WordPress AutoUpdater Restarted
We first launched our WordPress AutoUpdater in 2012. Some tweaks were made to the system a year later when the original AutoUpdate feature was included in the WordPress core, but we continued to rely primarily on our own system for our customers. The SiteGround AutoUpdater has been used successfully for the last 5 years and has kept a lot of our customers up-to-date and safe from hacks. Thanks to it, more than 70% of the WordPress installations on our servers have been constantly using the latest software version. However, we have been thinking for a while about how to get this percentage even closer to 100. The recent security issues with the WordPress REST API motivated us to introduce a change into the system that increased the upgrade rate to more than 90%.
What has changed and why?
In short, WordPress users hosted on SiteGround servers are no longer able to permanently switch off our AutoUpdater. Until now we provided two options: you could skip a single upcoming update, or you could switch off the AutoUpdater completely. From now on, the interface will only allow you to skip one upcoming update. If you want to be removed from the AutoUpdate system permanently, you can request it via our Help Desk (see the AutoUpdater tutorial for detailed usage instructions).
We decided to introduce this change because there were too many people who had switched off the AutoUpdater and had simply forgotten to turn it back on. As a result, they were vulnerable to hacks that were easily preventable through auto-updates. For example, WordPress 4.7.2 was released last week to fix a major security vulnerability that allows attackers to deface websites using the REST API. This case gave us sufficient incentive to restart our system and to bring all WordPress installations under the new update rules.
How safe is it to have our AutoUpdater turned on?
The way we perform WordPress application updates is different from the way the core update system works, and I can say our method is much safer. First, we make a backup of your site before we launch the update. Once the backup is ready, the system performs the update and installs the latest WordPress version from the official repository. Next, it checks for any errors on your index page. There are numerous checks made and if we detect that your site was somehow broken during the update process, we immediately revert the upgrade and email you that it has failed. So far, our system has shown a success rate above 98% in upgrading without problems. However, not all issues can be automatically detected, so you still have the option to revert the upgrade manually, with a single click from the tool, if needed.
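The sequence described above (backup, update, front-page check, automatic revert), sketched as an added example with WP-CLI, curl and tar. It is not SiteGround's code; the function names, the backup layout and the three health checks are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not SiteGround's code). Requires WP-CLI, curl and tar.

# index_ok URL: returns 0 if the page looks healthy. The three checks are
# assumptions; the article does not list the checks the real system runs.
index_ok() {
    local url="$1" page status rc=0
    page=$(mktemp) || return 1
    status=$(curl -sS -L --max-time 20 -o "$page" -w '%{http_code}' "$url") || rc=1
    [ "$status" = "200" ] || rc=1          # HTTP error or failed request
    [ -s "$page" ] || rc=1                 # blank page ("white screen")
    if grep -Eqi 'fatal error|parse error|error establishing a database connection' "$page"; then
        rc=1                               # PHP/WordPress error text in the body
    fi
    rm -f "$page"
    return "$rc"
}

# safe_update WP_PATH BACKUP_DIR   (BACKUP_DIR must be outside WP_PATH)
# Returns 0 = updated, 1 = update failed and was rolled back,
#         2 = backup failed, nothing was changed.
safe_update() {
    local path="$1" backup_dir="$2" old url stamp
    old=$(wp --path="$path" core version) || return 2
    url=$(wp --path="$path" option get home) || return 2
    stamp="$backup_dir/pre-update-$old"
    # 1. Back up database and files before touching anything.
    wp --path="$path" db export "$stamp.sql" >/dev/null || return 2
    tar -czf "$stamp.tar.gz" -C "$path" . || return 2
    # 2. Update core and its database schema, 3. check the front page.
    if wp --path="$path" core update >/dev/null &&
       wp --path="$path" core update-db >/dev/null &&
       index_ok "$url"; then
        return 0
    fi
    # 4. Roll back from the backup; the caller notifies the site owner.
    tar -xzf "$stamp.tar.gz" -C "$path"
    wp --path="$path" db import "$stamp.sql" >/dev/null
    return 1
}
```

Files are restored from the archive rather than by reinstalling the old core through WP-CLI, because a site broken by a PHP fatal error may prevent WP-CLI from loading WordPress at all.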
The Result: More than 90% of WordPress Installations on the Latest Version
After the recent campaign and the changes in the AutoUpdate system, we’re more than happy that over 90% of the WordPress sites we host are on the latest version – 4.7.2. Meanwhile, more than 2 million WordPress sites across the world have been hacked through the REST API vulnerability. What’s even scarier is that this number was 1.5 million according to the BBC just a few days ago. We believe that we have a responsibility to do everything within our power as a hosting provider to keep our customers and their websites safe. We understand that there’s always a risk when you update a web application like WordPress, but with good preparation and checks that risk is minimal compared to the consequences of having an outdated site!
Comments ( 32 )
kenny
Thanks for this, SiteGround. Just a point... if I am correct, you will advise (I haven't seen this on the cloud account?) that you will be updating. Then the update happens and you do your processes and checks. If we update from the dashboard prior to that, then the backup and the checks that you do don't happen? (I assume) Therefore, it is best to not upgrade from the dashboard and let the SiteGround process run?
Hristo Pandjarov Siteground Team
The changes affect our cloud accounts too. If you update manually before our system, it will skip any further actions. You shouldn't worry about our system, if you want to update manually, you can always do it.
Peter
SG has been exceeding my expectations in excellence in customer support, quality of service and as we hear above as well: Assuring server security! All I can say: Since being with SG I sleep a lot better at night! THANK YOU very much for all that you are doing at pricing levels that are truly impressive!!! Peter
Brian Prows
Great idea! I recently read that 30%+ of all WordPress sites, which represent 27% of ALL websites, are not running the latest WP release. I'm glad SiteGround has taken this positive action to protect users. SiteGround continues to distinguish itself from other hosting companies through constant improvements.
Basil Brooks
What about major releases? I can absolutely see the sense of auto-upgrading for security releases, but I'm not so sure about major releases that introduce new features, these are more likely to cause problems with templates and plugins etc. I have auto-update switched on for all minor security updates but would prefer to try major releases on one or two of my sites before upgrading them all. Will there be any way to do that with the new system?
Hristo Pandjarov Siteground Team
Most of the releases, even major ones, are a mix of security fixes, bug fixes and new features. Sometimes, serious security fixes don't even reach the changelog, like the famous emoji update, for example. This said, you can always opt out from a particular update, test it out, do it manually and then leave consecutive updates to happen automatically. We plan to further improve the system though, and being able to select how updates work is definitely something we consider.
MuMu
I second Basil's point of view. In this particular case (RESTful API) the bug was introduced in a major release while the 4.6 branch was immune. This demonstrates why keeping the older release (with minor updates on) is often safer than updating to the next major release. Furthermore, bug fixes included in major releases are usually also deployed for the previous version in the form of a minor release. I think you should definitely consider letting users opt out of the major updates policy while leaving minor updates available (maybe mandatory).
Joe
@Hristo Do you have any stats on how often a WordPress upgrade will damage or mess up the installed theme or plugins? I know that sometimes WooCommerce versions are compatible with certain WordPress versions. Same for other plugins. Is the answer to just test and update everything all the time? Or at least after every WP release?
Hristo Pandjarov Siteground Team
We do all the possible automatic checks we can and roll back updates when we detect a problem. So far, more than 98% of the updates are successful. Of course, plugin incompatibilities may occur and may affect your site in different undetectable ways but usually WordPress updates don't cause major problems. If you're using a plugin like WooCommerce that adds a ton of new functionality to the application, it's always a good idea to test it out after each update.
Alexander
It is a shame! Auto update can break my site. Nobody should have the ability to change my files.
Hristo Pandjarov Siteground Team
If you want to have your sites out of the automatic updates system, please post a ticket in your Help Desk.
Rarst
I dislike this change quite a bit. I get the benefit for all the barely maintained sites out there, but this isn't something that should be forced on more serious WP builds. Especially those using Composer or otherwise managing deployment of a specific core version. This is a decision out of the arsenal of “managed” WP hosts whose managing primarily consists of padding with layers of restrictions on what can be done. As a dev I value Siteground for giving me good tools to work with and getting out of my way otherwise; this is the first move that runs very contrary to that philosophy. I would suggest possibly reverting to allowing the cPanel setting in GoGeek accounts and upwards at least.
Hristo Pandjarov Siteground Team
Hey Rarst, I completely understand your point on this. You can opt-out from the system by posting a ticket in the Help Desk.
Rarst
Yes, I got that and I will. :) My point is mostly I don't _like_ that this is now a restricted helpdesk–level option.
Hugues
I'm with Rarst on this. I value the flexibility that Siteground generally offers, so I really don't like that major updates and minor releases will be treated the same. For me this is an unnecessary restriction which doesn't do things the "WordPress way". I completely agree and welcome auto-updates for minor releases as those are usually without problems and cover security issues, but I am not happy to have Siteground apply major releases automatically. I would want to be able to set each site I manage for clients to be on manual updates for major core releases and auto updates for minor releases. I don't want to have to go in and opt out manually on 20+ sites before every major update or have to contact support via 20 different accounts... Are you planning to offer this feature to set major updates to manual and minor updates to auto as a one-time operation? I get that some users never update their sites, but that should be handled in a way that doesn't impose restrictions on us developers. Thanks, Hugues
Hristo Pandjarov Siteground Team
It's not a restriction at all since you are free to opt out from the auto update system. We plan more updates soon to that system but I can't give you an exact ETA. Note, however, that if all your accounts are listed under one username, you can open one ticket and request delisting of all of those.
mark k.
Even minor version updates are not safe, as 4.7.1 breaking SVG uploads shows. I need to move my client from the shared hosting environment in which he is hosting right now on your servers (and which I truly enjoy working in) to some VPS solution, and if this is your attitude, then it is less likely to be SG. Sites that generate money cannot afford unplanned downtime. Having some obscure opt-out whose existence I will forget in two days is not a solution.
Hristo Pandjarov Siteground Team
You can opt-out completely from the auto update system by posting a ticket in your Help Desk in case you incorporate a more sophisticated deployment workflow.
Marcos
Hi, will the WooCommerce data be lost if I update it? Sometimes it shows an alert about it. Thanks
Hristo Pandjarov Siteground Team
You shouldn't lose any data. However, it's always recommended to make a backup before such upgrades just to be extra sure.
Stefan
I agree with the comments from Rarst and Hugues. To avoid misunderstandings: There's no need to explain to me the importance of WordPress updates in general. As a WordPress developer, consultant and professional site maintainer I give this subject a lot of thought. Eventually, the automation of major CMS updates can under almost no circumstances be a viable solution for professionally used feature-rich websites - or "web applications" if you prefer. WordPress itself comes with a sufficiently configurable auto-update mechanism. Critical security patches are of course offered separately from feature updates. I've never heard any complaints about that nor have I myself experienced any significant issues in this respect. Like many others I've been recommending Siteground to my customers for its distinct WordPress awareness, that doesn't come with the paternalism that some other popular hosts within the WordPress ecosystem involve. If Siteground wants to go this route, I think it will do so without a considerable number of WordPress professionals among its customers and proponents. There also seems to be an internal communication issue regarding the new auto-update system. Following the instruction in this blog post I'm currently trying to opt out my customers' sites by logging into each user account and pasting my request to the support team - since this is the only long-term solution being offered. Parts of the helpdesk staff obviously aren't yet aware of the opt-out variant via support request and told me they were sorry but exceptions from the new system weren't provided. Having to write a support ticket on behalf of each of our customers and, furthermore, having to discuss the subject with the support staff (multiple times) and needing to refer them to this blog post, doesn't quite feel like working on a developer friendly platform.
Stefan
I'd like to add, that in the meantime all my requests have been positively answered by the support staff and that they have been exceptionally cooperative and informative.
Hristo Pandjarov Siteground Team
We're working on major update on the system which will provide both power and flexibility to newbie and experienced WordPress users. Meanwhile, please post a ticket in your Help Desk to get removed from the automatic update system if you have a better workflow.
Mark
Have to agree with @Hughs and @Rarst on this. I prefer to test major updates first. Having to request opt out on a per site basis is a pain.
Hristo Pandjarov Siteground Team
Every change in a default setting or policy causes inconvenience. It wasn't easy for us to make this decision but we believe it's for the good.
Eve
A fellow developer asks: Are they doing automatic updates for major versions (e.g. 4.6 to 4.7)? This can have some negative effects, as updating to 4.7 exposed lots of sites to a huge security issue that wasn’t fixed until 4.7.1. Generally it’s safe to go auto for minor updates (4.6.1 to 4.6.2). Also, it’s unlikely that issues that happen in the dashboard would be caught by these automated checks. For example, the issue introduced in 4.7 where people can’t upload documents other than images.
Hristo Pandjarov Siteground Team
Yes, we do major updates too. You can opt out from an individual update from the tool itself or completely by posting a ticket in your Help Desk.
Paul Dahlen
Until SiteGround provides a way to roll back an automatic upgrade that breaks a client's site, I will be opting out for all my clients.
Hristo Pandjarov Siteground Team
You can restore the update with literally one click. Check out our tutorial for more information on that matter: https://www.siteground.com/tutorials/wordpress/siteground-autoupdate.htm#5
Obliterator
I'm a new customer researching your functionality. If I rollback an auto-update, what happens regarding further updates in the future? Does rollback disable the automatic update feature entirely? Or does it simply ignore that one update and apply any updates released later?
Hristo Pandjarov Siteground Team
Unless you explicitly request delisting from the automatic update system, each new version will trigger the update procedure.
Richard Fowler
Their service is top notch! I used GoDaddy for 10 years and liked them; however, SiteGround is better!