Jetpack receives a forced update

ByDavid Bisset Posted onJune 4, 2021September 7, 2021 Updated onSeptember 7, 2021

Jetpack patched an exploitable vulnerability in their Carousel feature this week. The patch was delivered through a “forced update.” For some people, it happened overnight. Even WordPress websites that had specifically turned off auto-updates received the update.

Tony Perez took a deeper dive into what happened and shared the community feedback he received:

The Meta/Security team with the WordPress Foundation made the decision to push the update — not Automattic or Jetpack.
It’s important to differentiate between Auto-updates and Forced Updates. WordPress 5.5 introduced auto-updates, but forced updates are different. They have always been in the WordPress platform for emergencies.

John Jacoby on Twitter firmly stated that “Jetpack did not disobey user settings. It cannot and did not update or heal itself.”

I agree with Tony: forced updates are “especially dangerous when put into the hands of a bad actor.” But perhaps for now, the risks are outweighed by the benefits. Either way, if documentation or explanations about “Forced Updates” exist on the official WordPress.org site, I haven’t seen them. This seems like an important thing to explain well for the community.

Hosting

Plugin repo and frameworks

ByBrian Krogsgard March 1, 2016March 1, 2016

There’s a newly clarified policy on Make Plugins from Mika Epstein where she says that developer frameworks are no longer going to be approved for the plugin repo. Plugins like CMB2, Advanced Custom Fields and others that may be dependencies of other plugins, and are not feature plugins of their own, would theoretically not be allowed. However,…

Business | Design | Planet | Post Status Podcasts | The Excerpt

Post Status Excerpt (No. 48) — Running a WordPress Business

ByDavid Bisset February 28, 2022May 10, 2022

When — and what — should you outsource to SaaS and open source? Learn this an more from Dave Rodenbaugh, founder of Recapture.io.

Development

Properly using wp_reset_postdata(), wp_reset_query() and variable naming in queries

ByBrian Krogsgard July 3, 2013April 30, 2014

Understanding how to alter the main query and how to create custom queries in WordPress are two essentials for WordPress developers. You should familiarize yourself with a few things right away: What is the WP_Query class, including creating new custom queries for secondary loops Never use query_posts() Alter queries with the pre_get_posts hook You also…

Security

Licensing matters

ByBrian Krogsgard January 28, 2015

There’s a popular WordPress vulnerability scanner called WPScan. To validate its popularity: it has over 1,800 commits, 750 stars, and 165 forks on Github. The scanner is used by a lot of security folks, as well as other service and product vendors. The plugin has historically been split license, sort-of, between GPL and some kind…

Draft | Planet | Post Status Podcasts

What is a WordPress theme anyway? — Draft podcast

ByKatie Richards September 19, 2016April 22, 2021

In this episode, Joe and Brian discuss WordPress themes, the functionality people put into them, and the challenges that face the WordPress ecosystem with the current state of theming.

Design | WordPress News

ThemeForest authors can now ditch support for Internet Explorer 8

ByBrian Krogsgard November 25, 2013January 31, 2015

ThemeForest announced that authors can opt not to support Internet Explorer 8, citing the widespread adoption of Windows 8 and jQuery 2.0 dropping support for the old browser. We’re finally entering an era of only modern web browsers.

Share this:

Similar Posts

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Post Status is proudly supported by great partners