On July 23, WordPress pushed out a security update that fixed a cross-site scripting vulnerability. To fix it, the shortcode API was changed to disallow some usages of shortcodes that had been shown to have potential security issues. This meant that shortcodes used in this particular way would no longer work.
And thanks to the automatic updates mechanism of WordPress, the security update got pushed out to millions of sites. A lot of sites turned out to use shortcodes in this now-unsupported way, and they woke up to find their sites updated and broken.
A broken experience
A lot has been said about the experience of the automatic security update. Not everything went as smoothly as it could have.
Developers have been asking for more involvement prior to releases, in a non-public channel, so that they would be able to make patches to their plugins earlier. Many received a huge number of support requests for code that worked one day but not the next, without prior warning.
Some people have even started to question whether automatic updates should be on at all, now that the promised never-break-your-site ideal has been tarnished.
I think those who advocate disabling automatic updates have missed a huge point.
A broken site means a patched security hole
Think about it for a moment. All those sites that were broken for a while broke because the shortcodes were used in a potentially insecure way. If the sites had not been updated, they would have been open to exploitation. In fact, they were exploitable the whole time until the security update got pushed.
Now I don’t think for a moment that the plugin authors that used shortcodes in the now-unsupported way had any nefarious intent. They probably had no idea that this way of using shortcodes could have security implications.
But it did.
The WordPress security team learned about it, and issued an update to remove that vulnerability.
Better secure than compromised
The very nature of these things makes them undisclosable to the public. You can’t tell the world – “hey here is how you can compromise a site, we are working on a fix right now”. A plugin author channel can also be risky because the more people you tell about these things, the bigger the risk of information leakage.
The harsh reality is that the users whose sites got broken are the ones that should be most thankful for the automatic update. The breaking of their site showed that they were the ones affected by the security vulnerability.
A broken – but fixable – site that is secure is better than a compromised one. Every time.