How to disabled Automatic Updater?

[yggdrasil]

We where told repeatedly in this forum and in the blog comments by WHMCS that the auto updating feature was optional and could be disabled.

 

Yet I cannot seem to find this information anywhere:

http://docs.whmcs.com/Automatic_Updater

 

How exactly do you disable the Updater? There surely is no option in the GUI not to use it or how to uninstall it or disable it.

 

I have many changes and I do not want the updater enabled. I do not want someone to click it by mistake and update the live the site and I also don't want this for security reasons.

 

If the updater cannot be disabled then I think I will be forced to pass v7 completely. While I think some people really asked this and WHMCS seems to advertise this as the best invention after butter, personally I find it worthless. The updater itself warns to have a proper backup, so it means it still requires manual IT intervention in particular to make sure everything is fine, and there is no way a computer system will know what files have changed or new code is required to make it compatible, since most modules will require manual changes as well templates the updater WILL break functionality, there is absolutely no other way it can work unless you are running WHMCS out of the box without a single change. In my case I have plenty of code and modules which require a lot of manual changes on each update, so its not like the updater will save me even one minute, as I still have to manually merge all the changes and SVN repository.

 

The fact it also requires write permissions in your installation is also the reason why I think this is a very bad idea. Why would I want WHMCS remote servers to have write permissions to our servers? No way.

 

Please tell us how to disable this. By disable I mean that I don't want it working, not even if someone tries to use it from the admin area by mistake.

Edited October 12, 2016 by yggdrasil

[WHMCS ChrisD]

Hello yggdrasil,

 

Thanks for your post.

 

The way the automatic updater has been designed is that we check for new versions several times a day and provide an in-app prompt you still need to manually click the "Update Now" function to start the installation, the system will then download the new version, extract it into your updater path and then install the new version.

 

In regards to disabling it simply go into Setup -> Administration Roles and untick "Update WHMCS" from the list of permissions for each of your roles to remove it from the permission set.

[twhiting9275]

This is probably another one of those things not thought out terribly well, much like the 'updater settings' being buried in the updater itself.

There should be a way to manually disable all updates, not simply using admin roles to do this.

[visiba]

There should be a way to manually disable all updates, not simply using admin roles to do this.

Why? You still have the choice: you either upgrade automatically using the new feature in WHMCS or you choose to manually upgrade your WHMCS. The updater will NEVER automatically overwrite your files without you knowing it.

[yggdrasil]

Why? You still have the choice: you either upgrade automatically using the new feature in WHMCS or you choose to manually upgrade your WHMCS. The updater will NEVER automatically overwrite your files without you knowing it.

 

Did you even read what you posted?

 

I asked how to disable the feature, not how not to use it.

 

Giving me the choice to use it or not, means it still there in the installation. This is like telling you: No, you cannot uninstall or disable this module, just don't use it.

 

This is not remotely close to what I asked and WHMCS said months ago. They said this feature was optional and we could disable it.

 

If its still active it means its checking WHMCS remote servers every day and it mean those servers can download files to your server and write files into your site. This is the biggest security hole you can open in a server. And WHMCS does not has the best security reputation here, their own website and even this forum where hacked before (more than once if I remember correctly).

 

What guarantees me that their remote updating servers is not going to be compromised in the future sending rogue files to every single WHMCS installation in the world?

 

I will not use this feature so why can't I disable it? This is not a licensing checking feature and I'm not trying to bypass or break anything. I just want to make sure my WHMCS installation cannot remotely install files. Or should I erase files or block WHMCS servers with the firewall? (which is then going to cause licensing problems...)

 

The permission restriction is just denying access to that staff. Its not actually disabling this functionality in your installation.

[brian!]

you might be able to effectively prevent it from working if you gave it an invalid temporary path to upload the files to, or the path had 0 webspace allocated to it...

 

as I understand the process, it's downloading the files to a temporary folder (defined by you) and then it's extracting from there to the WHMCS installation... but ultimately, if you want to avoid the updater, then not upgrading to v7 is probably the only viable option.

[yggdrasil]

you might be able to effectively prevent it from working if you gave it an invalid temporary path to upload the files to, or the path had 0 webspace allocated to it...

