WordPress users – do an update now, and do it by hand!

WordPress just announced a most embarrassing bug.

Earlier this week, the world’s most widely used blogging and content delivery platform pushed out its Version 4.9.3 Maintenance Release.

There weren’t any critical security patches in this one, but there were 34 bug fixes, and who doesn’t want bugs fixed promptly?

And for more than four years, updating WordPress has been pretty easy – you haven’t had to type a single word or press a single button.

As Naked Security’s Mark Stockley wrote, back in October 2013 when WordPress 3.7 came out:

We’ve all become quite used to the idea of the software on our desktops, tablets, laptops and smartphones silently patching itself in the background and it’s good to see popular web software catching up – it’s long overdue.

What makes background updates for WordPress such a significant step is the software’s sheer popularity. Nobody is quite sure how many of the world’s websites are running on WordPress but the consensus seems to be that it’s about 15% to 20%.

These days, some estimates put the WordPress website share even higher, in the upper 20% range, so automatic updates are even more important than they were back in 2013.

The Catch 22 bug

Unfortunately, the WordPress 4.9.3 update introduced an updating bug: after auto-updating to 4,9.3, WordPress will no longer update automatically.

The good news is that 4.9.4 is already out, published as an emergency fix just one day later…

…but the bad news is that you’ll have to pretend it’s 2012 all over again and update by hand. (Sadly, you’re only pretending, so you won’t be able to pick up a pocketful of bitcoins for $10 each while you’re there.)

Once you get 4.9.4, autoupdating will be restored, so when 4.9.5 comes out, it should take care of itself as you’d expect.

What to do?

WordPress has published an explanation of the bug and detailed instructions for “handraulic” updating; the TL;DR version is:

Simply visit your WordPress Dashboard → Updates and click “Update Now.”

Don’t delay – do it today, so you don’t risk forgetting about it and getting caught out down the road.

If someone else hosts your WordPress server for you, ask them to confirm that they’ve completed this week’s double update, unless they’ve notified you already.


from Naked Security – Sophos http://bit.ly/2EP9NDi
via IFTTT