On June 1st, Automattic’s Jetpack plugin released an update to patch an exploitable vulnerability in the Carousel feature. The release invited users to update and noted it wasn’t known to be actively exploited at the time—but could be once disclosed.
One thing it didn’t make obvious at first: the update would be deployed automatically via WordPress’s forced update capability. Since originally posting, I learned this decision was made by the WordPress.org Meta/Security team—not Automattic/Jetpack.
Whether you fall for or against forced updates, a long-standing security concern remains: these mechanisms let a system make changes without explicit, immediate consent. In the wrong hands—or with good intentions but poor outcomes—that’s risky.
- The decision to update was made by the WordPress.org Meta/Security team (not Automattic/Jetpack).
- Auto-updates (introduced in 5.5) are different from forced updates. Forced updates have existed for years as a last-resort safety valve.
This doesn’t erase the core concern about the capability itself.
Disabling Auto-Updates with WP Config & Hooks
You can control auto-updates with constants and filters (note: these do not disable forced pushes):
Core (in wp-config.php
):
define('WP_AUTO_UPDATE_CORE', false);
Plugins (plugin or mu-plugin code):
add_filter('auto_update_plugin', '__return_false');
Themes (plugin or mu-plugin code):
add_filter('auto_update_theme', '__return_false');
These settings express administrator intent about when updates should occur—but they don’t apply to rare, centrally triggered forced updates.
Impacts of Ignoring User-Defined Settings (Intent)
The WordPress.org team’s rationale is safety of the wider web, and as JJJ notes, the mechanism is meant for exceptional cases. Reasonable people can still debate: did this rise to that level?
I'm not sure if that makes me feel better or worse about the situation.
— Brad Williams (@williamsba) June 3, 2021
Correct me if I'm wrong, but the security issues seems directly related to a single feature in Jetpack, which we weren't using. I'd love to see the discussion where the decision was made to force this.
I initially conflated auto-updates and forced updates (mea culpa), but from an admin’s perspective it still feels like the platform is overriding an explicit choice. At minimum, forced pushes should come with transparency about the criteria and process behind them.
So this update was a forced update on WordPress sites even with auto-updates disabled?
— Brad Williams (@williamsba) June 3, 2021
We had this go live on a prod site at 2am last night that has auto-updates disabled for very specific reasons.
Not cool Jetpack. https://t.co/55upBmyeHp
We agree with the sentiment: it’s about respecting user intent. Features that can override that intent should push implementers to harden beyond WordPress hooks—e.g., server-level controls that prevent components from modifying themselves.
Concern for Platforms with the Ability to Force Action
While I was wrong to pin this on Automattic/Jetpack, the broader question stands: should a platform retain unilateral ability to push changes into production sites? History shows supply-chain risk is real (e.g., SolarWinds/Orion). Intent is the only difference between a safety valve and a backdoor.