Yesterday a large number of websites were broken due to a security fix that affects the Shortcodes API.
I’m grateful for the security efforts of the WordPress Core team and I do appreciate various fixes that are automatically updated.
Two years ago, Ipstenu wrote on her blog about automatic updates, back when people freaked out that dark holes would be unleashed with each update:
The reason the updates are restricted to just minor, security/maintenance, updates is that, in general, they do not cause the problems people experienced in 2010.
I believe I’ve seen similar statements by core leads, and that was expected. I haven’t seen major problems for a while, at least not before utf8mb4 was introduced. Then a lot of sites around me started to bend under the new database conversion, and the latest change had us staying up past midnight fixing things that used to work.
My friend Amir who owns the business behind WPML and Toolset (Types and Views) commented on the aforementioned post regarding the security fix with something that resonated with me:
We received a huge amount of support requests due to this, but this isn’t the issue. We can deal with a wave of support issues. This time it wasn’t “our fault”, but sometimes it is.
What worries us, as mentioned above, is seeing our clients (folks who build WordPress sites for a living), losing their faith in the system. They feel like the system sees them as little ants and not as humans. People don’t like seeing their problems being dismissed.
Many of them run hundreds of sites. They cannot afford to stop everything and fix content on so many sites. Especially not if they are currently away for their family vacation.
What others have asked here and I would like to ask too, is to set up a mechanism that allows WordPress core developers to privately communicate such upcoming issues with plugin developers.
We are your partners.
Without WordPress (secure, stable and reliable), we would not exist.
Without great themes and plugins, WordPress would not power 24% of the Web.
I couldn’t agree more.
And I don’t believe that WordPress is meant for blogs. Maybe it was 12 years ago, but it no longer is. Over the past 3 years we’ve been building SaaS solutions, large Multisite networks with tens of thousands of subsites, and large WordPress solutions for the educational, event management, airline and automotive industries. And when those websites get affected, we’re screwed.
Because even if we disable the updates due to our deployment process, we’re left with a public fix for a security issue that anyone with a decent programming/security background can trivially figure out from the fix itself.
So due to the open source model, we’re forced to update – regardless.
Here’s the funny thing.
Since WordPress is known to be a “simple blogging platform” or a free and easy system that everyone can set up (even non-technical people), business owners believe that building a website is a one-off thing. I’m not even talking about content marketing, SMM or anything else that actually runs the business. I’m talking about the regular work required for a system to run.
Is your car something that works forever without maintenance? No. You need to change your engine oil every now and then, check your brakes, probably your tires before the winter season, not to mention all of the filters and other small things that make your car move on a daily basis.
So you go to a mechanic? Good.
Same goes for home management, your health, and most of the products that you generally use.
If you don’t maintain them, they rot.
And that maintenance is done by professionals – people who have been in the industry long enough to see all of the nasty problems that happen every now and then, and who help businesses run with fewer troubles and unexpected surprises.
Which is why I’m still frustrated that a minor fix broke tens of thousands of websites. But while some of those were taken care of by experts, many business owners were left alone since they paid for their website and left it online. Simple as that.
No ongoing updates. No feature updates.
We do offer maintenance services for all of our clients, and expect them to understand the significance of the technology. WordPress is currently over 300K lines of code. That huge engine runs 24% of the Internet, and every single change can affect tens of thousands, hundreds of thousands or millions of websites out there.
And anything larger than a simple blog for a teenager’s homework can be affected. That’s the truth.
If you opt for a custom solution built from scratch, you’ll probably encounter other problems and pay way more than for a WordPress-driven solution. But if you invest a nickel in your online business and don’t invest in any ongoing maintenance, then you’re dealing with the consequences.
I have an ongoing car maintenance plan that lets me call my mechanics any day of the week and ask them to come and pick up my car if it suddenly stops on the street. And this helps me sleep at night. And I’ve called them already, and they did their magic.
But I’ve been out there under the sun looking at my engine, having no clue what happened, and spending hours trying to be an engineer. And this simply didn’t work out.
So, if you’re aware enough that running a business with some online presence is essential for the future of your business, that’s a good first step. But your product is a vivid creature that lives and changes constantly, and your business requires an update or two every now and then.
So, have you signed up for maintenance already, and did you struggle with the latest Shortcode API update?