By now, you may have heard of (or even experienced the consequences of) the botched CrowdStrike software update that led to a “Blue Screen of Death” (BSOD) for many Microsoft Windows computer systems. According to Ars Technica, the problem was triggered by a buggy .sys file installed as part of a CrowdStrike Falcon security software update. Falcon is cybersecurity software used by many Fortune 500 corporations.
For Windows systems configured to perform automatic software updates, the faulty CrowdStrike Falcon update was installed overnight on July 19, 2024. Since the bug caused a BSOD, the fix CrowdStrike issued later in the day was difficult to install: systems would crash before the fix could be downloaded. Often, 15 or more reboots were needed, or the fix had to be loaded locally from a USB drive. If your Windows system was configured to use Microsoft’s BitLocker drive encryption, you were in for even more frustration.
This raises the question: are automatic updates your “friend” or your “foe”?
Benefits of Automatic Updates
As humans, we tend to avoid repetitive and tedious tasks like updating software as much as possible. It’s just not “interesting”. Automatic software updates lift the burden of performing that repetitive and tedious task manually.
Additionally, software updates that contain fixes for security vulnerabilities typically benefit from being installed as quickly as possible. This minimizes the length of time that systems are vulnerable to hackers. For customers needing or desiring high security such as governments, financial institutions, and large corporations, that can be an overriding concern.
Risks of Automatic Updates
The other side of the coin is that automatically installing unproven software updates can lead to scenarios such as what just happened with CrowdStrike. If the bug is serious enough, the consequences in our computer-dependent society can be extraordinarily severe. This risk is often highest for “major” upgrades, where extensive changes are made to the software in question.
In many cases, excepting situations where system security is paramount, the smart course of action is to wait for a few days until the first “bug fix” is released. At that point, the “early adopters” have identified most of the critical or serious bugs in the update and the vendor has released fixes.
Most modern software depends on some other piece of software. In the case of web applications such as WordPress, that dependency could be on a “scripting language” such as PHP. Consider a situation where you have a WordPress installation with several plugins and a theme that runs perfectly fine on PHP v7.4. PHP v7.4 ceased being supported on 28 November 2022 (i.e., the PHP developers no longer release any updates, security or otherwise, for v7.4 after that date). If the developer of one of your installed plugins releases an update that removes support for PHP v7.4, your website probably goes down, because the newly updated plugin no longer runs on PHP v7.4.
Auto Updates and WordPress
Automatic updates and WordPress present additional concerns. While WordPress itself is maintained by a group of professionals, such is not always the case with plugins and themes (especially those that are “free” and with no “paid” version to generate income for the developer). Less experienced developers can’t always be counted on to fully and extensively test new versions of their plugin and/or theme. Bugs happen, even for software developed by professionals.
WordPress v6.6
WordPress v6.6 (released on July 16, 2024) contains a new feature allowing for a “roll-back” of automatically installed updates. In WordPress v6.6, a failed plugin auto-update is rolled back to the previous plugin version, ensuring continuity with your site until you can diagnose and fix the issue. Under the assumption that this feature is robust and works as designed, this would go a long way towards ameliorating many of the risks of using the WordPress auto-update functionality.
Our Approach
Cardinal Acres Web Development takes the position that automatic updates are typically not beneficial (although that may have changed with WordPress v6.6). For our clients with website service agreements, we always turn off automatic updates (for WordPress core, plugins, and themes) and instead do a pre-update check of each WordPress core, plugin, and theme update. While we don’t pretend to do a comprehensive check of every aspect of site functionality, our pre-update check does prevent most major site disruptions. Additionally, waiting for a “point release” after major updates (especially for WordPress core) allows developers to fix most issues. Most end-users don’t want to be volunteer “beta testers” for major software updates…
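The two halves of that approach, turning the automatic updater off and doing a pre-update check, written as a WordPress must-use plugin. This is an added example, not Cardinal Acres’ own tooling: it disables auto-updates for core, plugins, and themes, then compares each pending plugin update’s declared PHP and WordPress minimums (the requires_php and requires fields WordPress keeps in the update_plugins transient) against what the site actually runs, which is exactly the “plugin drops PHP v7.4 support” case above. The cawd_ function names are invented for the example; install the file as wp-content/mu-plugins/update-policy.php.

```php
<?php
/**
 * Plugin Name: Update Policy (added example)
 * Description: Disables WordPress auto-updates and flags pending plugin updates
 *              whose declared PHP/WordPress requirements this server cannot meet.
 */
// The conservative policy from the article: nothing is installed unattended.
add_filter( 'automatic_updater_disabled', '__return_true' ); // same effect as AUTOMATIC_UPDATER_DISABLED
add_filter( 'auto_update_core',   '__return_false' );
add_filter( 'auto_update_plugin', '__return_false' );
add_filter( 'auto_update_theme',  '__return_false' );

// Pre-update check for one pending update: $item is the object WordPress keeps in the
// update_plugins transient; requires_php / requires are the plugin's declared minimums.
// Returns human-readable problems; an empty array means the update looks installable.
function cawd_update_problems( $item ) {
    $problems = array();
    $req_php  = isset( $item->requires_php ) ? (string) $item->requires_php : '';
    $req_wp   = isset( $item->requires ) ? (string) $item->requires : '';
    $wp_ver   = get_bloginfo( 'version' );
    if ( '' !== $req_php && version_compare( PHP_VERSION, $req_php, '<' ) ) {
        $problems[] = sprintf( 'needs PHP %s, server runs %s', $req_php, PHP_VERSION );
    }
    if ( '' !== $req_wp && version_compare( $wp_ver, $req_wp, '<' ) ) {
        $problems[] = sprintf( 'needs WordPress %s, site runs %s', $req_wp, $wp_ver );
    }
    return $problems;
}

// Walk every pending plugin update and keep the ones that would break the site.
function cawd_incompatible_plugin_updates() {
    $report  = array();
    $updates = get_site_transient( 'update_plugins' );
    $pending = empty( $updates->response ) ? array() : $updates->response;
    foreach ( $pending as $file => $item ) {
        $problems = cawd_update_problems( $item );
        if ( $problems ) {
            $report[ $file ] = $problems;
        }
    }
    return $report;
}
// Surface the findings in wp-admin so the check happens before anyone clicks "Update".
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'update_plugins' ) ) { return; }
    foreach ( cawd_incompatible_plugin_updates() as $file => $problems ) {
        printf( '<div class="notice notice-warning"><p>%s: %s</p></div>',
            esc_html( $file ), esc_html( implode( '; ', $problems ) ) );
    }
} );
```

Plugins that do not declare a minimum PHP or WordPress version produce no warning, so the notice is a floor for the manual check, not a replacement for it.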
If your small business or non-profit organization would like managed updates to your WordPress-based site, contact us to discuss your options.