***Update – So several members of the Core dev team and Core security team have responded on Twitter and pointed out that the updates were always this way and that the Codex was incorrect.  It has been updated to reflect reality.  While this still causes some frustration on my part, I appreciate their quickness to both react and respond.  People like Mark Jaquith and Andrew Nacin were extremely helpful in pointing out code that could correct the problem and what the actual reality of the Core code was and is.***

I love WordPress.  The freedom it gives me in terms of both publishing and development has been wonderful.  It’s provided me a means to provide for myself and my family for almost 8 years now.  While I don’t agree with everything I see coming from the committers to the core and other areas, I very much respect them and the time, effort, blood, sweat and tears that they give without asking for a return.

But yesterday I learned of something that caused me to pause.  Then, as I thought about it and began to see details rolling in and more people find issue with it, it caused something very near to fear.  A plugin that is used by a large part of the community, WordPress SEO by Yoast had security vulnerability and users were being asked to update immediately.  Understandable.  While that plugin has not had the best history of updates as you can read about here, it serves a purpose in the community that is needed. But that wasn’t the scary part.  Plugins have vulnerabilities sometimes and we patch and update them.  The scary thing and what caught me most off guard was that the plugin was updated automatically by the wp.org team. Without my consent.

Read that last sentence again. Think about it a second.  While I am in favor of automatic security releases for core in most situations, I opt into those by choice.  I can also turn them off if I desire.  But this update was forced.  No opt-in.  While that may be okay to a blog user (but not this one) or someone else, I have clients, large and small, who depend on their websites.  Enterprise level clients expect to be in control of their applications and servers at all times.  In fact, we do a lot of convincing in my current role that WordPress isn’t a security vulnerability in their technology stack.  So when someone in the core team decides to override what is in the codex and force an update without my knowledge or consent, it is a problem.  It not only hurts my business and infuriates me, but it weakens my clients faith in the platform. Not only that, but it makes that next sell in the space that much harder.  If WordPress as a platform wants to move into the enterprise and application framework space as Matt Mullenweg has said it does, this is a terrible way to do that.

We may call this a “forced update,” but what really happened here is code was pushed to my servers without my knowledge or consent.  Most people would call this an attack.  The intentions behind it, while I can hope to assume that they were noble, do not really matter when we are talking about business and clientele.  While I do not want to cause drama or create a mob, this is something that must be addressed immediately by the core team and honestly needs to be made so that it never happens again.

Published by Matt Pritchett

Matt is a Christian, a husband, a father to two beautiful girls and a WordPress developer at CrowdFavorite. He also creates software for nonprofits and enterprise customers at Pritchett Media.

Join the Conversation


  1. I’m a little torn on this. On the one hand, I like to run updates myself so I can review the changelog and note changes to features and settings and backup my site if needed. On the other hand, I can see that this is meant as a service that should do more good than harm in most cases. However, I read Yoast’s blog post about the issue and noticed that many people are saying in the comments that the plugin was deactivated when it was updated… Overall, I’m so glad I noticed the update before it was automatically applied!

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.