Often for them it's enabling auto-updates everywhere (after us pressuring them about security) and then only going to the dashboard to add a new post or update a page every few weeks/months.

I understand that there are plenty of intermediate users who edit their themes, so I'm not asking to make auto-updating mandatory or anything like that (as some seem to fear). Mostly it's the fact that when a new version of WordPress is installed through auto-updates, it doesn't make sense that it brings along a new component that doesn't receive auto-updates and that can cause security issues without the user even knowing.

There are several ways to solve this issue:

  • Imply auto-updates for themes based on the auto-update status of other themes
  • Presume auto-update when the installation of the theme was through an auto-update
  • Have a global setting for auto-updates (in general or for themes specifically)
  • Do not install themes when auto-updating
  • Have a setting on the settings page to toggle auto-updates for newly installed themes/plugins
  • Probably more

I personally have a preference for the last option. This would make it much easier for those wishing to have a full auto-update experience to not have to worry about it, while they can still disable auto-updates for very specific components.

In my view it's awesome that WordPress makes it possible for those with few technical skills to actually maintain a website, but this specific issue is a burden to them that I think could be eased.

Last edited 2 years ago by bertvandepoel (previous) (diff)

#12 @Otto42
2 years ago

So, maybe this idea: starting with the "twentytwentythree" theme, if and when, auto updates are on by default. In the core code, that checkbox is flipped on. It's not us "pushing" anything from .org, just that it's on by default. Next new default theme, auto updates unless you turn it off.

I'm perfectly okay with that. Discuss. 👍

#13 @peterwilsoncc
2 years ago

  • Keywords reporter-feedback removed
  • Milestone changed from 6.0 to Future Release

I'm moving this off the 6.0 milestone as I think it requires much more discussion than the time frame allows. It's something that would need to be discussed in various make.wordpress.org teams: core, themes and probably others.

#14 @deborah86
2 years ago

I was told to post my suggestion here by the Gutenberg team. I would like the ability to enable/disable updates for multiple themes at once in the themes menu.

#15 @bertvandepoel
20 months ago

2023 is swiftly moving closer, and considering that the new theme is sometimes released a bit early (if I recall correctly) and I expect that things will get busy in December, I thought I'd bring this up again now. I still think it would be of great advantage to a huge amount of WordPress users that they won't get a new theme installed by automatic updates without their consent, which will then, unbeknownst to them, not get automatically updated when updates become available. So I hope that either the automatic installation or the fact it doesn't get marked for automatic updates even if all other components are will be revised.

Note: See TracTickets for help on using tickets.