Turn off auto-updates?

Hi @abigailm,

I’m sorry to hear about the issue you’re having.

Yes, that FAQ explains that the plugin uses the WordPress plugin API. It provides full control over plugin updates.

It’s after 2 am here as well, and we’re working on fixing the issue. Please submit all support requests at the WP-SpamShield Support page. Thank you.

– Steven

Please note that the WP-SpamShield Support page is our main support venue, not the WordPress forums here, so that will always be the best way to get a quick response and resolve any tech support issues. Please direct any further support questions there.

A new version has been released with the fix. The issue affected Wordfence users. If you install version 1.9.9.8.3, you’ll be good to go.

Thank you, but your reply does not address my concern. I need to disable auto-updates for wp-spamshield.

I have suggested that you include a program setting to disable this auto-update, so I don’t have to stay up all night in order to test and address problems caused by a patch you decide to push out at 3:30 am.

You know… so I can do updates and testing on MY schedule.

(And yes, the new updated did cause problems on my site. Every time spamshield updates, the comment forms all generate a javascript/cookie error. That usually requires clearing all caches and disabling/reenabling the plugin to fix).

Hi @abigailm,

We have an FAQ that addresses auto-update…as you mentioned above, FAQ 16. The situation is not as simple as what you are asking. We already explain in the FAQ how to take full control of the update process.

Every time spamshield updates, the comment forms all generate a javascript/cookie error. That usually requires clearing all caches and disabling/reenabling the plugin to fix).

If that’s happening, then you may need to adjust your cache plugin’s settings, or there could be an issue with your cache plugin. That should not happen. The vast majority of users have no issue with this. If you are having consistent JavaScript and Cookie errors, then please review the Troubleshooting Guide as there are a number of easily fixable issues that could be causing this.

As noted above:

Please note that the WP-SpamShield Support page is our main support venue, not the WordPress forums here, so that will always be the best way to get a quick response and resolve any tech support issues. Please direct any further support questions there.

We’ll be happy to help you address your concerns, but we would ask that you address further questions to our main support venue, the WP-SpamShield Support Page. Thank you.

– Steven

I tried to go to your support page but it had a long complicated form to fill out and then did not let me submit the form — particularly inappropriate since I saw submitting a “suggestion” rather than a request for tech support.

I’ve disabled WP-Spamshield on the site that went down tonight and switched to a different anti-spam plugin for now.

Your troubleshooting guide says in bold print, “Very important: Caches should be cleared every time a plugin is updated, added, or removed from your WordPress site!”

So you KNOW that the cache needs to be cleared and you also KNOW that WP-Super Cache is not going to clear itself when a plugin updates. (Also on your site, “Some caching plugins don’t automatically update the cache when a new plugin is installed, and most don’t when plugins are updated.”)

All I want is for my plugins to let me decide when to update. I do keep plugins up to date, but I make sure that I do updates on plugins with the potential to impact site function at a time when I will be able to test the site after updates.

Whether or not there is a problem that is specific to my site configuration, I should have the ability to prevent any software from making automated changes if that is my preference.

I agree with the O/P and surprised that any plugin can auto-update – I was sure I had to do the updates. A bit worrying and perhaps we need to just know what plugins auto-update and which do not, I suppose?

Hi @abigailm,

I’m not sure how many ways there are to say this, but the WordPress support forums here are not the main support venue for the plugin. The support form has basic information that is necessary to help users fix their issues. It takes less time to fill out than to post here.

We can help you fix the issues on your site. I believe that you are mis-attributing the source of your site issues. This is based on our team doing tech support on literally tens of thousands of sites.

As mentioned, we’ll be happy to help you, but there is literally nothing we can do for you if you don’t follow our support process.

Suggestions are great, but when there is already a solution, that doesn’t help as it’s just reinventing the wheel. We are all about solving problems, so if you would like us to help you solve the problem, then please submit a support request at the WP-SpamShield Support Page. Thank you.

– Scott

Scott, as I noted above, I tried to submit a support request on your site at the link you provided and there was a long form to fill out, and after I filled it out and clicked “submit”, the form was rejected.

In any case, I am not seeking support, I am making a suggestion, and based on your response to this and other threads I prefer to keep my suggestion on an open forum where others can see it.

You do not have to reply to my remarks that follow — they are really meant for other support forum users to read.

