What is a “forced plugin update”, how can I avoid it and use it for my plugins

To answer the first question…

If you look within the WP_Automatic_Updater class found in wp-admin/includes/class-wp-upgrader.php we note the method is_disabled which is used by the method should_update to determine whether or not an automatic update is allowed.

The is_disabled method will return true under the following conditions,

  • if DISALLOW_FILE_MODS constant is defined and is true
  • if WP_INSTALLING constant is defined regardless of value state
  • if AUTOMATIC_UPDATER_DISABLED constant is defined as true

Be aware though that the latter constant AUTOMATIC_UPDATER_DISABLED is also associated with a filter, automatic_updater_disabled, so even if defined, it is possible for the value to be filtered elsewhere in which case you are best served by declaring the following hook:

add_filter( 'automatic_updater_disabled', '__return_true' );

Here is the method excerpt from the WP_Automatic_Updater class:

wp-admin/includes/class-wp-upgrader.php:1730

/**
 * Whether the entire automatic updater is disabled.
 *
 * @since 3.7.0
 */
public function is_disabled() {
    // Background updates are disabled if you don't want file changes.
    if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS )
        return true;

    if ( defined( 'WP_INSTALLING' ) )
        return true;

    // More fine grained control can be done through the WP_AUTO_UPDATE_CORE constant and filters.
    $disabled = defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED;

    /**
     * Filter whether to entirely disable background updates.
     *
     * There are more fine-grained filters and controls for selective disabling.
     * This filter parallels the AUTOMATIC_UPDATER_DISABLED constant in name.
     *
     * This also disables update notification emails. That may change in the future.
     *
     * @since 3.7.0
     *
     * @param bool $disabled Whether the updater should be disabled.
     */
    return apply_filters( 'automatic_updater_disabled', $disabled );
}

I would further suggest the following link for reading:

Configuring Automatic Background Updates

http://codex.wordpress.org/Configuring_Automatic_Background_Updates

…which provides in detail a list of the available constants and filters for fine grain control over what components to disable against updates.

For the case of only disabling automatic plugin updates you have:

add_filter( 'auto_update_plugin', '__return_false' );

…and so forth.

To answer your second question…

(someone correct me if I am wrong)

Let’s add some context for the readers, this entire question is as a result of this twitter status which was in itself a response to the forced automatic update of Yoast’s WP SEO plugin see the following, https://yoast.com/wordpress-seo-security-release/, for more information.

There is a function in wp-includes/update.php named wp_maybe_auto_update which is fired on the hook with the same name do_action('wp_maybe_auto_update') which is fired from within the wp_version_check function contained within the same file which in itself is a scheduled event that runs twice daily.

So, what I suspect WordPress.org did, was that they internally incremented the version of WordPress so that an automatic update would be forced onto users due to the apparent severity of the security flaw associated with the Yoast WP SEO plugin.

To quote Yoast himself:

Because of the severity of the issue, the WordPress.org team put out a forced automatic update (thanks!)

I’m not 100% certain whether this in fact then also automatically updated any other plugins that had new versions in the WordPress.org repository or whether or not WordPress.org can dictate which plugins can be auto-updated from their end, perhaps there something within the code that also allows for this type of discretion.

As to whether or not you can use the same mechanisms yourself, well, for plugins that you host within the WordPress.org repository, yes, for those outside of the official repository, I’m not entirely sure, but you may be able to instantiate the WP_Automatic_Updater class and provide it a context for which to check against but I think ultimately we end up in function called wp_update_plugins within wp-includes/update.php which checks against the official WordPress repository API.

I may be incorrect so if anyone has something further to add, please chime in.


Related Posts:

