We’ve had an interesting month reviewing the impact of the WordPress 4.9.3 update. For those who are not fully aware of the situation: the security release for over 30 vulnerabilities brought a critical new complication for future WordPress auto-updates. It broke the built-in auto-update mechanism.
So while millions of sites that use the built-in auto-update tool received the WordPress patches they needed, they will never be able to get another update via WordPress auto-update.
So what’s the world to do?
The next WordPress release, 4.9.4, fixed the issue. But because of the 4.9.3 issue, it will not be applied automatically by the WordPress auto-update mechanism; it needs to be installed manually. This means that every single WordPress website owner has to dive into the admin dashboard and click “Update Now”, or their website will run the old version forever, increasing its exposure to all sorts of hacks and attacks.
And while individual site owners will probably not realize any of this exists, the reality is that this issue falls onto the shoulders of hosting companies, especially those offering WordPress hosting. For example, Bluehost triggered an update to WordPress 4.9.4 on all WordPress websites on their servers. But obviously not every hosting company has the tools to do that.
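For a host without such tooling, the first step is knowing which installs are stuck. The script below is an added example, not code from WordPress or Perfect Dashboard: it walks a hosting root and lists every install still on 4.9.3. It assumes the standard core layout, where `wp-includes/version.php` assigns `$wp_version`; the function names and the sample tree are hypothetical.

```shell
#!/bin/sh
# Inventory check: list WordPress installs stuck on the release that,
# per the article, can no longer auto-update itself.
STUCK_VERSION="4.9.3"

# Print the core version recorded in <install>/wp-includes/version.php.
# Prints nothing if the file is missing or has no $wp_version assignment.
wp_version_of() {
    sed -n 's/^\$wp_version *= *.\([0-9][0-9A-Za-z.-]*\).*/\1/p' \
        "$1/wp-includes/version.php" 2>/dev/null | head -n 1
}

# Print, one per line and sorted, every install root under $1 whose
# core version equals STUCK_VERSION.
find_stuck_sites() {
    find "$1" -type f -path '*/wp-includes/version.php' 2>/dev/null |
    while IFS= read -r f; do
        site=${f%/wp-includes/version.php}
        if [ "$(wp_version_of "$site")" = "$STUCK_VERSION" ]; then
            printf '%s\n' "$site"
        fi
    done | sort
}

# Build a constructed sample tree (three fake accounts) for a dry run
# and print its root directory.
make_sample_tree() {
    root=$(mktemp -d)
    for pair in alpha:4.9.3 beta:4.9.4 gamma:4.9.3; do
        d="$root/${pair%%:*}/public_html/wp-includes"
        mkdir -p "$d"
        printf "<?php\n\$wp_version = '%s';\n" "${pair#*:}" > "$d/version.php"
    done
    printf '%s\n' "$root"
}

# Usage: sh script.sh /path/to/hosting/root
if [ "$#" -gt 0 ]; then
    find_stuck_sites "$1"
fi
```

The resulting list is what a host would feed into whatever out-of-band update method it has available.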
Hosting companies that use Perfect Dashboard Auto Updater were spared, since we roll out updates outside of the normal workflow. It’s the first time this has happened with WordPress core, but similar things happen with commercial plugins that use custom update mechanisms. It’s an important reminder that a tool which updates itself is always a single point of failure, and that, at a minimum, having a backup method of applying mass updates is something hosts should review.