Warning: WordPress 4.9.6 Really is a Major Update

We are days away from 4.9.6. This is no minor release. If releasing Gutenberg, the new website editor, is a statement for WordPress version 5.0, this next update is for GDPR and really should be using a different version number such as 4.10… even if WordPress never went past “.9” in previous versions.

 

Why does this matter?

Let’s go back a couple of years to the release of WordPress 3.7 (code name “Basie”). WordPress introduced this “update while you sleep” functionality where “you don’t have to lift a finger to apply maintenance and security updates”. Their point was that too many websites weren’t being updated when a security update became available and, as the most used software on the web, they wanted a way to handle this issue. It was a responsible move to provide a safer web for everyone. Minor issues happened throughout this process over the years, but in our opinion, it has done a lot more good than bad.

How does it work? Well, when the third digit (also known as “sequence”) of the version number changes, this automatically triggers an update on your website and is considered a minor update. In other words, you have to manually update your website from 4.8 to 4.9 but the updates would automatically be performed from 4.9.1 to 4.9.2.

According to WordPress’ website, “minor WordPress version is dictated by the third sequence. Version 3.9.1 is a minor release. So is 3.8.2. A minor release is intended for bugfixes and enhancements that do not add new deployed files and are at the discretion of the release lead with suggestions/input from component maintainers and committers.”

 

Here comes GDPR

Maybe you know, maybe you don’t (where were you?): the General Data Protection Regulation (GDPR) becomes enforceable on May 25th, 2018. This legislation mainly addresses privacy and data protection for all individuals within the European Union.

For some weird reason, the WordPress team decided this should be part of WordPress’ core. We believe it should be a plugin.

Yes, millions of sites will be affected by this new regulation… but should the global WordPress ecosystem be impacted by something that emanates solely from Europe or any other specific country or region on the planet? What makes GDPR more important than SPAM filtering, SEO, multilingualism or any other topics which affect a much higher percentage of websites than this new EU directive?

If you’re using WordPress in a local or development environment, if you’re not interacting with anyone from Europe, and if you’re NOT collecting any data, you should not have to care about GDPR.

It would seem that WordPress core developers think otherwise, for reasons unknown.

 

Gutenberg in version 5.0

Now that you know how the WordPress versioning works, you also know that version 4.9 is no more or less important than version 5.0. Major versions are defined by the first two digits. But in the software world, changing the first digit is typically a statement that this should be a big release.

But from the version numbering page:

For example, 3.5 is a major release. So is 3.6, 3.7, all the way up to 4.0. Version 4.0 is no different than 3.9 and 4.1. There isn’t a “WordPress 3” or “WordPress 4” – we’re weird like that for historical reasons.

So for some weird reason (once again), it seems that the controversial new editor Gutenberg will be released in version 5.0. As the latest major release of WordPress was 4.9, it seems there is no room for GDPR between 4.9 and 5.0. But we totally disagree. If they want to use version 5.0 for a big release, despite what is said on the version numbering page, they should use version 4.10 and not 4.9.6, no?

 

4.9.6 is just wrong

Let us be very clear here: the release of 4.9.6 is just wrong.

As said before, it does not respect the definition of a minor update. More than that, we feel developers played the system. While it’s true that no files were added to the release… the purpose of some files is not the same anymore. For instance, the file privacy.php in the wp-admin folder went from being a file that displays text and had 42 lines to a file that is now a form with 227 lines.

Everything related to GDPR should be, in our opinion, in a plugin and not in the core. That said, we understand that this can be related to an ideology that might not be shared by everybody.

And what about the translations? Our co-founder Jean-François Arseneault is part of the translations team for the fr-CA locale and he noticed that there were more than 200 translations to perform for this “minor” release, and not simple/quick translations either. As GDPR is related to a law, shouldn’t these translations be performed by legal staff and not by volunteers, as well-intended as they may be?

 

What others think

It would seem we’re not alone in thinking that way… after we shared our thoughts on Twitter about 4.9.6, we noticed many people feeling the same way:

Dev Chat Summary: May 2nd (4.9.6 week 5)

 

What’s next?

Releasing a major update as a minor update will trigger automatic updates on millions of websites. Who knows if this will break your site or not? Automated updates were introduced to fix problems… not to add new functionality. For that reason, the automatic update system cannot be trusted anymore.

Unless WordPress steers away from this practice in the future and sticks to their own self-imposed rules, we would recommend that you disable automatic updates on your WordPress site and take matters into your own hands by manually performing updates, once you’ve had a chance to test new features on a test copy of your site. This is not fun news since we really loved this feature. It serves an important purpose by ensuring everyone’s safety. But as it stands, it’s now introducing new risks.

To disable automatic core updates on your website, as per the WordPress Codex instructions, you must add this line in your wp-config.php file:

define( 'WP_AUTO_UPDATE_CORE', false );
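
The rule described earlier (third sequence means automatic, second sequence means manual) and the effect of this constant can be modelled in a few lines. This is an added example, not WordPress code: the function names are hypothetical, the version pairs are constructed, and it goes slightly beyond the text by covering the three values the constant accepts (true, false, 'minor').

```python
# Added example: simplified model of WordPress's core auto-update decision.
# Function names are hypothetical; version pairs below are constructed samples.
import re

def _seqs(version):
    """Numeric sequences of a version string: '4.9.6' -> [4, 9, 6]."""
    return [int(p) for p in re.split(r"[.-]", version) if p.isdigit()]

def branch(version):
    """First two sequences identify the release branch: '4.9.6' -> (4, 9)."""
    return tuple((_seqs(version) + [0, 0])[:2])

def classify(installed, offered):
    """Return 'none', 'minor' or 'major' under WordPress's numbering scheme."""
    pad = lambda v: tuple(_seqs(v) + [0] * (3 - len(_seqs(v))))
    if pad(offered) <= pad(installed):
        return "none"                      # nothing newer is on offer
    if branch(offered) == branch(installed):
        return "minor"                     # only the third sequence moved
    return "major"                         # first or second sequence moved

def auto_applies(installed, offered, wp_auto_update_core="minor"):
    """Would the background updater install `offered` unattended?

    wp_auto_update_core mirrors the wp-config.php constant:
    True (all core updates), False (none) or 'minor' (the default).
    """
    kind = classify(installed, offered)
    if kind == "none" or wp_auto_update_core is False:
        return False
    if wp_auto_update_core is True:
        return True
    return kind == "minor"

def report(pairs, setting="minor"):
    """One (installed, offered, kind, unattended?) row per version pair."""
    return [(a, b, classify(a, b), auto_applies(a, b, setting)) for a, b in pairs]

# Constructed version pairs; 4.10 and 4.9.7 are hypothetical release numbers.
SAMPLES = [("4.8", "4.9"), ("4.9.5", "4.9.6"), ("4.9.5", "4.10"),
           ("4.9.6", "4.9.7"), ("4.9.6", "5.0")]

if __name__ == "__main__":
    for setting in ("minor", False):
        print(f"WP_AUTO_UPDATE_CORE = {setting!r}")
        for row in report(SAMPLES, setting):
            print("  %-6s -> %-6s %-5s unattended=%s" % row)
```

With the constant set to false, a later maintenance or security release on the same branch is held back as well, so someone has to watch for new releases and apply them by hand.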

 

Update: It is also good to know that some web hosts, like SiteGround, automatically trigger core updates. You might have to check and/or contact them to validate if more actions are required on your end to fully disable automatic updates.

If you have a Maintenance Plan with SatelliteWP, we’ve already deactivated automatic updates on your WordPress site so that from this point on we can manage minor updates the same way we’re already handling major updates. If you don’t have a Maintenance Plan and would like us to take care of your WordPress site, visit our maintenance plans page or contact us for more information.

Warning: WordPress 4.9.6 Really is a Major Update was last modified on May 15th, 2018 by Maxime Jobin.

About Maxime Jobin

Maxime Jobin is the Co-Founder of SatelliteWP. Automation and performance are his professional passions. He loves to share his expertise and experiences in order to pass on his knowledge so that others may avoid making mistakes in the first place. Revolving around the spheres of efficiency and ROI, he's an expert in the analysis and development of IT solutions.

15 Comments

  1. Stéphane Najman on 15 May 2018 at 14h18

    Hi Maxime,

    Interesting post!

    FYI, concerning auto-updates with Siteground, I spoke to them and there is no way to disable their auto-update, just to defer it for a maximum of 72 hours. But before each update, a back-up is made.

    • Guillaume on 22 May 2018 at 08h33

      @Stéphane

      Actually, if you open a support ticket with them, they will actually disable it. We did it for lots of our clients.

      By the way, they will kind of push back a bit, but it’s just a way for them to make sure the person making the request knows what he/she’s doing.

  2. Interwebs on 15 May 2018 at 14h25

    > Everything related to GDPR should be, in our opinion, in a plugin and not into the core.

    Very true.

  3. Vaughan on 15 May 2018 at 21h26

    For some weird reason, the WordPress team decided this should be part of WordPress’ core. We believe it should be a plugin.

    Yes, millions of sites will be affected by this new regulation… but should the global WordPress ecosystem be impacted by something that emanates solely from Europe or any other specific country or region on the planet? What makes GDPR more important than SPAM filtering, SEO, multilingualism or any other topics which affect a much higher percentage of websites than this new EU directive?

    Disagree. You obviously do not understand the requirements of GDPR. And if you think only EU people are affected by it, you’re definitely not understanding it.

    GDPR is more important because of its requirements, and implications of non-compliance. can cost you millions. That means WordPress has a duty to provide users with GDPR compliance & the necessary functions in order to comply with it. You may think it doesn’t affect you as you’re in USA or whatever country outside of EU, but you’re wrong. If you run a business that deals with any EU customers, or clients, then you will need to comply, otherwise, well, the whole of the EU is gonna stop dealing with you, and if you want to do business with EU, then, well you have to be compliant. Likewise, for WordPress, it becomes necessary & important if WordPress wants people from the EU to use WordPress in future.

    • Maxime Jobin on 16 May 2018 at 09h46

      > You obviously do not understand the requirements of GDPR.

      I do. That is why I wrote this phrase using 3 examples: “If you’re using WordPress in a local or development environment, if you’re not interacting with anyone from Europe, and if you’re NOT collecting any data, you should not have to care about GDPR.” I could also add that if you are using WordPress as a web application framework, GDPR is still irrelevant in many cases.

      > GDPR is more important because of its requirements, and implications of non-compliance. can cost you millions.

      I honestly don’t think a worldwide used CMS should add GDPR to its core for that reason. I have laws in my country that would benefit me if they were in the core. That said, I don’t think it would make sense to be in it for the whole community. A plugin would have done the same job. It is up to you and other businesses that are impacted to take required action. It is not WordPress’ role in my opinion.

      > You may think it doesn’t affect you as you’re in USA or whatever country outside of EU, but you’re wrong.

      I never said that and don’t think that.

      Thank you for sharing your thoughts. I do not agree with you but I’m happy you took time to respond to my post.

      • Sebastian on 18 May 2018 at 15h17

        … yet another guy from Europe who feels the need to point out that you are wrong about GDPR in the core.

        I am totally with you about the stupidity of putting the updates in 4.9.6 – WordPress should follow https://semver.org/ and just call it 4.10.0 – but it has a history of not following semver

        But the GDPR thing.
        That is huge!
        And we need some clear fundament to handle private data in the core! Plugins need to have easy APIs to help handle information.
        There need to be mechanisms to handle the processing of delivering and deleting/anonymizing data with little effort.

        Some pages don’t need multi user management. Some pages don’t need comments (most of the sites I have built don’t use comments) etc.
        Yes, there is always overhead in the core. That is the byproduct of using a system like WP.

        It might be, that the core developers should solve the GDPR support in other ways – but: it needs to be part of the core.
        Clear APIs that all plugins can use.
        It needs to be as easy as enqueue assets or scale images, otherwise it won’t be used broadly enough and too many plugins will fuck up the whole system.
        This needs to be easy.

    • Bobby on 18 May 2018 at 00h31

      Actually, my company will be re-routing all EU users. We are going to stop dealing with them. We are a mid-sized publisher based in the US and have no hesitation to stop providing our content and services for free, the same as users of ad-blocking tech. Further, the risk of liability far exceeds the reward from the traffic. Further, we are moving away from WordPress as a whole, this is great motivation.

      Happy 302

      • Andi on 19 May 2018 at 06h35

        That is good reaction as already many resources in EU warn to use US resources or companies based in the US since the Cloud Act passed the Senate, which violates the GDPR!

        https://www.computerwoche.de/a/in-der-wolke-ist-die-freiheit-nicht-grenzenfrei,3544860

        https://schutt-waetke.de/2018/04/cloud-act-usa-blaest-zum-angriff-auf-eu-daten/

        and there are many more. The risk to get an “Abmahnung” if you are a company based in the US or using resources and services based in the US is simply much too big. We relocated all our Data meanwhile to EU Data centers and serve scripts we served before from US servers locally. A solution how to avoid to face juristical problems is what Microsoft did. They simply outsourced the job to the German Telecom and are therefore no more the Data Provider and Data Processor at all. If now the US government wants to get access to the Data stored for Microsoft with German Telekom they would have no way to get it!

        Privacy is very important and should also be dealt as this and since Snowden we all know what Privacy means in the US – It is similar to a Glass house.

  4. David Anderson on 16 May 2018 at 20h30

    Is 4.9.6 being pushed as an automatic update? On my understanding of the system, they *can* do that. But it’s not automatic at their end that it must be just because of being a ‘minor’ version bump. But having said that… if they don’t, and if a future security release is needed (4.9.7, or whatever), then it’d be pushed anyway as part of that. So, perhaps an academic question.

    I agree though that this will break most users’ expectations of what should be in a minor release, and that’s not a good thing. The big mess-up appears to have had two parts:
    1) The decision that 5.0 had to include Gutenberg, and be delayed indefinitely until that was ready
    2) Not starting work on these privacy tools soon enough, and now having a rush

    I disagree that core should not have privacy tools. Yes, it’s GDPR which is forcing them to include these privacy tools. But that’s just a detail of how it’s come about. Core should have privacy tools. There’s nothing particularly GDPR-specific about the two particular tools in this release… 1) a tool to allow a user’s request for all your stored data on them to be supplied, and 2) another one for a user’s request for all your stored data on them to be deleted. If GDPR finally forced WP core to “do the right thing” and build in basic privacy tools into core, then that’s a good thing. But I think “GDPR stuff should not be in core” is a red herring. Allowing users to control their data is of interest to all responsible site owners. If you consider the ability of users to control their data to be a niche interest then I guess that’s not something you’re telling your customers before they sign up with you, right?

  5. Martin Wolfert on 18 May 2018 at 04h27

    Hi Maxime,

    “if you’re not interacting with anyone from Europe, and if you’re NOT collecting any data, you should not have to care about GDPR.”
    and
    “This legislation mainly addresses privacy and data protection for all individuals within the European Union.”

    Disagree!

    With this comment, you work for sure with personal data, if your website will store my actual ip address. Also you will store my email address. So, of course you store and collecting data from the EU.
    On top you work just in this minute with data from someone sitting in Germany. And after May 25-th, I could (theoretically) ask you which data you have stored regarding myself. And (theoretically) you have the duty to deliver that data in machine readable format within 4 weeks back to me. Your website uses Google Analytics and Google Fonts. So … you share personal data without my consent with Google.

    Ok, of course I would not have practically the chance to claim my due to get information about that stored data: no court in the US or Canada would enforce the right I have as a European citizen after May 25-th.

    So … perhaps you think German or European citizen are somehow weird … I can live with that 🙂

    Just my two cents,
    Martin

    • Maxime Jobin on 18 May 2018 at 09h14

      Martin, I was talking “in general” in the article. I was not talking about SatelliteWP’s website. As we sell online, of course we store some information.

      I still believe it is possible to have a site that does not collect any personal data. And I’m wondering if sharing anonymous data where I have no control (aka Google Analytics) is included in “personal data”.

      There is no way for me (or anybody) to provide the information collected by a third party. And I don’t even think I would have to provide the information I collected on an anonymous user.

      Let’s say I collect your IP, your browser’s version and nothing else. Then you contact me to get “your” information. As I collected it anonymously, how am I supposed to know if it is your information? Your IP address is not a unique identifier that can be only used by you.

      I’m not educated enough about the subtleties of that legislation but I can’t believe I would have to ask you permission to use Google Fonts and be held accountable for what Google (or any other organization) might do with your data.

      At the end of the day, I don’t know if you are weird or not… and I’m totally fine with it!!! 😉

      • laken on 18 May 2018 at 13h40

        If I was a European citizen, and right after I left this comment, I requested from you to give me all the data I’ve provided to you (if it was after May 25th), you would be required to provide it. WordPress didn’t have the ability to export that data on a per-user basis – that was the majority of this update.

        • Maxime Jobin on 18 May 2018 at 13h43

          You are missing the point.

  6. James Tryon on 18 May 2018 at 23h29

    100% agree with all of this.

  7. Andi on 19 May 2018 at 06h27

    The author does not seem to understand GDPR and it is actually VERY good that the WordPress Core team took this huge responsibility and is providing great tools to face the challenges GDPR and DSGVO brings with it. Unfortunately it is not going far enough as since the Cloud Act passed the US Senate which violates the GDPR and DSGVO it would have been great to have a way to download all scripts from external resources based in the US or run by companies located in US territories locally and serve them from there. Hopefully that will come in one of the next “minor” releases.

    It is also very good that this update came more or less for all websites worldwide who keep their sites updated. No problems so far with any of our sites. It gives WordPress and any Agency using and promoting WordPress a very good way to Promote the number 1 System as GDPR | DSGVO compliant.

    “If I was a European citizen, and right after I left this comment, I requested from you to give me all the data I’ve provided to you (if it was after May 25th), you would be required to provide it. WordPress didn’t have the ability to export that data on a per-user basis – that was the majority of this update.”

    This is a very valid comment and it will be interesting how the author will deal with it after 25. May 2018! Laken is not at all missing the point.
