Sometime in the next couple of years, your Joomla sites will be updating automatically.
I believe this is awesome news. I've been in favor of auto-updates since 2014 and finally they are here.
Many people will probably disagree, but we shouldn't be afraid of change. Auto-updates are a very helpful tool to keep sites safe and they're proven to be reliable.
Here's an introduction to why auto-updates are awesome, and how you can use them to protect your sites.
Why are auto-updates good?
Auto-updates are a very helpful tool to keep sites safe.
When Drupal revealed a major security flaw in 2018, it took hackers less than five hours to start exploiting the flaw. In a situation like this, auto-updates are one of very few effective solutions.
And, with time, we can expect hackers to get even faster. It's not unusual for some security websites to immediately publish detailed tutorials on how to exploit the flaws.
The vast majority of users just can not update their sites inside five hours, so we need automated solutions.
What's happening with Joomla auto-updates?
Joomla users have wanted auto-updates for years and people have experimented with different ideas. There was even an auto-update extension released back in 2015, although it never got much traction. Finally, however, things are changing.
In November, we held the Joomlashack Conference and one of the key speakers was George Wilson from the Joomla team. You can watch George's video here.
In the video, George mainly talks about Joomla 4.0 but he also looks ahead to Joomla 4.1 and 4.2. He mentions that the Joomla team is working on a new auto-update feature for the Joomla core:
"We're working in a cross-CMS group, with Google as well, on an auto-update feature (opt-in, obviously)."
So by the time Joomla 4.1 or 4.2 arrives, we could have the option to enable auto-updates for the Joomla core. At the moment, the team are looking for volunteers.
Over at Watchful, you can already auto-update the Joomla core, plus extensions and templates. We've been using Watchful to automatically update Joomlashack.com for a couple of months now, and it has made our life a lot easier. Just in case anything goes wrong, we also use Watchful to take a daily backup, but we haven't had to use it yet.
The Watchful approach is to allow you to enable auto-updates one-by-one. You can see the "Enable autoupdate" button in the image below:
Watchful checks for updates every hour, so you won't ever be waiting longer than 59 minutes for a security update. They've already been running auto-updates for customers for several months. You can trust auto-updates to keep your sites safe.
Who else is providing auto-updates?
WordPress is the platform that has pushed hardest for auto-updates. WordPress has been using auto-updating with security fixes for six years now, since version 3.7 in 2013. They're now working on the next steps:
- Provide a way for users to opt-in to automatic plugin and theme updates
- Provide a way for users to opt-in to automatic updates of major Core releases
These were two of the major WordPress initiatives for 2019, and although they are not complete yet, we can expect these improvements to be available soon.
In the WordPress world, many hosting companies now offer auto-updates. Either they write their own update scripts, or they rely on hosting services such as Plesk that also provide auto-update tools.
Over in Drupal, automatic updates are a major priority. The "Automatic Updates Initiative" is in full flow and should be added to the core sometime in 2020. Here's a video showing the current progress on Drupal auto-updates:
Auto-updates are coming to Joomla
Don't be afraid: auto-updates are a proven, trustworthy and helpful way to keep your sites safe.
You can try auto-updates right now by using Watchful, or you can wait for the official solution to arrive with Joomla 4. This is a long overdue improvement to the Joomla ecosystem and will create a safer environment for Joomla users.