 

as I understand the process, it's downloading the files to a temporary folder (defined by you) and then it's extracting from there to the WHMCS installation... but ultimately, if you want to avoid the updater, then not upgrading to v7 is probably the only viable option.

 

I know, but we should not be relying on hacks for something basic, not as paid customers at least. This is not some open source software but a commercial one.

 

Not upgrading to v7?

 

No, that is not a choice we have. WHMCS has an EOL policy, this means v6 will eventually be dead, no security patches, no updates. Nobody here has the option not to upgrade to v7. Eventually everyone has to upgrade. It's a forced upgrade. And that is ok. But a major version should not be a downgrade but an upgrade.

 

I think they rushed v7.

 

I'm not even sure why they called it v7 when it has nothing new for existing customers. The wizard is for new users, not existing users. The domain spinner seems again, based for Enom only. And the auto updater is not something anyone with even some modifications will use. I'm trying to figure out what exactly v7 has for existing customers. Reading the logs they even disabled some things like PHP in templates and many other things which are going to break my integrations. So far it seems more like a pain to upgrade. Usually someone should be happy when a new version comes out. I just hope that v8 will not come at least in 2-3 years. I do not want new versions anymore, they only cause customers work and frustration when fixing things, in particular if there is nothing new. This should be a minor upgrade not a major upgrade. Everyone else agrees on that if you read the comments, and other forums. Nobody agrees that it should be a major new version as it adds very little.

 

This would be fine if WHMCS offered versioned upgrades, which they did in the past. But they decided for some strange reason to take that away from customers as well. Now it's a full installation which means you have to merge and compare every single diff. In the past they always offered versioned upgrades so you could only apply the changed files. And since they are now releasing a major version very frequently this means more time between upgrades.

[brian!]

I know, but we should not be relying on hacks for something basic, not as paid customers at least. This is not some open source software but a commercial one.

 

Not upgrading to v7?

 

No, that is not a choice we have. WHMCS has an EOL policy, this means v6 will eventually be dead, no security patches, no updates. Nobody here has the option not to upgrade to v7. Eventually everyone has to upgrade. It's a forced upgrade. And that is ok. But a major version should not be a downgrade but an upgrade.

well I look at things differently - WHMCS EOL policy is irrelevant for me... one of my live licenses is happily running a v5.3.14 installation - for the limited job it is required to do, there was no point in upgrading it to v6 and risking some bug creeping in and i've seen nothing in 7 that makes me want to rush to upgrade it.

 

the fact that WHMCS won't be producing any patches for it I see as a bonus - they can't break it with an update!

 

although you're absolutely right, at some point it will have to be upgraded - but not yet... and i'll decide when that is, not WHMCS.

 

there's no rush to update our v6 sites yet either - at least not until I get my head around the quirks and changes of v7... some of which look like they could be an absolute pain in the proverbial.

 

I think they rushed v7.

they always seem to release a major update before it's really ready... been that way since I bought my first license... never changes... I assume v7.0.1 will be released this month to fix the bugs found since launch.

 

I'm not even sure why they called it v7 when it has nothing new for existing customers. The wizard is for new users, not existing users. The domain spinner seems again, based for Enom only. And the auto updater is not something anyone with even some modifications will use.

in fairness to WHMCS, an automatic updater was one of their most popular feature requests - so i'm not going to criticise them for adding the feature... whether people choose to use it is up to them - i'm assuming they'll still be the incremental patches for those users... but from installing the first beta through to the full release, using the automatic updater has been smooth sailing... that said, it's on a clean installation with absolutely no custom templates... so I can quite happily update it without backing up - i'd be more cautious on a live site though.

 

I'm trying to figure out what exactly v7 has for existing customers. Reading the logs they even disabled some things like PHP in templates and many other things which are going to break my integrations. So far it seems more like a pain to upgrade.

PHP in templates was disabled by default in v6 (that's 15 months ago, so plenty of time to have had them converted) - they can be enabled from the settings, and that option is still there in v7 - but ultimately will be removed.

