WordPress suffered a sizeable human error yesterday. The 4.9.3 update shipped with erroneous code that breaks the auto-update script itself: it triggers a fatal error during the update run, so a site on 4.9.3 may never receive future automatic WordPress core updates.
Does this affect me?
These automatic updates have been available since WordPress 3.7 and have kept many an install secure through regular patching and updating. The WordPress team has kept zero-day bugs out of hackers' reach by shipping patches quickly and efficiently. However, with auto-updates effectively disabled on WordPress 4.9.3 sites, that security-by-auto-update is no longer available.
I own a small business and have a WordPress website set up to display my services, my products, and a simple contact form to allow potential customers to get in touch with me. I almost never log in, and rely on auto-updates to keep my site running smoothly. I used to have a web developer, but they seem uninterested in supporting my site further.
– Small business that’s about to be hacked (probably)
If your host applies WordPress updates server-side through cron jobs running WP-CLI, you're unlikely to face any issues. However, this is often not the case.
Regularly active WordPress site owners will most likely see the patch and update (as most admins do). However, if you're one of the many small businesses that run a marketing site on WordPress and log in once in a blue moon, you're very unlikely to notice this issue. If you let months (or even weeks, or days) pass without updating to the patched 4.9.4 release, you could easily miss future core security patches and updates, leaving your site vulnerable to horrific consequences.
What happens if I don’t update?
With hackers looking for vulnerable servers to host their bitcoin mining botnets, WordPress admins and site owners should be ever more vigilant with updates and security.
If you're running on a server with limited resources, your website could hit those resource limits and be shut down altogether. In a less doomsday-like scenario, your web server could be crippled in speed, causing intermittent errors and server failures. That may only be a nuisance for visitors to a marketing site, but it is critical for an eCommerce solution. There is even the possibility that hackers could rack up billing charges on your hosting account if you're running on auto-scaling server infrastructure. That is a much more complicated setup, but possible nonetheless.
How do I fix the issue?
The simple answer is to update your WordPress core to 4.9.4 if it hasn't been already.
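A server-side check of the kind mentioned above (a cron job running WP-CLI), as an added example rather than anything from the original post: it compares the installed core version against 4.9.4 and runs `wp core update` only when the site is still on a release whose built-in auto-updater is broken. It assumes WP-CLI is installed as `wp` and that the cron user can read the site directory; `/var/www/html` and the script path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a cron-driven WP-CLI check
# that updates core when the installed version predates the 4.9.4 fix.
# Assumes WP-CLI is installed as `wp` and the cron user can read the site.
set -eu

PATCHED_VERSION="4.9.4"   # first release with the auto-update fix

# version_lt A B: return 0 (true) when dotted version A is lower than B.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        ax="${ax:-0}"; bx="${bx:-0}"
        [ "$ax" -lt "$bx" ] && return 0
        [ "$ax" -gt "$bx" ] && return 1
        # drop the component just compared ("4.9.3" -> "9.3", "9" -> "")
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# needs_core_update VERSION: 0 when VERSION predates the fix and must be updated.
needs_core_update() {
    version_lt "$1" "$PATCHED_VERSION"
}

# check_and_update SITE_PATH: ask the live site for its version via WP-CLI and
# update core (plus the database schema) if the auto-updater is still broken.
check_and_update() {
    site="$1"
    installed=$(wp core version --path="$site")
    if needs_core_update "$installed"; then
        echo "$site: WordPress $installed predates $PATCHED_VERSION, updating core"
        wp core update --path="$site"
        wp core update-db --path="$site"
    else
        echo "$site: WordPress $installed is at or past $PATCHED_VERSION, nothing to do"
    fi
}

# Runs only when a site path is given, e.g. from cron (placeholder paths):
#   0 3 * * * /usr/local/bin/wp-core-check.sh /var/www/html
if [ $# -gt 0 ]; then
    check_and_update "$1"
fi
```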
The better answer, once your installation is updated, is to turn on a security service like Wordfence that automatically notifies you of issues like this, available updates, and required updates. Make sure these notifications go to an email address that you or your WordPress manager check often.
If you lack the time to update or maintain your WordPress website, hire a professional, and thank me for the advice later.