The fallout over the automatic update of Yoast’s WordPress SEO plugin shows the WordPress community is suffering from a severe case of Developer Goggles.
Yesterday (March 11th, 2015) Joost de Valk released a security update to the popular WordPress SEO plugin, currently running on over 1 million WordPress sites around the world. The release came after a responsible disclosure by Ryan Dewhurst of the WPScan team that detailed a significant and serious vulnerability in the plugin that could allow a hacker direct access to your database.
In the immediate wake of the update several hosting companies specializing in WordPress started either updating hosted sites with the plugin automatically or put in place safeguards to prevent hacker incursions.
A few hours after the initial release the WordPress.org team started rolling out an automatic (“forced”) update to all sites running the plugin. This means if you are using the WordPress SEO plugin you are now running
the latest a secure point-release version whether you updated it manually or not. In other words your WordPress site is safe.
While not entirely unprecedented this is a rare occurrence. Reportedly such automatic plugin updates have happened only about 5 times:
— Andrew Nacin (@nacin) March 12, 2015
Since version 3.7 WordPress itself has automatically updated whenever a security release has been published. There has also been a lot of talk in the community about instigating similar automatic updates for themes and plugins, much of which has been met with strong resistance.
In the wake of the automatic update many WordPress developers and community contributors have voiced concern, anger, even outrage.
The more I think about it, the more infuriating the auto-update of WP SEO gets.
— Ad-less Douglams (@zamoose) March 12, 2015
Nick Haskins summed up much of the concerns quite nicely in his post “On Automatic WordPress Updates“:
An update, is an update, and WordPress automatically updated a 3rd party plugin without my consent.
This constitutes a breach of trust, plain and simple.Nick Haskins
Haskins notes in an update to the post that the wording on the Codex page about automatic updates has been updated to clearly state that “Automatic background updates currently only happen for plugins and themes in special cases (determined by the WordPress.org API response)” and provides an example of how to permanently disable all automatic updates.
However, this Codex update does not diminish the core of the criticism of the update. The reason many developers are upset is that an automatic update of a plugin blurs the line between “self hosted” – as in autonomous – WordPress and “managed” WordPress. Haskins cites examples of plugin updates crashing sites. Others cite examples of plugin updates changing core functionality or behaviors without notice.
All of these are great arguments, but they run counter to an oft overlooked reality of the WordPress community: We, the people who develop and talk about WordPress on a daily basis, are not the typical user. We are the WordPress One Percent. And automatic updates are not for us. They are for everyone else.
Developer Goggles and the Real WordPress User
WordPress development runs on what’s known as the 80/20 principle. In this context it means anything that is done with WordPress core should be of benefit to 80% of the users. It would be hard to argue that a significant security update like the one released for WordPress SEO does not pass this test.
Though I don’t have any numbers I would venture a guess that the vast majority of WordPress users a) never read WordPress news, b) never monitor conversations about WordPress security issues, and c) rarely if ever check to make sure their plugins and themes are up to date. In fact every time there is a new full release of WordPress or major update to a plugin I get hundreds of questions by Twitter, Facebook, and email from regular users about whether it’s “safe” to update. In the real world many WordPress users are deathly afraid of any update and are clinging to ancient installs with out of date themes and plugins because they are worried an update may take their site down. Jeff Chandler posted some telling stats about this in his aforementioned, and strangely prophetic, article about the need for automatic plugin updates.
There are also a large number of WordPress users who have no idea whether a particular plugin is installed. In many cases the plugins are installed by the contractor they hired to build their site, and once the site is built they are left to maintain it. A warning about a security update would go unnoticed by them unless someone called or sent an email, and even then it is not certain that they would know how to or even have access permissions to run the update.
With this in mind it is clear the outrage over the automatic rollout of a significant security update to a popular plugin is one that only makes sense if you wear pretty thick developer goggles. The update is not for the WordPress Literati – it’s for the people we build WordPress for: The blogger, the small business owner, the people around the world who have something to say and want to say it without having to become a professional web developer in the process.
We can talk until the cows come home about whether all plugins and themes should be auto-updated. But the more important conversation we need to have is about how we define the typical WordPress user and how we serve them best. Let’s be honest here: If you are reading this you are in the WordPress 1%. And WordPress, for better or worse, is not really built for you.