  1. How Do I Configure Automatic Updates in WordPress 3.7?
  2. Will A WordPress automatic update harm my website?
  3. Automatic updates are not working
  4. Is it possible to prevent website from breaking with auto update?
  5. Enable automatic minor core updates when root of site is a git repository
  6. WordPress Health Tool reporting version control as a critical issue
  7. Unable to get WordPress auto update working on Ubuntu 12.04
  8. WordPress 3.0.1 Auto Update Problem
  9. Disable Plugin Updates but Allow WP Auto Security Updates
  10. Missing Update Link to 3.02/3.03 on Dashboard
  11. Change email for update notification
  12. How does wordpress handle file permissions when automatic updates are enabled?
  13. How to schedule Automatic WordPress Plugin and Core updates for night times
  14. Auto Plugin & Core Updates Not Working For Custom Theme
  15. WordPress updates and Git
  16. How to debug background/auto update?
  17. How can I fix my server so core/plugins/theme update don’t silently fail?
  18. WordPress 3.1 not autoupdating
  19. WordPress core auto update fails for UpdraftPlus WordPress Backup Plugin
  20. Automatic updates only in a predefined maintenance window
  21. Auto updating a single plugin
  22. Could auto-update delete core WordPress files and cause a white screen of death?
  23. Changing random post publish time for repost
  24. WordPress sites got auto upgraded [duplicate]
  25. How to turn off automatic updates of the WordPress core
  26. WordPress update fails with a “permission denied” error?
  27. How to trigger automatic plugin updates in WordPress 5.5
  28. Adding a banner to the install dialogue of a custom plugin
  29. Auto generate custom post title
  30. WordPress 3.3 auto update not working
  31. How to know current auto-update status of the WordPress core?
  32. Auto update error messages
  33. Allow auto-updates on a non-managed WordPress site?
  34. Will WordPress Auto Update work on a site with Basic Authentication enabled?
  35. WordPress site auto updates for no reason
  36. Are automatic background plugin updates for non-WP.org plugins possible?
  37. Auto Update fail time my external folder deleted
  38. Stop WordPress from auto updating
  39. How Do I Configure Automatic Updates in WordPress 3.7?
  40. Enable automatic plugin update for certain plugins [duplicate]
  41. Auto generate meta data value in post
  42. How to upgrade WordPress automatically?
  43. WordPress Automated Posts Creation
  44. How exactly do automatic updates work?
  45. How to update WordPress installed on IIS?
  46. Automatic updates in plugin – not hosted on wordpress repository
  47. WordPress updates defined vs add_filter?
  48. Disable WP core updates but send email notification
  49. Automatic Upgrade Filters in Multisite
  50. How long does it take for theme / plugin automatic updates to initiate?
  51. Making plugin unique to not conflict with plugins with the same name
  52. Why won’t my site automatically apply updates after upgrade to 3.7?
  53. Have WP Theme update from Git Repository
  54. How to update/auto-update my private plugin? [duplicate]
  55. I want to run different WordPress websites under the same database
  56. Why are the automatic updates to WordPress behind the version my site is on?
  57. Tablepress won’t update the table data [closed]
  58. What ALL can cause “Another update is currently in progress.”? [closed]
  59. Get data from dropdown and update page
  60. Avoid theme updates, just one theme
  61. Can I update themes without enabling maintenance mode?
  62. Can a manually uploaded plugin be made to track updates from the WordPress.org plugin directory?
  63. Updating Existed RocketTheme Theme on WordPress
  64. SELinux security vs WordPress updates
  65. Private Plugin Updates – Localhost
  66. WordPress 3.8.1 update error
  67. What file(s) in core control automatic background updates?
  68. Problem with automatic role change through cron job
  69. Group ownership permissions don’t allow web server to update WordPress content
  70. Theme Javascript.php Overwritten Nightly [closed]
  71. Upgrading problem
  72. Why does WordPress 4.1 have an auto-update entry in wp_options?
  73. I should enable automatic updates?
  74. Why my plugins are updating automatically?
  75. Can you refresh ONLY the wordpress adminbar and not the whole page?
  76. Where does WordPress get the theme name from to check for updates?
  77. How to execute plugin and theme updates from a web hook / endpoint?
  78. Wordpres core-update theme renames theme folder name
  79. How to allow WordPress updates to only one specific administrator?
  80. What request is WordPress sending on theme update?
  81. WordPress 4.4.2 Update not working
  82. EC2 WordPress install asks for connection info when auto-updating
  83. automated import from blogger
  84. Change modified date to current date when title updated automatically
  85. WordPress cannot auto update and cannot find .maintenance file
  86. is it right choose to connect database in template page directly in WordPress site?
  87. Update a previous version of plugin when the new plugin is built from the scratch
  88. Update (a function) post’s featured image as soon as $image_url changes
  89. Plugins download & install fine, wordpress update fails
  90. Where to add my code to auto attach images to existing products
  91. error_log() not working in add_filter auto update callback
  92. WordPress Auto Updates
  93. Custom theme and plugin updating
  94. To merge customized codes upon wordpress update
  95. Cannot Update wp DB – Get 500 Error
  96. Cannot update plugin
  97. Hook automatic_updates_complete to autoupdate plugin
  98. Can’t seem to disable Java Automatic Update
  99. Do plugin auto-updates also run for a lower version?
  100. Automated WordPress update failed to complete – but all updates fail with code -1

Leave a Comment