Support » Requests and Feedback » Enforced plugin update

  • In general I always have auto updates for plugins switched off due to past experiences with fatal errors. Yesterday, my site received an enforced “security” update for the plugin “Updraftplus” because it has a large user base according to their support forum. They stated that this was by WordPress, not the plugin author. This update occurred just before a scheduled automated backup. There are other posts in their forum about fatal errors caused by this update. The update caused my site to go offline for a number of hours. When it returned, it was completely out of memory due to whatever changes had been pushed. I only became aware of the problem due a memory monitoring automated email I had set up just recently. This out of memory spike only occurred after the site went back online. The end result is that I managed to restore the site from a week old backup, and deactivating the plugin. Even after I downgraded and deactivated the plugin, the enforced update was still pushed, although it remained deactivated. Content is missing from the past week locked in an unresponsive out of memory instance. I don’t think there’s ever a scenario where plugin updates should be enforced unless they’re rigorously tested. Especially for a memory intensive operation like creating backups. The potential for taking sites down is high due to the infinite number of variations in configurations and other installed plugins, and themes.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    The update was forced due to an extremely critical security vulnerability that “[allowed] any logged-in user on a WordPress installation with UpdraftPlus active to exercise the privilege of downloading an existing backup, a privilege which should have been restricted to administrative users only.” https://updraftplus.com/updraftplus-security-release-1-22-3-2-22-3/

    UpdraftPlus quickly patched the vulnerability, and given the severity of it and the wide use of the plugin, WordPress.org made the decision to force the update in the best interest of the safety and security of the over 3 million sites using the plugin.

    If there are any problems with the update, those should be directed to the plugin’s support at https://wordpress.org/support/plugin/updraftplus/

    Thread Starter arthurdaly

    (@arthurdaly)

    Thanks, I understand the importance given the security vulnerability. I’m not sure what was in this update, or whether the issue was entirely the fault of the plugin. All I know is that the site was functioning normally, and then I received an email stating there was an enforced update. A plugin shouldn’t be able to use so much memory that a site ceases to function. That’s the main feedback I wanted to provide. Also if an update is enforced for security it should be just for that. I don’t know what the changes were, but it seems like it was something more than just a permissions check. I would’ve updated the plugin anyway in the next few days.

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    Ok, I recommend directing that feedback to the plugin’s support at https://wordpress.org/support/plugin/updraftplus/

Viewing 3 replies - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.