Don’t Get Abandoned on WordPress 4.9.3

A pretty unfortunate and important issue happened when WordPress 4.9.3 was released a few days ago: it has an error that makes it impossible for WordPress to update itself again. After the error was understood, they stopped rolling out automatic updates. But that was after quite a few sites (speculatively: millions) had updated to it. That’s a problem. So, if you’re running 4.9.3 on any WordPress site, make sure that it (manually, perhaps) gets to WordPress 4.9.4. That’s crucial. Let’s explore why.

One of the best things that WordPress has done to enhance the security of itself, and thus the wider internet, is auto-updates. Out-of-date WordPress sites are probably the top cause of compromise, and while automatic plugin updates haven’t become de rigueur, automatic WordPress core updates fortunately are. The issue is that if you’re on 4.9.3, you’re back to the state of manually having to click the “Update” button for your site to be secure again. It’s not the end of the world–we lived like that for years–but it’s not the ideal security situation.

There are many ways you or another WordPress administrator may not need to click the button inside each site dashboard, even with this issue. Let’s highlight a couple of them:

  • Many hosts who specialize in WordPress (including our favorite, SiteGround) are independently processing WordPress sites and doing minor version updates (4.9.x -> 4.9.y) on the regular. If these succeed, you’ll be fine.
  • If you’re doing remote management of WordPress (ManageWP, MainWP, InfiniteWP, etc.), it should update the site just fine.
  • If you’re in the habit of updating everything periodically–WordPress core, plugins, and themes–as you should be, you’ll eventually update from 4.9.3 easily. Fortunately, neither 4.9.3 nor 4.9.4 has any security implications, so updating in the next few weeks is likely soon enough for your site to be safe.
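If you look after several sites on one server, you first need to know which of them are sitting on 4.9.3. The script below is an added example, not part of the original post or of WordPress itself: it reads the version recorded in each install's `wp-includes/version.php` and lists the installs on 4.9.3. The function names and the constructed demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find WordPress installs under a directory that are on 4.9.3.
# Assumption: each install keeps the stock wp-includes/version.php, which
# holds a line of the form  $wp_version = '4.9.3';

# Print the core version recorded for the install rooted at $1.
wp_core_version() {
    sed -n 's/^[$]wp_version[^0-9]*\([0-9][0-9A-Za-z.-]*\).*/\1/p' \
        "$1/wp-includes/version.php" 2>/dev/null | head -n 1
}

# Print the root of every install below $1 whose core version is 4.9.3.
find_stuck_sites() {
    find "$1" -type f -path '*/wp-includes/version.php' 2>/dev/null |
    while IFS= read -r f; do
        site=${f%/wp-includes/version.php}
        if [ "$(wp_core_version "$site")" = "4.9.3" ]; then
            printf '%s\n' "$site"
        fi
    done
}

# Constructed sample: two fake installs in a temp dir, to show the scan.
demo() {
    tmp=$(mktemp -d) || return 1
    for v in 4.9.3 4.9.4; do
        mkdir -p "$tmp/site-$v/wp-includes"
        printf "<?php\n\$wp_version = '%s';\n" "$v" \
            > "$tmp/site-$v/wp-includes/version.php"
    done
    find_stuck_sites "$tmp"
    rm -rf "$tmp"
}

# With a directory argument, scan it; with none, run the constructed demo.
if [ "$#" -gt 0 ]; then
    find_stuck_sites "$1"
else
    demo
fi
```

Every install it prints still needs the one-time manual update to 4.9.4; after that, automatic core updates can take over again.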

It’s a pity, and highlights a process deficiency, that this sort of bug made it into a WordPress release. But it’s also not a disaster, which is something to both be grateful for and aware of. I’m sure the core team is seriously working on checks to make sure that this kind of thing doesn’t happen in the future, and I’ll definitely take that.

