Warning: WordPress 4.9.6 Really is a Major Update

We are days away from 4.9.6. This is no minor release. If releasing Gutenberg, the new website editor, is a statement for WordPress version 5.0, this next update is for GDPR and really should be using a different version number such as 4.10… even if WordPress never went past “.9” in previous versions.

Why does this matter?

Let’s go back a couple of years to the release of WordPress 3.7 (code name “Basie”). WordPress introduced this “update while you sleep” functionality where “you don’t have to lift a finger to apply maintenance and security updates”. Their point was that too many websites weren’t being updated when a security update became available and, as the most used software on the web, they wanted a way to handle this issue. It was a responsible move to provide a safer web for everyone. Minor issues happened throughout this process over the years, but in our opinion, it has done a lot more good than bad.

How does it work? Well, when the third digit (also known as “sequence”) of the version number changes, this automatically triggers an update on your website and is considered a minor update. In other words, you have to manually update your website from 4.8 to 4.9 but the updates would automatically be performed from 4.9.1 to 4.9.2.

According to WordPress’ website, “minor WordPress version is dictated by the third sequence. Version 3.9.1 is a minor release. So is 3.8.2. A minor release is intended for bugfixes and enhancements that do not add new deployed files and are at the discretion of the release lead with suggestions/input from component maintainers and committers.”

Here comes GDPR

Maybe you know, maybe you don’t (where were you?): the General Data Protection Regulation (GDPR) becomes enforceable on May 25th, 2018. This legislation mainly addresses privacy and data protection for all individuals within the European Union.

For some weird reason, the WordPress team decided this should be part of WordPress’ core. We believe it should be a plugin.

Yes, millions of sites will be affected by this new regulation… but should the global WordPress ecosystem be impacted by something that emanates solely from Europe or any other specific country or region on the planet? What makes GDPR more important than SPAM filtering, SEO, multilingualism or any other topics which affect a much higher percentage of websites than this new EU directive?

If you’re using WordPress in a local or development environment, if you’re not interacting with anyone from Europe, and if you’re NOT collecting any data, you should not have to care about GDPR.

It would seem that WordPress core developers think otherwise, for reasons unknown.

Gutenberg in version 5.0

Now that you know how the WordPress versioning works, you also know that version 4.9 is no more or less important than version 5.0. Major versions are defined by the first two digits. But in the software world, changing the first digit is typically a statement that this should be a big release.

But from the version numbering page:

For example, 3.5 is a major release. So is 3.6, 3.7, all the way up to 4.0. Version 4.0 is no different than 3.9 and 4.1. There isn’t a “WordPress 3” or “WordPress 4” – we’re weird like that for historical reasons.

So for some weird reason (once again), it seems that the controversial new editor Gutenberg will be released in version 5.0. As the latest major release of WordPress was 4.9, it seems there is no room for GDPR between 4.9 and 5.0. But we totally disagree. If they want to use version 5.0 for a big release, despite what is said in the version numbering page, they should use version 4.10 and not 4.9.6, no?

4.9.6 is just wrong

Let us be very clear here: the release of 4.9.6 is just wrong.

As said before, it does not respect the definition of a minor update. More than that, we feel developers played the system. While it’s true that no files were added to the release… the purpose of some files is not the same anymore. For instance, the file privacy.php in the wp-admin folder went from being a file that displays text and had 42 lines to a file that is now a form with 227 lines.

Everything related to GDPR should be, in our opinion, in a plugin and not in the core. That said, we understand that this can be related to an ideology that might not be shared by everybody.

And what about the translations? Our co-founder Jean-François Arseneault is part of the translations team for the fr-CA locale and he noticed that there were more than 200 translations to perform for this “minor” release, and not simple/quick translations either. As GDPR is related to a law, shouldn’t these translations be performed by legal staff and not by volunteers, as well-intended as they may be?

What others think

It would seem we’re not alone in thinking that way… after we shared our thoughts on Twitter about 4.9.6, we noticed many people feeling the same way:

Dev Chat Summary: May 2nd (4.9.6 week 5)

What’s next?

Releasing a major update as a minor update will trigger automatic updates on millions of websites. Who knows if this will break your site or not? Automated updates were introduced to fix problems… not to add new functionality. For that reason, the automatic update system cannot be trusted anymore.

Unless WordPress steers away from this practice in the future and sticks to their own self-imposed rules, we would recommend that you disable automatic updates on your WordPress site and take matters into your own hands by manually performing updates, once you’ve had a chance to test new features on a test copy of your site. This is not fun news since we really loved this feature. It serves an important purpose by ensuring everyone’s safety. But as it stands, it’s now introducing new risks.

To disable automatic core updates on your website, as per the WordPress Codex instructions, you must add this line in your wp-config.php file:

define( 'WP_AUTO_UPDATE_CORE', false );

Update: It is also good to know that some web hosts, like SiteGround, automatically trigger core updates. You might have to check and/or contact them to validate if more actions are required on your end to fully disable automatic updates.
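
To check that the line above is really in effect on a given site, here is an added example (not from WordPress or from the original post) that reads a wp-config.php and tells you whether a given core update would still install itself. It assumes WordPress compares the constant strictly, so a quoted 'false' does not disable anything; the true and 'minor' values come from the WordPress documentation, and the sample configs are constructed. Pre-release version strings such as "-RC1" are not handled.

```python
import re

DEFINE_RE = re.compile(
    r"""^\s*define\s*\(\s*['"]WP_AUTO_UPDATE_CORE['"]\s*,\s*(.+?)\s*\)\s*;""",
    re.IGNORECASE | re.MULTILINE)

def core_setting(wp_config_text):
    """Map the WP_AUTO_UPDATE_CORE define to 'off', 'minor' or 'all'."""
    text = re.sub(r"/\*.*?\*/", "", wp_config_text, flags=re.DOTALL)  # drop block comments
    match = DEFINE_RE.search(text)  # lines starting with // or # never match
    if match is None:
        return "minor"              # no define: core default, minor releases only
    value = match.group(1).strip().lower()
    if value == "false":
        return "off"
    if value == "true":
        return "all"
    # Assumption: core compares the constant strictly, so the quoted string
    # 'false' is NOT the boolean false and leaves the default in force.
    return "minor"

def parse_version(version):
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))   # "4.9" -> (4, 9, 0)

def is_minor_update(current, target):
    """Minor = same first two sequences, higher third sequence."""
    cur, new = parse_version(current), parse_version(target)
    return cur[:2] == new[:2] and new[2] > cur[2]

def would_auto_apply(wp_config_text, current, target):
    setting = core_setting(wp_config_text)
    if setting == "off" or parse_version(target) <= parse_version(current):
        return False
    return setting == "all" or is_minor_update(current, target)

# Constructed sample configs, not taken from any real site.
DEFAULT_CONFIG = "<?php\ndefine( 'DB_NAME', 'example' );\n"
DISABLED_CONFIG = DEFAULT_CONFIG + "define( 'WP_AUTO_UPDATE_CORE', false );\n"
QUOTED_CONFIG = DEFAULT_CONFIG + "define( 'WP_AUTO_UPDATE_CORE', 'false' );\n"
COMMENTED_CONFIG = DEFAULT_CONFIG + "// define( 'WP_AUTO_UPDATE_CORE', false );\n"

if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT_CONFIG), ("disabled", DISABLED_CONFIG),
                      ("quoted", QUOTED_CONFIG), ("commented", COMMENTED_CONFIG)]:
        print(name, core_setting(cfg), would_auto_apply(cfg, "4.9.5", "4.9.6"))
```

This only reads the file: plugin or theme filters and host-side updaters can still change the outcome.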

If you have a Maintenance Plan with SatelliteWP, we’ve already deactivated automatic updates on your WordPress site so that from this point on we can manage minor updates the same way we’re already handling major updates. If you don’t have a Maintenance Plan and would like us to take care of your WordPress site, visit our maintenance plans page or contact us for more information.
