Support » Plugin: WooCommerce » Woocommerce Automatically Updated, while auto-updates were disabled

  • Resolved attd

    (@attd)


    Hi. I have all auto-updates for all plugins disabled, and usually update them manually one by one to avoid any possible conflicts.

    But just got an email that Woocommerce automatically updated, from version 5.5.0 to 5.5.1. Any specific reason for this? Just seemed strange to me, since that option is disabled.

    Thanks

Viewing 11 replies - 1 through 11 (of 11 total)
  • My site was not updated automatically, but I’ve updated manually, read this notice:
    https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    Auto-updates are neither enabled nor disabled by default. For security updates, WordPress.org can enable them for especially serious security issues.

    You can manually disable updates if you like, of course, and we have instructions for doing exactly that: https://wordpress.org/support/article/configuring-automatic-background-updates/

    But by default, security updates are enabled for plugins, themes, and core.

    Samuel,

    Thank you for the reply.

    This is what I already have in ALL my configs;

    /** Disable WordPress automatic updates */
    define( ‘automatic_updater_disabled’, true );
    define( ‘WP_AUTO_UPDATE_CORE’, false );

    The updates occurred anyway and as far as I can tell they should not have. Any other thoughts on how to prevent this?

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    define( ‘automatic_updater_disabled’, true );

    That is incorrect. There is no define check for that specific phrase, as capitalization matters. The correct statement for a define would be here: https://wordpress.org/support/article/configuring-automatic-background-updates/#constant-to-disable-all-updates

    You can also find the correct line of code to disable all updates here. Note that this will disable security updates as well, potentially leaving your site vulnerable to active threats: https://wordpress.org/support/article/configuring-automatic-background-updates/#disabling-all-updates-via-filter

    That page contains extensive information on this topic.

    Perhaps wait until the team have released details of their reasoning before passing judgement. After that you can decide to sharpen your pitchforks or not

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    @markwordpress1 As stated, capitalization matters. That particular phrase you mentioned to disable updates is in ALL CAPS. The lowercase version you posted will do nothing, because it’s not the correct case.

    @joelkay The “user preferences” cannot be overridden. However, the default is not “off”, but “do what wordpress.org suggests”. If you disable updates properly in the wp-config file, then they are quite disabled and nothing can override that setting.

    WordPress.org does not “push” updates. Instead, each individual site checks for updates and applies those updates themselves. If your site updated, then it was because it was at the default setting, which is to apply the updates that are suggested to be automatically applied by the WordPress.org systems. We only turn that on for security updates. No other reason.

    The All Caps line was taken direct from the link you posted, might want to change that instruction if the caps is an issue. I also thought it was the ‘define’ that was the issue?

    Really disappointed with this, WordPress or any of the plugin vendors are not authorized to access our servers and perform updates without us initiating the updates. We’ll make sure they can’t do this in the future. We get paid to make sure our client’s sites stay online and don’t break, to have a 3rd party come in and break them is just not acceptable.

    It also begs the question, if you have the ability to force updates to anything for all sites what kind of security implications does that create? Could a disgruntled employee wreak havoc? Could a compromise access your methodology and gain access to vast amounts of sites?

    @markwordpress1 Maybe you are a bit slow to understand 🙂 but Ottomaic is telling you that this is wrong:

    define( ‘automatic_updater_disabled’, true );

    it must be written

    define( ‘AUTOMATIC_UPDATER_DISABLED’, true );

    Also, Otto explained that if you use this correct define, your websites will never never never ever be updated again even for critical reason.

    I’m sure it’s me and I am just slow.

    Thanks for your kind input.

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    I’m sorry that I was not able to explain this clearly the first time, but if you still have questions, please ask them, I’m happy to give any help that I can. 🙂

    The WordPress software updates itself. We don’t have any ability to “go into” sites and update them. We just have our “auto-update” flag turned off most of the time. But security updates get turned on for special cases.

    We very rarely use this ability, and if you have code in a plugin or in the wp-comfig to directly disable automated updates, then we cannot override that.

    Your site does the update all by itself. We only provide the recommendation for it to do so.

    Plugin Support Igor H woo-hc

    (@ihereira)

    Hi there,

    Please be advised that this forum thread is resolved.

    I recommend creating a new thread with us in case you have any questions: https://wordpress.org/support/plugin/woocommerce/#new-topic-0

    Thanks.

Viewing 11 replies - 1 through 11 (of 11 total)
  • The topic ‘Woocommerce Automatically Updated, while auto-updates were disabled’ is closed to new replies.