San Diego SEO Blog

cPanel’s Site Software Addon Disables WordPress Auto Updates

on May 15, 2015

A little more than two months ago, Derek Munson, who goes by the username Drumology2001, published a thread in the WordPress.org support forums. While performing maintenance on several WordPress sites on his virtual private server, Munson discovered a number of them running outdated versions. Versions ranged from 3.9 to 4.1 with at least one site using WordPress 3.9.2.

I’m used to seeing the ‘nag’ at the top of the screen that lets me know there’s a newer version available. I am not seeing that on any of these sites which aren’t on the newest version (4.1.1). When I go to Dashboard > Updates and click ‘Check Again’ to force a manual check, it’s still acting as though everything is up to date when it’s clearly not.

Initially, Munson thought All in One WP Security and Firewall was blocking update notifications. Mbrsolution, the plugin’s main developer, confirmed that it doesn’t block update notifications. After completing a number of troubleshooting techniques suggested by volunteers on the WordPress support forum, Munson installed Wordfence Security, a WordPress security plugin.

One of Wordfence’s noteworthy features is its scanner. It compares clean WordPress core files to those on the server and notifies the user if it detects a difference. The scan results showed that three files had been changed.

wp-admin/includes/update.php
wp-admin/update-core.php
wp-admin/includes/class-wp-upgrader.php

These files were only changed on WordPress sites that were installed using cPanel’s Site Software addon.

WordPress’ update.php file.
    function get_core_updates( $options = array() ) {
        $options = array_merge( array( 'available' => true, 'dismissed' => false ), $options );
        $dismissed = get_site_option( 'dismissed_update_core' );

cPanel’s update.php file.
    function get_core_updates( $options = array() ) {
        # cPanel override: Disable all core updates to prevent conflict with cPAddons.
        return false;
        $options = array_merge( array( 'available' => true, 'dismissed' => false ), $options );

WordPress’ update-core.php file.
    function core_upgrade_preamble() {
        global $wp_version, $required_php_version, $required_mysql_version;
        $updates = get_core_updates();

cPanel’s update-core.php file.
    function core_upgrade_preamble() {
        # cPanel override: Do not display the current or the latest version, because we've disabled updates.
        return;
        global $wp_version, $required_php_version, $required_mysql_version;
        $updates = get_core_updates();

WordPress’ class-wp-upgrader.php file.
    public function is_disabled() {
        // Background updates are disabled if you don't want file changes.
        if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS )
            return true;

cPanel’s class-wp-upgrader.php file.
    public function is_disabled() {
        return true; // Force this functionality to disabled because it is incompatible with cPAddons.
        // Background updates are disabled if you don't want file changes.
        if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS )
            return true;

The code added by cPanel disables core WordPress updates, update notifications, and automatic background updates to point releases. Once Munson restored these files to their original version, automatic updates and notifications worked properly.
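
A check for the specific change shown above, as an added example (not code from WordPress, cPanel or Wordfence): it flags any of the three named functions whose body opens with an unconditional return, even when a comment precedes it. The PHP samples are constructed and abbreviated from the excerpts quoted in this post, and the names `forced_return` and `scan` are hypothetical.

```python
import re

# Files and functions the article reports as modified (relative to the WordPress root).
WATCHED = {
    "wp-admin/includes/update.php": "get_core_updates",
    "wp-admin/update-core.php": "core_upgrade_preamble",
    "wp-admin/includes/class-wp-upgrader.php": "is_disabled",
}
# PHP comments: "#" or "//" to end of line, or a /* ... */ block.
_COMMENT = re.compile(r"\s*(?:(?:#|//)[^\n]*|/\*.*?\*/)", re.S)

def forced_return(php_source, func_name):
    """Return the unconditional return statement that opens func_name's body, else None."""
    m = re.search(r"function\s+" + re.escape(func_name) + r"\s*\([^{]*\{", php_source)
    if m is None:
        return None
    pos = m.end()
    # Skip leading comments so an explanatory note cannot hide the return.
    while (c := _COMMENT.match(php_source, pos)):
        pos = c.end()
    stmt = re.match(r"\s*(return\b[^;]*;)", php_source[pos:])
    return stmt.group(1) if stmt else None

def scan(files):
    """files maps relative path -> PHP source; returns {path: forced return statement}."""
    hits = {p: forced_return(files.get(p, ""), f) for p, f in WATCHED.items()}
    return {p: stmt for p, stmt in hits.items() if stmt}

# Constructed samples, abbreviated from the excerpts quoted in the article.
STOCK = {
    "wp-admin/includes/update.php":
        "function get_core_updates( $options = array() ) {\n"
        "\t$options = array_merge( array( 'available' => true ), $options );\n}\n",
    "wp-admin/includes/class-wp-upgrader.php":
        "public function is_disabled() {\n\t// Background updates are disabled ...\n"
        "\tif ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS )\n\t\treturn true;\n}\n",
}
OVERRIDDEN = {
    "wp-admin/includes/update.php":
        "function get_core_updates( $options = array() ) {\n"
        "\t# cPanel override: Disable all core updates ...\n\treturn false;\n}\n",
    "wp-admin/includes/class-wp-upgrader.php":
        "public function is_disabled() {\n\treturn true; // Force this functionality ...\n}\n",
}

if __name__ == "__main__":
    print(scan(STOCK), scan(OVERRIDDEN))
```

The check is limited to the three functions listed because an early return is normal in many other functions; a file that passes can still differ from the stock release in other ways.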

cPanel and cPAddons

Those who manage dedicated servers or virtual private servers with cPanel have the ability to use cPAddons. According to cPanel documentation, “Addons are applications that work with cPanel to perform functions for your users’ websites. Examples of these applications include bulletin boards, online shopping carts, and blogs.”

Open Dialogue With cPanel

George Stephanis, a WordPress core contributor and lead developer of Jetpack, publicly called out cPanel’s actions as a bad practice.

A representative of cPanel saw the tweet and responded that they’d like to receive more information.

Stephanis engaged in a lengthy conversation with cPanel representatives explaining why it’s a bad idea to disable core updates. cPanel disables WordPress’ native update system because it could cause conflicts with cPanel’s Site Software version of WordPress.

We generally release the latest version of WordPress within 1 to 5 days of the latest WordPress update. At a minimum, server administrators are informed each night of all Site Software applications that need updated. It is up to users to configure their notifications within cPanel to receive such updates.

The way our cPAddons tool tracks software is not compatible with the way WordPress updates, hence why we disable the auto-updates so we can track it through cPAddons.

cPanel goes on to explain how updates are handled for software installed using its Site Software cPAddon.

  • Whenever WP releases a maintenance build that addresses security concerns, we react very quickly to get our software updated to be available to customers.
  • By default, we define that software managed/installed through cPAddons is automatically updated when a new update is available.
  • Based on the above information, if the server administrator leaves the defaults enabled, once WP introduces a maintenance release that corrects security concerns and we’ve tested and updated our source for it, customers will receive the release automatically.
  • If the server administrator decides to disable automatic software updates, the end-user and systems administrator will still receive notifications that their installation is out of date accompanied with steps on how to update their application.

By default, software installed by cPanel is configured to update automatically but some of Munson’s sites didn’t update. He also didn’t receive update notifications for those sites. cPanel believes there is something wrong with Munson’s server configuration and pledged to contact him to find out more information.

Based upon what Drumology2001 reported on the forum, it appears something is amiss on that server. We’d love to examine that server to determine why WordPress updates were not available to the user.

Based upon the fuzzy dates used on the forum and compared with our internal records, the 4.1.1 update was available to the Site Software system prior to the initial post. We’ll reach out to him to determine whether there is anything we can do there.

Receptive to Change

The good news is that cPanel is responsive and willing to make any necessary changes to improve the update process. Considering how many web hosting companies offer customers the ability to install WordPress with a one-click installer, it’s important that sites receive updates as soon as possible.

If you installed WordPress through cPanel’s one-click installer, check to make sure your site is running WordPress 4.2.2, which is the latest stable version.

Source: WP Tavern
