WordPress has a "daring plan" to forcibly update old websites
-
What could possibly go wrong?
-
If it is possible for wordpress to do a remote update without the user's will, it is proof in itself that the installations are not secured.
They did not say how they plan to do this update. Exploiting the known vulnerabilities of their old versions?
-
@El_Heffe said in WordPress has a "daring plan" to forcibly update old websites:
What could possibly go wrong?
nothing except breaking precisely all of those plugins which each user considers critical for the function of the site, which is why they haven't updated themselves in the first place - they didn't want their critical plugins that don't support newer versions to get broken.
this is going to be all kinds of fun
-
@Adynathos said in WordPress has a "daring plan" to forcibly update old websites:
If it is possible for wordpress to do a remote update without the user's will, it is proof in itself that the installations are not secured.
They did not say how they plan to do this update. Exploiting the known vulnerabilities of their old versions?
According to the article, versions 3.7 and newer contain an "auto update" function. However, there must be a way to disable it, otherwise there wouldn't be anyone running old versions. So it does raise the question of how they are going to "forcibly" update people.
And if there is some way to do it, and something breaks (which seems highly likely since PHP is involved), I would imagine there will be a lot of pissed off people.
-
@El_Heffe said in WordPress has a "daring plan" to forcibly update old websites:
According to the article, versions 3.7 and newer contain an "auto update" function. However, there must be a way to disable it, otherwise there wouldn't be anyone running old versions. So it does raise the question of how they are going to "forcibly" update people.
The auto-updater doesn’t do major releases by default, only minor ones. That is, it did update from 4.9.9 to 4.9.10 by itself, but not to 5.0 — that required a site admin to click the update button. You can get it to do major updates as well, but that requires editing files to change a setting. Maybe their Grand Plan™ is to override that?
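The setting change Gurth mentions is usually done with WP_AUTO_UPDATE_CORE in wp-config.php; the same policy can be expressed with WordPress's own filters in a must-use plugin, which also lets you record what the updater did. This is an added example, not code from the thread or from WordPress itself; it assumes WP_AUTO_UPDATE_CORE is not also defined in wp-config.php (that constant overrides the filters), and the hook names used are real WordPress hooks.

```php
<?php
/**
 * Added example (not from the thread): a must-use plugin, dropped into
 * wp-content/mu-plugins/, that pins the core auto-update policy and leaves
 * a log trail for every automatic core update attempt.
 */

// Keep minor (security) releases automatic, but do not let core jump to a
// new major release without an admin deciding to do so.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Record every automatic core update, success or failure, so an unexpected
// version jump is visible in the server log rather than only in an email.
add_action( 'automatic_updates_complete', function ( $update_results ) {
    if ( empty( $update_results['core'] ) ) {
        return;
    }
    foreach ( $update_results['core'] as $result ) {
        // $result->item is the update offer; ->current is the target version.
        $target = isset( $result->item->current ) ? $result->item->current : 'unknown';
        if ( is_wp_error( $result->result ) ) {
            error_log( sprintf( 'WP core auto-update to %s FAILED: %s',
                $target, $result->result->get_error_message() ) );
        } else {
            error_log( sprintf( 'WP core auto-update to %s completed', $target ) );
        }
    }
} );

// Keep the failure notice link-free: tell the admin where to look (their own
// dashboard), not what to click, so a genuine notice is easy to tell apart
// from a phishing email that imitates it.
add_filter( 'auto_core_update_email', function ( $email, $type, $core_update ) {
    if ( 'fail' === $type || 'critical' === $type ) {
        $site             = wp_specialchars_decode( get_option( 'blogname' ) );
        $email['subject'] = sprintf( '[%s] Core update to %s did not complete',
            $site, $core_update->current );
        $email['body']    = "Log in to your site's dashboard directly (not via a link "
            . "in any email) and run the update from Dashboard > Updates.";
    }
    return $email;
}, 10, 3 );
```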
-
@Gurth said in WordPress has a "daring plan" to forcibly update old websites:
it did update from 4.9.9 to 4.9.10 by itself, but not to 5.0
Mine jumped from 4.whatever to 5.something all on its own. I didn't notice until I went to work on a page and they replaced the editor with some complete piece of trash WYSINECTWYG thing and I had to install the "Classic Editor" plugin just to restore basic editing functionality.
-
@Gurth said in WordPress has a "daring plan" to forcibly update old websites:
You can get it to do major updates as well, but that requires editing files to change a setting.
I found the next minor update.
-
@levicki said in WordPress has a "daring plan" to forcibly update old websites:
They should just uninstall WP remotely from all those websites and save us all from the menace.
How about functionally-equivalent results?
Newer versions of WordPress flat-out don't work on old PHP, so....
-
@Adynathos said in WordPress has a "daring plan" to forcibly update old websites:
it is proof in itself that the installations are not secured.
Well, they're running WordPress, so nothing new here.
-
@Tsaukpaetra said in WordPress has a "daring plan" to forcibly update old websites:
Newer versions of WordPress flat-out don't work on old PHP, so....
Which is the one big flaw in their plan. But, they've got it covered:
If only a few individual sites break, then those sites will be rolled back to their previous versions and the owner will be notified via email.
"The email should be a strongly-worded warning, letting them know that their site could not be upgraded to a secure version, and that they should manually update immediately. If they don't update, it's almost guaranteed that their site will be hacked eventually," said Ian Dunn, a member of the WordPress dev team.
Yes, a strongly worded e-mail. That will do it.
-
@El_Heffe If you can't get your customer to cooperate, just intimidate them to submission!
-
@mott555 said in WordPress has a "daring plan" to forcibly update old websites:
@Gurth said in WordPress has a "daring plan" to forcibly update old websites:
it did update from 4.9.9 to 4.9.10 by itself, but not to 5.0
Mine jumped from 4.whatever to 5.something all on its own.
Odd, I seem to have to start those myself, but get emails about how my site has been automatically updated to version x.y.z.
-
The email should be a strongly-worded warning, letting them know that their site could not be upgraded to a secure version, and that they should manually update immediately.
I am sure the phishers are already sending those emails:
Your wordpress version is insecure and prone to quantum AI hacks! Automatic update failed, download new version at wordpress.totallynotmalware.com and install immediately!
-
@Tsaukpaetra said in WordPress has a "daring plan" to forcibly update old websites:
@levicki said in WordPress has a "daring plan" to forcibly update old websites:
They should just uninstall WP remotely from all those websites and save us all from the menace.
How about functionally-equivalent results?
Newer versions of WordPress flat-out don't work on old PHP, so....
Older versions of WordPress don't work with newer versions of PHP either. Every few years I get a call from a church at Tampere, that their website has fallen apart and the admin interface is inoperative. The web-hotel dropped support for the oldest PHP version again. I go in, update the WordPress installation via SSH file copy-paste, and hey presto, it's alive again.
-
@El_Heffe said in WordPress has a "daring plan" to forcibly update old websites:
@Tsaukpaetra said in WordPress has a "daring plan" to forcibly update old websites:
Newer versions of WordPress flat-out don't work on old PHP, so....
Which is the one big flaw in their plan. But, they've got it covered:
If only a few individual sites break, then those sites will be rolled back to their previous versions and the owner will be notified via email.
"The email should be a strongly-worded warning, letting them know that their site could not be upgraded to a secure version, and that they should manually update immediately. If they don't update, it's almost guaranteed that their site will be hacked eventually," said Ian Dunn, a member of the WordPress dev team.
Yes, a strongly worded e-mail. That will do it.
The thing you quote sounds a lot like "that's a lovely site you've got there, it would be a shame if someone were to hack it... "
-
@El_Heffe Those hipster clowns have some nerve thinking they can force users to do anything. You know, they could've tried not building a festering pile of garbage that needs hourly updates. Alas, hipster clowns...
-
@El_Heffe "eventually" is a long ways out. WordPress's do-the-hack queue is so full that all the devs will be dead and in the grave by the time they get thru all the existing to-be-hacked sites.
-
@Zecc said in WordPress has a "daring plan" to forcibly update old websites:
"that's a lovely site you've got there, it would be a shame if someone were to ~~hack~~ update it... "