Hi @attd, @joelkay and @markwordpress1 — as mentioned above, there is a post with further details on the woocommerce dot com official blog, and you should have received an email with information about this as well (if you’ve ever purchased an extension from WooCommerce, or had an account there). We definitely did weigh up the options and in consultation with the WordPress.org Plugins Team chose to go this route to make sure as many people got updated as quickly as possible, because it’s a serious issue. We will be following up with more information on the official blog so please keep an eye out there.
thanks for the confirmation, @beaulebens – good luck with the rest of the patch rollout
I understand this is a security flaw and your team might want to fix it asap, but auto-updating a live site poses a lot of risks.
My website was DOWN immediately (500 error) due to the auto-update (which of-course was disable like other have mentioned). I quickly restored my previous backup but the plugin updated IMMEDIATELY afterwards, causing the site to crash again. It’s like a vicious cycle.
I have to race with the plugin update and disable it within seconds. Horrible experience…
same problem here, does it mean that this update was really essential ? Or they just don’t care what we decide ?
@cacabe my gut tells me this was very serious, so it’s the former
So we are now considered as smart as shopify users and have no more choice to decide what we want to update or not ?
🙂
Perhaps wait until the team have released details of their reasoning before passing judgement. After that you can decide to sharpen your pitchforks or not
@markwordpress1 As stated, capitalization matters. That particular phrase you mentioned to disable updates is in ALL CAPS. The lowercase version you posted will do nothing, because it’s not the correct case.
@joelkay The “user preferences” cannot be overridden. However, the default is not “off”, but “do what wordpress.org suggests”. If you disable updates properly in the wp-config file, then they are quite disabled and nothing can override that setting.
WordPress.org does not “push” updates. Instead, each individual site checks for updates and applies those updates themselves. If your site updated, then it was because it was at the default setting, which is to apply the updates that are suggested to be automatically applied by the WordPress.org systems. We only turn that on for security updates. No other reason.
The All Caps line was taken direct from the link you posted, might want to change that instruction if the caps is an issue. I also thought it was the ‘define’ that was the issue?
Really disappointed with this, WordPress or any of the plugin vendors are not authorized to access our servers and perform updates without us initiating the updates. We’ll make sure they can’t do this in the future. We get paid to make sure our client’s sites stay online and don’t break, to have a 3rd party come in and break them is just not acceptable.
It also begs the question, if you have the ability to force updates to anything for all sites what kind of security implications does that create? Could a disgruntled employee wreak havoc? Could a compromise access your methodology and gain access to vast amounts of sites?
Hi all,
I am having the same problem of getting a 500 Internal Server Error when trying to access my pages. This happened right after the Woocommerce update. Any tips on how to fix this? Is this something that’s going to be fixed by Woocommerce, or do we have to fix it ourselves?
Any tips would be really helpful! Thanks!
@markwordpress1 Maybe you are a bit slow to understand 🙂 but Ottomaic is telling you that this is wrong:
define( ‘automatic_updater_disabled’, true );
it must be written
define( ‘AUTOMATIC_UPDATER_DISABLED’, true );
Also, Otto explained that if you use this correct define, your websites will never never never ever be updated again even for critical reason.
I’m sure it’s me and I am just slow.
Thanks for your kind input.
Don’t worry, I feel retarded at least once a day when I also do not understand something ! hahaha
It’s good that we are actually allowed to block any woocommerce update, otherwise we would be on shopyshit !
I’m sorry that I was not able to explain this clearly the first time, but if you still have questions, please ask them, I’m happy to give any help that I can. 🙂
The WordPress software updates itself. We don’t have any ability to “go into” sites and update them. We just have our “auto-update” flag turned off most of the time. But security updates get turned on for special cases.
We very rarely use this ability, and if you have code in a plugin or in the wp-comfig to directly disable automated updates, then we cannot override that.
Your site does the update all by itself. We only provide the recommendation for it to do so.