You have created an excellent, powerful plugin but your use of forced auto-update- particularly without clearly documenting it and providing users with a means to opt-out in the setting menu – is in itself a serious security problem. Here’s an article that explains why – https://www.wordfence.com/blog/2016/11/hacking-27-web-via-wordpress-auto-update/ — but the events of last night are equally illustrative. You pushed out two updates that causes hundreds or maybe thousands of websites to go down. In the first case, the problem was a conflict with Wordfence, which is one of the most widely used WordPress security plugins, with well over a million installations.

The WordPress auto-update API for plugins is intended for critical security updates — it’s a logical way to quickly push out a patch for a newly discovered vulnerability. WordPress would allow you to configure the API to limit plugins to those situations.

But that is not how you are using it. You used it last night to push out a release with a very long list of changes and improvements:

= 1.9.9.8.2 =
*released 01/18/17*

* Added robust detection for over 90 web hosting services to further improve compatibility with various server setups and edge cases. We developed this functionality for our RS System Diagnostic plugin and imported it to WP-SpamShield.
* Added robust detection for web proxy/WAF/CDN services such as Cloudflare, Incapsula, and Sucuri CloudProxy. We developed this functionality for our RS System Diagnostic plugin and imported it to WP-SpamShield.
* Improved support for Varnish and other server-side caching systems.
* Added functionality to enforce existing [plugin Minimum Requirement #3](https://www.redsandmarketing.com/plugins/wp-spamshield/?wpss=requirements#wpss_requirements), “Your server must be configured to allow the use of an .htaccess file.” Accordingly, if a standalone Nginx server is detected, the plugin will deactivate. Standalone Nginx servers have never been supported by the plugin, and this has always been explained in the plugin Minimum Requirements, but unfortunately despite existing warnings in the admin, not everyone pays attention, and this became necessary.
* Made various code enhancements and improvements.
* Improved some filters in the anti-spam algorithm.
* Maintenance: Updated existing spam filters.

Auto-updating is potentially a valuable and convenient service for many unsophisticated users who have small sites and blogs and don’t want to be bothered with having to regularly update their sites on their own.

But for those of us who are more experienced and may manage multiple sites for different clients, perhaps dozens or even hundreds of sites — it is disastrous when a plugin causes multiple sites to go down at once. For live sites, many web designers prefer to test things out first in a development environment. Just reading through the changelog I quoted above suggests a dizzying array of things that could go wrong depending on a particular site configuration.

So while it is nice to offer auto-updates as a feature (as Wordfence does) — it is not helpful to build it into a plugin without providing prominent notice to users that the plugin is to configured to make changes to itself (and the site) at unpredictable times and intervals, or to provide a clear and prominent way to opt-out.

Forced automatic updating is a feature that requires a considerable amount of trust between end user and developer. Trust from the user that updates have been thoroughly tested in multiple environments, and trust as well that that the developer is honest and would not push out an update with malicious code or spam. (This has happened in the past with some WordPress plugins).

While I do trust your honesty and good faith – the events of last night are a breach of trust as to the quality of your programming and pre-testing. Basically you you pushed out software with serious bugs–and your fix was buggy as well.

So no, I don’t want forced background updates for your plugin; I want to be able to test first.

At this time I’m choosing to post my comment in this public forum because I believe that others who use the plugin have the right to understand and be aware of the problem. When you ask users to post private support requests via your site, that might be more convenient for you, but it also tends to bury the problem from public view.

When I discovered the problem last night, after fixing it on my own site I promptly came to this forum with the intent to report the bug, to alert others as well as you of the problem. I then saw that others had already posted.

You certainly deserve kudos for promptly fixing the problem you created.

But we users cannot assume that will be the case. One advantage of an open forum is that users can often help one another when a theme or plugin developer is not so quick to respond.

There is an other advantage of an open forum: when I am using a plugin or theme with a history of problems on updates, I typically will wait several days to upgrade and monitor support forums to ensure that the latest update is safe. Unfortunately your plugin now falls into that category (history uf buggy updates). If you discourage users from posting problems here, it just makes me more wary, as I feel I am then left on my own to thoroughly test each updates.

Hi @abigailm,

I’m not here to argue. However, I don’t appreciate being misrepresented, so I will clear up a few things.

Scott, as I noted above, I tried to submit a support request on your site at the link you provided and there was a long form to fill out, and after I filled it out and clicked “submit”, the form was rejected.

On the support form, the requirements for submitting a support form are clear, and users click a check box to show they understand this. If the requirements aren’t met, it will let you know. There are far more plugin users out there than there are of us, so it is fair to ask users to spend a few minutes of troubleshooting before submitting a support request. The only way we can provide free support is to do this. If it does not accept your for on the first try, it is nothing personal, and it is not arbitrary. You just need to spend a few minutes troubleshooting first. That is completely fair.

