SiteGround has improved the upgrade rate of its WordPress Auto-updater to more than 90 percent following recent high-profile vulnerabilities affecting outdated versions, such as the REST API vulnerability.
Even though auto-updates have been enabled by WordPress automatically for minor versions since WordPress 3.7, SiteGround continued to rely on their own system. Their auto-updater was first introduced back in October 2012 and has been used by over 70 percent of all installations hosted with them. With the changes, they have increased the upgrade rate to over 90 percent and are currently working on ways to increase this to nearer 100 percent.
What are the changes?
The essence of the changes is that users are no longer allowed to switch off the Auto-updater permanently. Previously, you were given the option to either skip a single update or switch it off altogether.
As of now, the admin.
Sometimes, though, there is a good reason to switch off the updates (perhaps you have code or plugin conflicts and are awaiting fixes), and you can still turn them off permanently, but you will need to open a support ticket to do so.
According to Hristo Pandjarov, from their Product Development team:
Too many people had switched off the AutoUpdater and had simply forgotten to turn it back on. As a result they were vulnerable to hacks that were easily preventable through auto updates.
While the native WordPress Updater only covers minor version upgrades, the great thing about SiteGround's Updater is that it includes the major core updates as well.
Easy and safe to use
The auto-updater is accessed by clicking on the WP Auto Update tool from within the cPanel account area. You will then be presented with a list of your WordPress installations, the current version of WordPress for each and whether it is up to date, and options to automatically update the plugins as well.
Furthermore, a backup is taken before every upgrade, so you can easily restore your website should something go wrong or a conflict occur.
That being said, the system will automatically check your index page to see if the website is working as it should. If something appears to be wrong, the system will automatically revert the upgrade and email you a notice that it has failed.
According to SiteGround, their system has shown a success rate above 98%.
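The backup, index-page check and automatic revert described above can be sketched as follows. This is an added example, not SiteGround's code: the hook functions, the failure-marker list and the sample site directory are assumptions, and it copies files only, whereas a real WordPress backup also needs the database.

```python
import shutil
import tempfile
from pathlib import Path

# Strings that usually mean a broken front page (constructed list, an assumption).
FAILURE_MARKERS = ("Fatal error", "Parse error", "Error establishing a database connection")

def index_is_healthy(status, body):
    """Front page must return 200, be non-empty and show no PHP/DB error text."""
    if status != 200 or not body.strip():
        return False
    return not any(marker in body for marker in FAILURE_MARKERS)

def guarded_update(site, backup, apply_update, fetch_index, notify):
    """Back up, update, check the index page, restore the backup on failure.

    apply_update(site), fetch_index() -> (status, body) and notify(msg) are
    hypothetical hooks for the upgrade, the HTTP check and the e-mail notice.
    """
    shutil.copytree(site, backup)          # backup is taken before the upgrade
    try:
        apply_update(site)
        healthy = index_is_healthy(*fetch_index())
    except Exception:                      # a crashed updater counts as a failure
        healthy = False
    if healthy:
        return "updated"                   # backup stays for a manual restore
    shutil.rmtree(site)                    # discard the half-applied upgrade
    shutil.copytree(backup, site)          # put the pre-update files back
    notify(f"Update of {site.name} failed its index check and was reverted")
    return "reverted"

def demo():
    """Run one good and one bad upgrade against a constructed site directory."""
    root = Path(tempfile.mkdtemp())
    site, mails = root / "site", []
    site.mkdir()
    (site / "version.txt").write_text("old-version")   # constructed sample state
    bump = lambda s: (s / "version.txt").write_text("new-version")
    ok = guarded_update(site, root / "bak1", bump, lambda: (200, "<html>Home</html>"), mails.append)
    after_ok = (site / "version.txt").read_text()
    bad = guarded_update(site, root / "bak2", lambda s: (s / "version.txt").write_text("broken"),
                         lambda: (200, "Fatal error: Uncaught Error"), mails.append)
    after_bad = (site / "version.txt").read_text()
    shutil.rmtree(root)
    return ok, after_ok, bad, after_bad, len(mails)

if __name__ == "__main__":
    print(demo())
```

A check like this only catches hard failures on the front page; a conflict that breaks an inner page or the admin area while the index still returns a clean 200 passes it, which is why testing after each upgrade still matters.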
Reaction to the changes
The comments made in response to the announcement on the SiteGround blog make interesting reading.
Right or wrong, many users do not like the idea of major versions of WordPress being updated. We would agree to some extent, but think the argument for greater security is more compelling. The gist of the arguments against the new rules is that the inbuilt WordPress auto-updater is sufficient and that this will cause significant difficulties for developers who manage many client websites, and who are responsible for keeping the websites online and ensuring no conflicts occur. Even small downtimes or small conflicts can cause extra work for already busy developers.
That being said, the recent REST API vulnerability was not forgiving for those who take the delayed upgrade approach. While there are some outlier cases, we do think the steps by SiteGround are in the right direction, and that developers should adapt to a faster upgrade schedule. After all, backups are available should something not be quite right, and developers could easily announce updates to their clients, ensuring that they test any upgrades after the event.