WordPress 3.7 was released on October 24, and the first maintenance release 3.7.1 was released yesterday (10/29).

There are several new features in 3.7: improved search results, stronger password testing, and improved global support. The biggest, though, is the auto-update feature.

Starting with version 3.7, WordPress will automatically install all maintenance updates when they are released. You will not be notified or given a chance to opt out. For most sites this is a good thing. For some complex, mission-critical sites we feel this is a concern.

The auto-update feature can be disabled by editing a parameter in the wp-config.php file, but there is no way through the user interface to prevent the updates.

The pros of auto-updates: small security patches will automatically be installed. You don’t have to do anything, you don’t have to pay anybody, it just stays up to date. This makes the internet a safer place by preventing old, stale WordPress sites from causing security risks and making WordPress look bad. The risk of an update crashing your site is very low. For most sites, especially small, low-traffic sites with limited plugins, this is a very good thing.

The cons of auto-updates: the updates are installed without your knowledge and without a prior backup being run. If an error or a plugin conflict does happen, it can crash your site without a backup and without any prior warning. If you are a merchant and this happens on Black Friday, it could be a disaster. If you are selling concert tickets and your site decided to auto-update without a backup, it could ruin your event. The chances of failure are small, but they increase with the number of plugins you are running. You have to weigh the risks of downtime against the benefits of auto-updates.

Right now we are advising clients with simple sites and limited plugins to leave the auto-updates enabled. The risk of failure is very low, and the benefits of the updates outweigh the risks.

If you have a large, complex site with many plugins, or a mission-critical site that cannot risk any unexpected downtime, then we recommend disabling the auto-updates by modifying the WP configuration file. If you don’t know how to do that, hire a professional. Messing up the config file will guarantee your site will crash.
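One cautious way to make that edit, as an added example that is not from the original post: the post does not name the parameter, so this uses WordPress's `WP_AUTO_UPDATE_CORE` constant set to `false`. The function names, the sample file and the backup directory layout are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post): turn off core auto-updates by
# adding WordPress's WP_AUTO_UPDATE_CORE constant to wp-config.php.
MARKER="stop editing"   # text of the marker comment in a stock wp-config.php

# Constructed sample config for a dry run; not a real site's file.
write_sample_config() {
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy blogging. */
require_once( ABSPATH . 'wp-settings.php' );
EOF
}

# disable_core_autoupdate <wp-config.php> <backup-dir outside the web root>
# Returns 0 = changed, 1 = refused or failed, 2 = constant already present.
disable_core_autoupdate() {
    cfg=$1; bakdir=$2
    [ -f "$cfg" ] && [ -d "$bakdir" ] || { echo "need a config file and a backup dir" >&2; return 1; }
    if grep -q "WP_AUTO_UPDATE_CORE" "$cfg"; then
        echo "WP_AUTO_UPDATE_CORE already present in $cfg; review it by hand" >&2
        return 2
    fi
    grep -q "$MARKER" "$cfg" || { echo "marker comment not found in $cfg" >&2; return 1; }

    tmp="$bakdir/wp-config.new.$$"
    # Build the candidate outside the web root, readable only by this user,
    # with the define inserted on the line before the marker comment.
    ( umask 077; awk -v m="$MARKER" '
        !done && index($0, m) { print "define( \047WP_AUTO_UPDATE_CORE\047, false );"; done = 1 }
        { print }' "$cfg" > "$tmp" ) || { rm -f "$tmp"; return 1; }

    # Syntax-check the candidate when the php CLI is installed.
    if command -v php >/dev/null 2>&1 && ! php -l "$tmp" >/dev/null 2>&1; then
        echo "php -l rejected the edit; $cfg left untouched" >&2
        rm -f "$tmp"; return 1
    fi
    # Back up, then overwrite in place so the file keeps its owner and mode.
    ( umask 077; cp -p "$cfg" "$bakdir/wp-config.php.orig" ) &&
        cat "$tmp" > "$cfg" && rm -f "$tmp"
}
```

Try it first on a file produced by `write_sample_config`. The backup directory should sit outside the document root, because the saved copy contains the database credentials.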

Main Street will monitor this situation for the next few updates. There is a lot of heated discussion in the developer community about this right now. Some love the idea of keeping sites up to date; others are very wary of letting a third party update their sites without their knowledge or at least a good backup.

The WordPress core developers assure us their testing procedures are infallible, but the fact that they issued a maintenance release five days after a major release causes me to question that statement.

We still love WordPress. It is still the best content management system by far. It is secure, flexible and easy to use. None of that has changed; the only concerns we have are with the auto-updates for large mission-critical sites. Smaller, low-traffic sites should have no worries.