In any case, I am not seeking support, I am making a suggestion, and based on your response to this and other threads I prefer to keep my suggestion on an open forum where others can see it.

If you are asking for a change to the plugin, this is seeking support. You have posted on the support forum. It does not help development move forward if we can’t have a two way conversation.

…your use of forced auto-update- particularly without clearly documenting it and providing users with a means to opt-out in the setting menu – is in itself a serious security problem.

Contrary to what you have said, the plugin’s auto-update functionality is well-documented, and there already is a way to opt-out. This is explained fully in FAQ 16: Q: Can WP-SpamShield do Automatic Updates?

Calling it a “security problem” could not be further from the truth. Being that WP-SpamShield is an anti-spam and security plugin, just like an anti-virus, anti-malware or other security program on your computer, it is extremely important for us to do regular updates, so you may find that this plugin has more releases than some other plugins.

I think you may misunderstand the purpose and functionality of an anti-spam plugin…by nature, it has to be frequently updated, and auto-update is a necessity for this.

You call it a “security” issue, yet this plugin is one of the few major plugins that has never had a security vulnerability. You probably use quite a few on your site that have. Check them against wpvulndb.com and you might be surprised. We go over code with a fine tooth comb.

The auto-update feature was added as a result of many, many, many requests for it. By comparison, we do not receive many requests to remove it or disable it.

You pushed out two updates that causes hundreds or maybe thousands of websites to go down. In the first case, the problem was a conflict with Wordfence, which is one of the most widely used WordPress security plugins, with well over a million installations.

You overestimate the number of sites that had an issue. We received a total of less than 20 support requests today (including both our site and the forums here. There are almost 200,000 users of this plugin. That’s not to say that there wasn’t an issue, but it did not affect everyone. We fixed it within a couple hours.

That’s also ironic that you mention Wordfence…they’ve had a similar issue more than a few times, and the issues in that plugin did affect nearly everyone.

…the events of last night are a breach of trust as to the quality of your programming and pre-testing.

It’s easy to say things like that when you’re not the one developing the code. Again, this statement could not be further from the truth. We have an extensive pre-flight regimen. I guarantee you that we are tougher on our plugin in pre-flight than most plugin devs. However, we are humans. Plugins and code are developed by humans. Unfortunately despite the best of efforts, sometime things happen that we can’t foresee. It does not happen often with us.

Unfortunately your plugin now falls into that category (history uf buggy updates).

Because of one update? That is a bit unfair and inaccurate, don’t you think?

Normally, I would not spend this much time on a response, but I think given our track record of excellence and our high-level of support for the plugin, your comments were a bit unfair, and deserved a fair rebuttal.

If you have further issues with the plugin, your are free to contact us for support. We are always willing to help. We solve problems…that’s what we do.

– Scott

• This reply was modified 8 years, 1 month ago by redsand.

yet this plugin is one of the few major plugins that has never had a security vulnerability

It caused a very important web site that I manage to go offline last night, well past my working hours, and required me to essentially stay up all night to fix it, and then check all of the other sites I manage using your plugin. The pushing out of a fix 3 hours later only increased my workload, as I then had to redo the testing/checking of all sites. (And the first “fix” generated a bunch of error messages my logs, so my desire to check and verify all installations was obviously a legitimate concern)

Anything that can change my site configuration and bring down my site without my active involvement or approval is a security risk in my view.

I don’t care whether the problem is due to malicious intent or mere negligence, the result is the same: someone made a change to my web site without my knowledge, approval or permission, and it broke my site.

Because of one update?

No, I have had problems on sites due to the background updating of your plugin on multiple occasions on multiple sites because of the need to clear caches on update, something that you also have documented as necessary. Usually I find out when someone writes to me about a form not working.

Those weren’t bugs in your program, but caused me inconvenience in the same way.

Unfortunately despite the best of efforts, sometime things happen that we can’t foresee.

That is why it is inconsiderate and irresponsible to force automated updates on users who haven’t opted into that service.

That’s also ironic that you mention Wordfence…they’ve had a similar issue more than a few times, and the issues in that plugin did affect nearly everyone.

Wordfence has automatic updates as an option that can be toggled on and off by the user. It is an option listed near the very top of their options menu, and they also provide the option to email the site owner every time there has been an automatic update.

I was offering you the helpful suggestion that you could code something similar. Instead I just get an argument. (I think that most developers would have simply politely acknowledged the suggestion, whether or not they intended to implement it.)

