Woocommerce Automatically Updated, while auto-updates were disabled

  • Resolved attd

    (@attd)


    Hi. I have all auto-updates for all plugins disabled, and usually update them manually one by one to avoid any possible conflicts.

    But just got an email that Woocommerce automatically updated, from version 5.5.0 to 5.5.1. Any specific reason for this? Just seemed strange to me, since that option is disabled.

    Thanks

Viewing 15 replies - 1 through 15 (of 31 total)
  • I just got the same thing. This is REALLY not ok on production ecommerce sites, that’s why we have ALL updates disabled. We update in Staging and then production.

    Seriously, updating the Ecommerce Storefront in prime time is just absurd.

    Any ideas on how this is happening?

    Just as a followup, we just saw the same thing happen on a deactivated version of WooCommerce

    My site was not updated automatically, but I’ve updated manually, read this notice:
    https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/

    This is most likely due to it being a critical vulnerability patch. My guess is that when a plugin has this, it can override the user setting for auto-updates.

    Read more here: https://mailchi.mp/woocommerce/action-required-critical-vulnerability-woocommerce

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    Auto-updates are neither enabled nor disabled by default. For security updates, WordPress.org can enable them for especially serious security issues.

    You can manually disable updates if you like, of course, and we have instructions for doing exactly that: https://wordpress.org/support/article/configuring-automatic-background-updates/

    But by default, security updates are enabled for plugins, themes, and core.

    Samuel,

    Thank you for the reply.

    This is what I already have in ALL my configs;

    /** Disable WordPress automatic updates */
    define( 'automatic_updater_disabled', true );
    define( 'WP_AUTO_UPDATE_CORE', false );

    The updates occurred anyway and as far as I can tell they should not have. Any other thoughts on how to prevent this?

    I have replied to this prior in this thread but the comment is held for moderation. I said:
    “This is most likely due to it being a critical vulnerability patch. My guess is that when a plugin has this, it can override the user setting for auto-updates.”

    visit this URL to find out more:
    mailchi.mp /woocommerce/action-required-critical-vulnerability-woocommerce

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    define( 'automatic_updater_disabled', true );

    That is incorrect. There is no define check for that specific phrase, as capitalization matters. The correct statement for a define would be here: https://wordpress.org/support/article/configuring-automatic-background-updates/#constant-to-disable-all-updates

    You can also find the correct line of code to disable all updates here. Note that this will disable security updates as well, potentially leaving your site vulnerable to active threats: https://wordpress.org/support/article/configuring-automatic-background-updates/#disabling-all-updates-via-filter

    That page contains extensive information on this topic.
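An added example, not part of the thread or of the WordPress documentation: a small Python audit that scans `wp-config.php` text for the two constants named above and flags definitions that will not take effect because of letter case or typographic quotes. The function name `audit_wp_config` and the sample config are constructed for illustration.

```python
import re

# Constants WordPress core checks; PHP constant names are case-sensitive.
# WP_AUTO_UPDATE_CORE governs core updates only.
UPDATER_CONSTANTS = {"AUTOMATIC_UPDATER_DISABLED", "WP_AUTO_UPDATE_CORE"}

QUOTES = "'\"\u2018\u2019\u201c\u201d"  # straight and typographic quotes
DEFINE_RE = re.compile(
    r"define\s*\(\s*(?P<q>[" + QUOTES + r"])(?P<name>\w+)[" + QUOTES + r"]\s*,",
    re.IGNORECASE,  # PHP function names are case-insensitive, constants are not
)

def audit_wp_config(text):
    """Return (findings, effective): ineffective updater defines and the
    constants that are defined correctly. Multi-line /* */ comments are not
    parsed; only trailing // and # comments are ignored."""
    findings, effective = [], set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        code = re.split(r"//|#", line, maxsplit=1)[0]
        for m in DEFINE_RE.finditer(code):
            name = m.group("name")
            canonical = name.upper()
            if canonical not in UPDATER_CONSTANTS:
                continue
            if m.group("q") not in "'\"":
                # Typographic quotes are not PHP string delimiters.
                findings.append((line_no, name, "typographic quotes around name"))
            elif name != canonical:
                findings.append((line_no, name, f"wrong case; core checks {canonical}"))
            else:
                effective.add(canonical)
    return findings, effective

# Constructed sample modelled on the config lines quoted in this thread.
SAMPLE = """<?php
/** Disable WordPress automatic updates */
define( 'automatic_updater_disabled', true );
define( 'WP_AUTO_UPDATE_CORE', false );
define( \u2018AUTOMATIC_UPDATER_DISABLED\u2019, true );
// define( 'AUTOMATIC_UPDATER_DISABLED', true );
"""

if __name__ == "__main__":
    findings, effective = audit_wp_config(SAMPLE)
    for line_no, name, problem in findings:
        print(f"line {line_no}: {name}: {problem}")
    print("effective:", sorted(effective))
```

On the sample, only `WP_AUTO_UPDATE_CORE` counts as effective, so the config leaves plugin background updates untouched.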

    That’s interesting, the first link you posted (https://wordpress.org/support/article/configuring-automatic-background-updates/) had this:

    Constant to Disable All Updates
    The core developers made a conscious decision to enable automatic updates for minor releases and translation files out of the box. Going forward, this will be one of the best ways to guarantee your site stays up to date and secure and, as such, disabling these updates is strongly discouraged.

    To completely disable all types of automatic updates, core or otherwise, add the following to your wp-config.php file:

    `define( 'AUTOMATIC_UPDATER_DISABLED', true );`

    So it looks like there used to be a define check, was this a recent change? If so that would certainly explain the updates taking place.

    What else is interesting is that it is only WooCommerce that’s updating, nothing else…

    You discovered why this is happening?

    Looks like I am responding to a post that was removed…

    Yes, but this thread keeps holding my comments for moderation. I think due to the word vul- nerability.

    Basically there was one of those in WooCommerce discovered so they are auto-patching.

    EDIT: I have no evidence that is the reason but it makes sense. I was emailed from WooCommerce to update immediately, so that is the only reason I can assume they have overridden user preference for auto-update. Also I did not remove my own comment above…

    • This reply was modified 6 months, 1 week ago by joelkay.

    Thanks Joelkay,

    That makes the most sense so far.

    Still don’t like they have that kind of control over the sites we manage, I’ll have to dig into the logs and discover the IPs they’re using.

    When you discover a zero day you notify your users and urge an update, you don’t act like big brother and just start updating (without approval) everyone that uses the software.

    I agree, it’s frustrating. But who knows how serious this is, and perhaps they did weigh up the options and took the calculated risk to force update. Only the devs will know, and I’m sure they don’t take this decision lightly.

    It looks like they’ve put up a post on the official WooCommerce blog with info about it (I won’t try linking as it will probably get flagged)
