WordPress Security Team Discusses Backporting Security Releases to Fewer Versions – WordPress Tavern

July 31, 2019
in WP Tavern

The WordPress Security Team is exploring different approaches to backporting security fixes to older versions of the software. The effort that goes into supporting versions back to 3.7 (the release that introduced automatic background updates) increases with each major version released.

“For the Core Security team, that means when security updates need to be released, we have to take the testing and release process not just to the current version of WordPress, but we have to test the changes, create code patches, and then release to every major version all the way back to 3.7,” security team lead Jake Spurlock said. “With 5.3 around the corner that puts us at over fifteen major versions of WordPress to support long term.”

Spurlock said 3.7 represents 0.1% of all WordPress sites but noted that supporting older versions requires “a large amount of time and energy and hurts the team’s ability to work effectively.”

When asked how much of a time investment is involved, Spurlock said it varies depending on how many tickets/issues have to be ported. All patches are reviewed, tested, and committed by several team members. There are approximately 50 security experts on the team, many of whom are employed by Automattic, although some are volunteers.

“The problem with developing security releases for older versions of WordPress lies in the amount of testing and then reengineering that is specific to each older version of WordPress,” Spurlock said. “As an example, WordPress 4.2 received a fairly large refactor, and so taking a fix back before that time means extra testing, and ensuring that paths work for patches and more. Getting the testing suite to work on older versions has been difficult too with the code changes that accompany each version.”

Spurlock called for feedback and ideas on how the security team can support fewer versions of WordPress while keeping users secure. An active discussion is underway and opinions range from enthusiastic support for the idea to opposition.

Some who weighed in prefer to focus on urging users to update via emails to admins on older installs and/or a “please upgrade” widget ported back to older versions. As big version jumps can be intimidating for users, some recommended WordPress provide better ways to do incremental updates from older versions to the next most recent.

“If the goal is to keep WordPress users secure against hackers and other rogue agents, you should continue supporting older versions with security releases,” WordPress core contributor Rami Yushuvaev said.

“WordPress 3.7 represents 0.1% of all WordPress sites but WordPress 3.0 – 3.6 represents 1.6% of all WordPress sites. You don’t want to increase the number of sites using un-secure versions. With the current policy, ‘old version’ is not the same as ‘un-secure version.’

“I think you should educate users to use updated software, not to stop releasing security releases for older versions.”

Several commenters are in favor of limiting backporting of security fixes to a set number of versions, as outlined by former WordPress security lead Aaron Campbell:

I like the idea of supporting X versions back. That allows users to know that they don’t have to update to the latest version no matter what our release cycles are, and also makes sure we can eventually hone in on how many versions are actually tenable to support.

Supporting X years back would allow users to know they can avoid upgrading for a certain amount of time, but it would also mean that the security team wouldn’t always be supporting the same number of versions and if a release ever took longer than our supported time then all users would be expected to upgrade to the latest version (exceptions could always be made, but it’s harder to rely on those).
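As an added example (not code from WP Tavern or from the WordPress project), the following Python script applies the “X versions back” window Campbell describes to a small inventory of sites. The branch list and the sample inventory are constructed for illustration; the only WordPress-specific fact it relies on is that `wp-includes/version.php` declares the running version as `$wp_version = '...';`. The point worth noticing is that WordPress “major” versions are the `X.Y` branches and 4.9 was followed by 5.0, so the window has to be computed over an ordered list of branches rather than by subtracting from a number.

```python
"""Apply an "N major versions back" support window to WordPress sites.

Added example; not WordPress project code. The branch list and the sample
inventory below are constructed for illustration.
"""
from __future__ import annotations

import re

# Constructed list of WordPress major branches from 3.7 (the first release
# with automatic background updates) through 5.3, in release order.
# WordPress major versions are the first two components and 4.9 was followed
# by 5.0, so the window is computed over an ordered list, not by arithmetic.
BRANCHES = [
    "3.7", "3.8", "3.9",
    "4.0", "4.1", "4.2", "4.3", "4.4", "4.5", "4.6", "4.7", "4.8", "4.9",
    "5.0", "5.1", "5.2", "5.3",
]

# Full versions look like "5.2.3", "4.9" or "5.3-RC1"; the branch is X.Y.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.\d+)?(?:-[A-Za-z0-9.]+)?$")

# wp-includes/version.php declares the running version as $wp_version = '...';
_WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def version_from_php(source: str) -> str:
    """Extract the version string from the text of wp-includes/version.php."""
    m = _WP_VERSION_RE.search(source)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def branch_of(version: str) -> str:
    """Map a full version such as '5.2.3' or '5.3-RC1' to its X.Y branch."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised WordPress version: {version!r}")
    return f"{int(m.group(1))}.{int(m.group(2))}"


def supported_branches(current: str, versions_back: int,
                       branches: list[str] = BRANCHES) -> list[str]:
    """Branches inside the window: `current` plus the `versions_back` before it."""
    if versions_back < 0:
        raise ValueError("versions_back must be non-negative")
    idx = branches.index(branch_of(current))
    return branches[max(0, idx - versions_back): idx + 1]


def is_supported(site_version: str, current: str, versions_back: int,
                 branches: list[str] = BRANCHES) -> bool:
    """True if the site's branch would still receive backported security fixes.

    A branch outside the tracked list (3.6 and earlier here) is never in window.
    """
    return branch_of(site_version) in supported_branches(current, versions_back, branches)


def audit(inventory: dict[str, str], current: str, versions_back: int) -> dict[str, bool]:
    """Map each host to whether its running version is inside the support window."""
    return {host: is_supported(ver, current, versions_back) for host, ver in inventory.items()}


# Constructed sample inventory: host -> abridged contents of its wp-includes/version.php.
SAMPLE_INVENTORY = {
    "blog.example": "<?php\n$wp_version = '5.2.3';\n",
    "shop.example": "<?php\n$wp_version = '4.7.15';\n",
    "legacy.example": "<?php\n$wp_version = '3.6.1';\n",
}


def sample_audit(current: str = "5.3", versions_back: int = 3) -> dict[str, bool]:
    """Run the audit over the constructed inventory with a three-versions-back window."""
    versions = {host: version_from_php(src) for host, src in SAMPLE_INVENTORY.items()}
    return audit(versions, current, versions_back)


if __name__ == "__main__":
    for host, ok in sample_audit().items():
        print(f"{host}: {'in window' if ok else 'NEEDS UPGRADE'}")
```

With `current="5.3"` and `versions_back=3` the window is 5.0 through 5.3, so the 5.2.3 site passes while the 4.7 and 3.6 sites are flagged; an “X years back” policy would need release dates per branch instead of the position in this list, which is exactly the moving target Campbell points out.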

Stephen Edgar, one of the maintainers of WordPress’ build tools component, suggested implementing automatic major version upgrades to keep moving users forward to supported versions in waves.

“Maybe continue to ship them until ‘major’ updates are implemented,” Edgar said. “The current thinking is to add major updates to 3.7 first, bumping 3.7 to 3.8 via automatic updates. Once that’s completed then security updates would no longer be backported to the 3.7 branch.

“And similarly, once 3.8 major updates are implemented, i.e. 3.8 gets bumped to x.x then again, backports to 3.8 would cease at the same time and so forth through the branches.”

Edgar also noted that providing users a way to opt into automatic updates for major core releases is one of the nine projects that Matt Mullenweg had identified for working on in 2019.

Several other commenters said they would like to see WordPress implement semantic versioning and adopt a long-term support (LTS) policy. WordPress would then clearly communicate the number of years those versions would be supported. Older sites could then be auto-updated to the LTS version.

No decision has been made on the ideas proposed and the discussion is still ongoing. If you have experience maintaining older sites or have input on how WordPress can best keep users secure while decreasing the work load, leave a comment on the Make WordPress Core post.