The wisdom of the crowd gets it wrong on this one. Automatic Updates for WordPress can only help fix WordPress’s tarnished security reputation. Microsoft showed that this solution works unreasonably well. So, it follows WordPress should copy the same playbook. When you have a large distributed install base you most definitely need Automatic Updates. We see no better way to deploy security fixes than to remove the human element. Have the systems repair themselves.
So, Who becomes the crank that advocates tampering with the built in security solutions? Why do they undermine the best solution to the security problem? How did they get this way?
I say to those who go around telling people to disable updates: Stop It!
It appears to me the “Never Update” group have accreted over time and mostly because of their past mistakes. The most glaring mistake the Never Update WordPress people made stems from their heavy use of untrustworthy plugins and themes. Once bitten, twice shy.
But where do you get untrustworthy plugins and themes? Well, they come directly from WordPress.org. I believe that the root cause of discontent originated from the mandate that all plugins must come free of charge. Operating a marketplace that offers no easy way for vendors to monetize their wares means that those same vendor eventually abandon their work. Old plugins don’t get updated to work with the current versions of WordPress. And abandoned plugins tend to break when the WordPress platform changes.
Things may have been different if WordPress spent more time and engineering effort on maintaining backward compatibility. But they didn’t and so here we are.
Recall that in almost all cases the “Never Update” members have learned this wrong lesson from their experience. Their support contracts to keep their customers’ websites running no longer pay for the effort require to fix broken plugins. When a WordPress Update breaks a customer’s site you learn quickly not to do those updates at all. The cost benefit analysis tips toward if it aint broke don’t fix it.
Your responsibility included choosing the plugins and keeping them working as security vulnerabilities emerge. You can’t bury your head in the sand and ignore all the automatic update benefits because you can’t be bothered to do your due diligence on the Build vs. Buy decision. The theme and plugins you deployed remain your responsibility. Next time pick ones where automatic updates are a good thing.
