We first launched our WordPress AutoUpdater in 2012. Some tweaks were made to the system a year later, when the original AutoUpdate feature was included in the WordPress core, but we continued to rely primarily on our own system for our customers. The SiteGround AutoUpdater has been used successfully for the last 5 years and has kept a lot of our customers up to date and safe from hacks. Thanks to it, more than 70% of the WordPress installations on our servers have been constantly using the latest software version. However, we have been thinking for a while about how to get this percentage even closer to 100. The recent security issues with the WordPress REST API motivated us to introduce a change to the system that increased the upgrade rate to more than 90%.
What has changed and why?
In short, WordPress users hosted on SiteGround servers are no longer able to permanently switch off our AutoUpdater. Until now we provided two options: you could skip a single upcoming update, or you could switch off the AutoUpdater completely. From now on, the interface will only allow you to skip one upcoming update. If you want to be removed from the AutoUpdate system permanently, you can request it via our Help Desk. See the AutoUpdater tutorial for detailed usage instructions.
We decided to introduce this change because too many people had switched off the AutoUpdater and simply forgotten to turn it back on. As a result, they were vulnerable to hacks that were easily preventable through auto updates. For example, WordPress 4.7.2 was released last week to fix a major security vulnerability that allows attackers to deface websites using the REST API. This case gave us sufficient incentive to restart our system and bring all WordPress installations under the new update rules.
How safe is it to have our AutoUpdater turned on?
The way we perform WordPress application updates is different from the way the core update system works, and I can say our method is much safer. First, we make a backup of your site before we launch the update. Once the backup is ready, the system performs the update and installs the latest WordPress version from the official repository. Next, it checks for any errors on your index page. Numerous checks are made, and if we detect that your site was somehow broken during the update process, we immediately revert the upgrade and email you that it has failed. So far, our system has shown a success rate above 98% in upgrading without problems. However, not all issues can be detected automatically, so you still have the option to revert the upgrade manually, with a single click, from the tool.
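The backup, update, check and revert sequence described above, sketched as an added example (this is not SiteGround's code). The error-marker list, the function names and the stand-in site directory are assumptions made for illustration.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Text that commonly signals a broken WordPress front page (assumed list).
ERROR_MARKERS = re.compile(
    r"Fatal error|Parse error|Error establishing a database connection", re.I)

def index_is_healthy(status, body):
    """Index-page check: HTTP 200, non-empty body, no PHP/database error text."""
    return status == 200 and bool(body.strip()) and not ERROR_MARKERS.search(body)

def guarded_update(site_dir, apply_update, fetch_index):
    """Backup, update, check the index page, revert on failure."""
    site_dir = Path(site_dir)
    backup = Path(tempfile.mkdtemp(prefix="wp-backup-")) / "site"
    shutil.copytree(site_dir, backup)        # 1. backup before touching anything
    try:
        apply_update(site_dir)               # 2. install the new version
        ok = index_is_healthy(*fetch_index(site_dir))  # 3. check the index page
    except Exception:
        ok = False                           # a crashed update counts as a failure
    if ok:
        return "updated", backup             # backup kept for a later manual revert
    shutil.rmtree(site_dir)                  # 4. automatic revert from the backup
    shutil.copytree(backup, site_dir)
    return "reverted", backup

def demo(break_site):
    """Constructed site: version.txt stands in for the installed core version."""
    site = Path(tempfile.mkdtemp(prefix="wp-site-")) / "public_html"
    site.mkdir()
    (site / "version.txt").write_text("4.7.1")

    def apply_update(d):
        (d / "version.txt").write_text("4.7.2")

    def fetch_index(d):                      # stand-in for an HTTP GET of the index page
        if break_site:
            return 500, "Fatal error: Call to undefined function (constructed)"
        return 200, "<html><body>Hello</body></html>"

    outcome, _ = guarded_update(site, apply_update, fetch_index)
    return outcome, (site / "version.txt").read_text()

if __name__ == "__main__":
    print(demo(False), demo(True))
```

A check of this kind only sees what the index page shows, which is why a manual revert path is still needed for breakage elsewhere on the site.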
The Result: More than 90% of WordPress Installations on the Latest Version
After the recent campaign and the changes in the AutoUpdate system, we're more than happy that over 90% of the WordPress sites we host are on the latest version, 4.7.2. Meanwhile, more than 2 million WordPress sites across the world have been hacked through the REST API vulnerability. What's even scarier is that this number was 1.5 million according to the BBC just a few days ago. We believe that we have a responsibility to do everything within our power as a hosting provider to keep our customers and their websites safe. We understand that there's always a risk when you update a web application like WordPress, but with good preparation and checks that risk is minimal compared to the consequences of having an outdated site!