
Wordpress: Wordpress's plans to remotely force Wordpress updates!

Discussion in 'Blogs & CMS usage' started by eva2000, Aug 11, 2019.

  1. eva2000

    eva2000 Administrator Staff Member

    Interesting news that Wordpress is thinking about forcibly updating very outdated Wordpress sites remotely on https://www.zdnet.com/article/wordpress-team-working-on-daring-plan-to-forcibly-update-old-websites/! Imagine all the broken Wordpress sites as a result of this! Then again, if you're running Wordpress 3.7, you'd have more security-related problems besides a broken site :)

    Though you'd be able to opt out of this process too
     
  2. deltahf

    deltahf Premium Member Premium Member

    Wait... what?

    How would this work from a technical perspective? WordPress has a back-door for WP devs to initiate upgrades or code executions, without this permission being specifically configured or granted by the site owner? This is the first I have heard of that! That sounds like a bigger security concern than out of date software!
     
  3. eva2000

    eva2000 Administrator Staff Member

    Indeed I haven't given this more thought, but now you mention it, yeah, not sure how this would work from a technical perspective given that from my basic understanding of the Wordpress auto update mechanism, it only would auto update if the Wordpress owner opted into auto updating - that the control is on the Wordpress end user side.

    But guess you and I need to read the details, which are at Configuring Automatic Background Updates | WordPress.org, for the Wordpress auto update mechanism.
    edit: was thinking about this and one way would be Wordpress folks push out a Wordpress 3.7 minor release which has code only in that minor 3.7 release to force a major core auto-update, bypassing the controls that usually skip core updates.
     
  4. deltahf

    deltahf Premium Member Premium Member

    Wow, I had no idea. I thought auto-updates only happened if you turned them on.

    Not sure how I feel about this... :eek:
     
  5. jcat

    jcat Member

  6. BamaStangGuy

    BamaStangGuy Active Member

    I support this.
     
  7. eva2000

    eva2000 Administrator Staff Member

    Yeah it's something I have been thinking about myself for Centmin Mod. Question I ask myself, what if Centmin Mod users DO NOT regularly update their stack/versions? Or if they just set and forget and there's security and bug fixes? It's why I am working on tools/emailnotify.sh (Beta Branch - add tools/emailnotify.sh in 123.09beta01) to get better alerts for such updates to Centmin Mod users.
    True especially if you're using Wordpress versions as old as 3.7!

    Yeah will make the internet as a whole that tad safer with less chance of compromised Wordpress sites becoming part of malicious botnets/attacks.
     
  8. jcat

    jcat Member

    Unrelated to WP:

    Biggest issue for us is nginx/php being built via source so

    I feel building from source is a bit more scary than simply updating an rpm although in most cases if building via source fails, it normally doesn't affect the current running binaries, etc. Building from source uses lots of CPU, so in an environment with many hundreds of installs of centminmod, it has to be done in small batches.

    On a separate note, we started using 'expect', which is a bit hacky but in the end does the job very well and allows us to automate using the centminmod menu. Being able to fully automate option 22 is the best thing ever :) and already testing automating nginx/php upgrades as well.

    But.. yes, I agree on emailnotify, definitely a great thing to have.

    Also, I am in no way complaining about the decision to build from source, it's awesome and love it, everything has pros and cons.
     
  9. Jon Snow

    Jon Snow Active Member

    Wordpress is a bit different from centminmod.

    There are so many people who pay to have their wordpress sites set up without touching it. There are auto installers on cPanel that will do the job for you. People who use those tools are more likely to keep their sites outdated and that's why they get hacked.

    You need a little technical knowledge to set up a VPS with CMM, so I don't think you'll get people like that using it.

    There can be an option to enable automatic centminmod code updates when installing it. Could help. I'm not sure if automatic php/nginx updates are possible with cmm.
     
  10. eva2000

    eva2000 Administrator Staff Member

    For Centmin Mod updates itself there already is, via the cmupdate command (Beta Branch - Cronjob Auto Updating Centmin Mod Code Guide) or the AUTO_GITUPDATE persistent variable, but this only runs when centmin.sh is triggered, unlike cronjob cmupdate which will run regardless of centmin.sh trigger/runs (Beta Branch - add AUTO_GITUPDATE variable support 123.09beta01).
    Working on unattended nginx/php-fpm update scripts so such can be possible in future.
     
  11. Jon Snow

    Jon Snow Active Member

    I meant like..

    You paste the line to install everything and at some point it'd just prompt a question asking you if you want to automatically update stuff and then it'd do it for you if you say "yes".

    That's just an idea if you really want centminmod users to have the centminmod code updated automatically.

    I personally would rather do updates manually.
     
  12. eva2000

    eva2000 Administrator Staff Member

    I see what you mean. Yeah the installer is meant to be unattended so it wouldn't prompt for such. Maybe I can put the auto update prompt at the same time the first centmin.sh run prompts for primary and secondary email addresses for future notifications.