 

Usually someone should be happy when a new version comes out. I just hope that v8 will not come at least in 2-3 years. I do not want new versions anymore, they only cause customers work and frustration when fixing things, in particular if there is nothing new. This should be a minor upgrade not a major upgrade. Everyone else agrees on that if you read the comments, and other forums. Nobody agrees that it should be a major new version as it adds very little.

and I wouldn't argue with them... though I never get hung up over the version numbers WHMCS choose to give their software - v6 felt more like a v5.5 to me, and similarly v7 feels more like v6.5 - but with it now supporting PHP v7, it probably made commercial sense to call it v7.

 

way too early to say, but i'd still be expecting v8 towards the end of next year.

[yggdrasil]

So you run an insecure installation?

 

If you don't upgrade, how do you deal with security patches? Most of them are encoded, just like the rest of WHMCS files, so it not like you can patch them on your own.

 

v6 runs fine if you ask me. Stable and almost no bugs. Nothing critical at least.

[twhiting9275]

They said this feature was optional and we could disable it.

As it should be. Unfortunately, that's not how WHMCS sees things.

 

If its still active it means its checking WHMCS remote servers every day and it mean those servers can download files to your server and write files into your site.

Which is absolutely a concern, hence my own statement as well that this should be able to be disabled, not simply "removed from the admin group".

 

What guarantees me that their remote updating servers is not going to be compromised in the future sending rogue files to every single WHMCS installation in the world?

Nothing.

To be fair, the same can be said for your own servers. However, I'm pretty sure your own servers aren't uploading / downloading things to client servers.

 

I will not use this feature so why can't I disable it?

In short, because WHMCS said so. Not exactly the brightest implementation of this feature, unfortunately

[bear]

Which is absolutely a concern, hence my own statement as well that this should be able to be disabled, not simply "removed from the admin group".

Exactly right. Some things generally are acceptable to be autoupdated, like Cpanel itself. Most of the time it works fine and allows for rolling out things that need fixing quickly. No worries there. My billing system is a whole other ballgame. I didn't want or need the autoupdater, so would like the option not to have it run at all, not just having it hidden from my sight.

Frankly, it's the same with the cron change. I don't want to have to run that every 5 minutes and suppress notices. Once per day was fine. What could possibly have changed that would require that frequency of it running?

 

Not liking the direction here.

[vickyjohns]

Why? You still have the choice: you either upgrade automatically using the new feature in WHMCS or you choose to manually upgrade your WHMCS. The updater will NEVER automatically overwrite your files without you knowing it.http://vnco.net http://vtgh.vn/chuyen-lap-dat-phong-net-tron-goi/

 

if the account is set up to auto renew, your automatic reminder should just tell me that instead of leaving me thinking that I need to do something. This is wasting our time.

[brian!]

So you run an insecure installation?

not in the least - it's very secure... and as I say, it's doing a limited job for which v5 is adequate for now and to which I won't go into any detail about.

 

v6 runs fine if you ask me. Stable and almost no bugs. Nothing critical at least.

I absolutely agree, and if I was recommending to someone to install a WHMCS release today, then it would be v6.3.1 - not v5, and probably not v7 yet.

 

I have 3 installations happily using v6+, so i'm not advocating that everyone runs out and installs v5.3.14 and use it on their own websites - definitely not, it wouldn't be suitable any more... but for its specific task, and because I tend to think I know what i'm doing when it comes to WHMCS, i'm quite relaxed about using v5 in those limited circumstances.

 

anyway, this has nothing to do with the thread - I merely mentioned it to illustrate that you don't necessarily need to get in a panic if you don't want to run the latest version.

[dimitrifrom31]

I was fine with 5.3.14 but had a major issue that was NEVER solved until v7 as my registrar module was failing to register .fr domains (and being french that is an issue). Had a ticket open for 2 years with whmcs with no luck. Then they anounced v7 fixed that so I kinda had to upgrade to finally get rid of that painful issue.

But believe me upgrading is another pain. Lot of new bugs coming in, I have been fighting them for days now and got multiple tickets open with whmcs as well as third party modules providers (solusvm not to mention it got its module broken with v7 for example).

I still need to re work my customized template to be fully v7 compatible and eventually order a new one based on "six" template.

Once done with that I will eventually test whether or not the domain registration got fixed as I did not even have time to confirm it yet.

[WHMCS Edward]

The automatic update utility will not automatically apply updates so there's really nothing to disable. If you don't want the convenience and ease of using the auto update utility, you just don't go to it and click the Update button.

