I have wanted to talk about the WordPress auto updates feature for a while, but I don’t want to continue the general good or bad argument. I have every faith in the WordPress Foundation’s ability to responsibly use the feature; however, I don’t believe anyone other than the WordPress Foundation should have access to it.
It was only recently that the excellent WordPress SEO plugin was force auto updated to fix a security vulnerability. Again, this is a responsible use of the feature, managed by the WordPress Plugins Repository team, people I trust far more than I trust myself.
What I really want to talk about is how custom and/or premium plugins can reproduce the exact same behaviour. To be clear, by default, premium plugin shops have the ability to force auto update their plugins. Despite supporting the Auto Updates feature when controlled by the WordPress Foundation, I strongly oppose its control by any third party.
While I may trust a company to write a functional, reliable and secure plugin, I trust very few people with the power to inject code into my websites at will or to properly secure their systems so that no one else could use it to do the same.
Luckily, WordPress has provided the solution: developers can easily block plugin updates altogether, or white-list specific plugins they trust to use the feature (like the snippet below).
[wpgist id="a25d87b38ac6780a0bc6" file="autoupdate_plugins.php"]
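The embedded gist is not rendered on this page, so what follows is an added example (not the author's snippet) of the white-list approach using WordPress's `auto_update_plugin` filter. It goes one step further than a slug check by also requiring the package to come from the official repository; the function and constant names, the sample slug and the trusted host are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Auto-update allowlist (added example, not the post's gist)
 *
 * Intended as a must-use plugin (wp-content/mu-plugins/), so it loads
 * before regular plugins and cannot be deactivated from the admin UI.
 */

// Constructed sample allowlist: slugs permitted to auto-update.
const EXAMPLE_AUTOUPDATE_ALLOWLIST = array( 'wordpress-seo' );

// Assumption: official repository packages are served from this host.
const EXAMPLE_TRUSTED_PACKAGE_HOST = 'downloads.wordpress.org';

/**
 * Decide whether one plugin may be updated automatically.
 *
 * @param bool|null $update Decision made so far by core or other filters (ignored).
 * @param object    $item   Update offer (slug, package URL, ...).
 * @return bool True only for allowlisted slugs served from the trusted host.
 */
function example_autoupdate_policy( $update, $item ) {
	// Fail closed when the offer is missing the fields we check.
	if ( ! is_object( $item ) || empty( $item->slug ) || empty( $item->package ) ) {
		return false;
	}
	if ( ! in_array( $item->slug, EXAMPLE_AUTOUPDATE_ALLOWLIST, true ) ) {
		return false;
	}
	// Require HTTPS and an exact host match, so an offer pointing at a
	// third-party update server is refused even if its slug is allowlisted.
	$scheme = parse_url( $item->package, PHP_URL_SCHEME );
	$host   = parse_url( $item->package, PHP_URL_HOST );
	return 'https' === $scheme
		&& is_string( $host )
		&& strtolower( $host ) === EXAMPLE_TRUSTED_PACKAGE_HOST;
}

// Run last so a plugin that hooks the same filter to opt itself in is overridden.
add_filter( 'auto_update_plugin', 'example_autoupdate_policy', PHP_INT_MAX, 2 );
```

To block plugin auto updates altogether, register `__return_false` on the same filter instead of the policy function. Either way this is a policy setting rather than a sandbox: any active plugin runs with full privileges and could remove the filter.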
Despite being able to block it manually, having the feature open for use by anyone still makes me nervous.
My main problem with it is similar to the arguments against security services forcing companies to add back doors to their products and services. The general consequence is that by doing this you actually reduce security, by creating a method by which a third party could gain access too.
We have already seen companies losing customer credit card details; is it so far-fetched to imagine plugin update services being targeted? After all, some of them would give access to hundreds of thousands of websites; that is a gold mine for hackers.
Even if nothing changes, I think it would be healthy for users and especially plugin shops to be more aware of the responsibility they now have. You have a back door key to your users’ websites; don’t hide it under the flower pot.
I am interested in how everyone else feels about this particular aspect of the auto updates feature. Does this unsettle you too, or do you think I am overreacting?