Again, no need to respond. Your refusal to acknowledge the concern I expressed in my feature request (which is not the same as a “support request”) has told what I need to know for the future.

Hi @abigailm,

To be clear, we never dismiss a user’s concern. Your concerns always reach our ears, and we take that seriously. I understand the frustration it causes. If I gave you the impression that I was dismissing your concerns, then I apologize because I have not communicated clearly. I hope you would see that we bend over backwards to help our plugin users.

I did not say that we will never add the feature you ask. We just don’t do it lightly and we can’t make that decision quickly. Every feature addition/deletion is a decision made based on research, data, and weighing pros/cons for the entire body of plugin users.

I was pointing out that there is already a solution to your concern, and it’s in our documentation. Before adding a new feature, we want to help users resolve any current issues first.

That’s why you may not realize it, but it’s still a support issue. For example:

No, I have had problems on sites due to the background updating of your plugin on multiple occasions on multiple sites because of the need to clear caches on update, something that you also have documented as necessary. Usually I find out when someone writes to me about a form not working.

That’s not a common issue. Under normal use and proper (even default) configuration, you shouldn’t have to experience any issues like this. We’d have people at our front door with proverbial pitchforks if that was a common issue. That’s a matter of configuration, and we can help users fix issues like that. As you mentioned, yes we do say in the Troubleshooting Guide that caches should be updated when changes are made to a site.

That is there to make sure that all potential issues are eliminated during Troubleshooting. It’s probably overstated a bit, but with proper cache configuration, it doesn’t need to be done manually. We use WP Super Cache on a high percentage of the sites we manage (including our own), and it never has issues. Proxy/WAF/CDN services like Cloudflare need proper configuration as well. That’s why we want to help you resolve existing support issues on your site before moving forward with feature requests.

Anyway, if you ever change your mind, we’ll be happy to help. Take care and best of luck. ??

– Scott

Thank you, but now we are just going around in circles.

I wrote in the first line of my opening post that it was a “Feature Request” and I specifically stated that I had found the information in your Troubleshooting Guide suggesting installation of a third party plugin to control auto-updating (Easy Updates Manager.)

So I already knew what your solution is. I just don’t think it is a satisfactory solution because I don’t want to be installing new plugins to fix problems caused by other plugins.

Obviously you think it is acceptable, so there is no point in debating. It is your plugin, you can do what you want with it.

It’s just that it makes extra work for me because I have multiple sites to worry about. I can’t accept your reassurances that it really isn’t necessary to test the site after update because last night it produced such a critical error.

So right now now even though your plugin does good things, I think it is more trouble than it is worth for me to use it … so I will look for a different solution.

Hi @abigailm,

No worries. We understand. Know that if you ever do change your mind, we’re happy to help. Take care. ??

– Steven

Update: Version 1.9.9.8.6 has been released. Issues affecting a small subset of 1.9.9.8.5 users have been resolved. An option to disable auto-updates has been added to the settings page, along with an advanced option to force-disable automatic updates and remove the option from the settings page. (This would be useful for multisite admins.) To disable auto-updates in the settings page, just uncheck the box for “Enable Automatic Updates” and click “Save Changes”. To use the advanced option, add the following code to the wp-config.php file (before it says to stop editing):

define( 'WPSS_AUTOUP_DISABLE', TRUE );

That should make everyone happy. ??

– Scott

Thank you for adding my suggested option to disable auto-updates to version 1.9.9.8.6.

I have upgraded to that version on one of my lower traffic sites, and so far have not seen any problems or errors. I’d note that the installation appears to be running in “compatibility” mode even though I have done nothing to select or enable that mode. I don’t know if that is intended behavior of the upgrade or not — I have no problem with it, just reporting it in case it is significant.

I do believe that from a design and usability perspective, it would be better if the auto-update option were more prominent. I would suggest that it be the very first option at the top of the settings page, rather than the at the bottom of a long list. This isn’t important for me personally, as I am now acutely aware of all configuration options, but it would be a courtesy to new users, given the inherent problems that unanticipated auto-upgrades can cause on a site.

Again, thank you for heeding my suggestion…. the check box in the settings page is exactly what I wanted to see and resolves my concerns and frustrations.

Though in the future, I would also suggest that when someone uses these forums to make a suggestion, that the socially & professionally appropriate response would be, “thank you for your suggestion; we will take that under consideration”. That is so much more efficient than engaging in an extended debate with the user or chastising the person for making the suggestion in this forum. It would save a lot of time and energy on your end, and be far less frustrating to the person who has offered up the request or suggestion, whether the suggestion is useful or feasible or not.