 

-Eddy

[twhiting9275]

The automatic update utility will not automatically apply updates so there's really nothing to disable.

 

You obviously don't understand the concern here, which is quite legitimate.

 

Just because you don't want to have it disabled doesn't mean it shouldn't be.

 

The fact is that something like this should never be placed in the system without a way to disable it, 100%. This is just planning for failure, absolutely.

 

I realize, you want to pass this off as 'everything is good', but it's not. Historically, WHMCS has been incredibly poor with security. Why, all of the sudden should we just open up our doors to an automatic updater, to something that checks automatically? That's just begging for abuse.

 

The point here is that this is something that needs to be disabled, globally, not just taken away through user groups.

[WHMCS Edward]

The team has put a lot of effort into ensuring the update infrastructure is secure. A recent Q&A with one of our senior engineers provides more details about it: http://blog.whmcs.com/?t=116379

 

-Eddy

[wsa]

Yes but your peoples should have a way that let YOUR clients to choose to Enable/Disable.

[twhiting9275]

Edward,

I think, again, you're failing to understand the problem here.

 

Yes, you claim that your team has 'spent a lot of time' here. Great. Well, your team has also 'spent a lot of time' on your software, and let me tell you, it's not perfect. In fact, honestly, it's far less than when it comes to implementation. This is a prime example of that. Email validation is another one.

 

Given the overwhelmingly poor security level of WHMCS over the years, you'd think that instead of arguing 'just trust us', you would have thought ahead here and said 'we should listen to what the customers are saying'.

 

Simply 'removing the option from the usergroup' is not an effective way to disable this. Nor does it give any assurance to your customers that this is 'secure', or efficiently coded. In fact, honestly, arguing about this does just the opposite. It shows that rather than listen, you continue to ignore what customers are saying.

[wsa]

Edward,

'we should listen to what the customers are saying'.

 

That the problem they dont listen to they clients that they one making this WHMCS big

[ditto]

I don't want and don't need the autoupdater, and I need to be able to completely disable the autoupdater before upgrading to v7.

[ditto]

Exactly right. Some things generally are acceptable to be autoupdated, like Cpanel itself. Most of the time it works fine and allows for rolling out things that need fixing quickly. No worries there. My billing system is a whole other ballgame. I didn't want or need the autoupdater, so would like the option not to have it run at all, not just having it hidden from my sight.

Frankly, it's the same with the cron change. I don't want to have to run that every 5 minutes and suppress notices. Once per day was fine. What could possibly have changed that would require that frequency of it running?

 

Not liking the direction here.

 

Regarding the five minute cron job. Is it a requirement for whmcs 7, or will I be able to run the cron job only once every day instead of every five minutes?

 

I feel really bad about whmcs 7 because of not being able to disable auto upgrader completely, and also this talk about running a cron job every five minutes. I feel sick in my stomach. Hope they will change these things.

[cloferba]

Regarding the five minute cron job. Is it a requirement for whmcs 7, or will I be able to run the cron job only once every day instead of every five minutes?

 

I feel really bad about whmcs 7 because of not being able to disable auto upgrader completely, and also this talk about running a cron job every five minutes. I feel sick in my stomach. Hope they will change these things.

Why don't you just disable allow_url_fopen??

 

 

• Automatic Updates require the allow_url_fopen setting to be enabled in your PHP configuration.
  

[twhiting9275]

Why don't you just disable allow_url_fopen??

 

 

• Automatic Updates require the allow_url_fopen setting to be enabled in your PHP configuration.
  

 

That would likely break other software.

Disabling useful PHP functionality because a software company can't lock its own software down appropriately is just backwards. Given the time they claim to have put into this, you'd think this would be already implemented.

[bear]

a software company can't lock its own software down appropriately is just backwards.

Many folks clamored for this, and they came up with a way. It's not a matter of WHMCS locking down this feature, it's that users want the choice to fully disable it. I know I do. I've seen in the past someone sneaking into a server and quietly adding something to scripts the author didn't catch in time and it gets pushed out. It happens, regardless of the amount of precautions that are taken. Billing scripts that also have server connections to exploit are a pretty juicy target, so I'd be *very* careful about auto updating, and would prefer there isn't any function to send something *to* my install. It makes me very uncomfortable.