In WordPress 4.7.0, a new API was introduced that turned out to be insecure.
The new REST API, which is enabled by default in all WordPress 4.7.0 releases, can be used to modify posts without having administrator rights.
This is every hacker’s dream! With automated injections, modifying posts could lead to millions of sites displaying unwanted text, advertisements, and links.
Silence is golden
The WordPress developers were informed of the vulnerability by a major security company. From that moment on, the developers worked tirelessly to test and fix the vulnerability.
To prevent hackers from gaining an advantage, they kept knowledge of the vulnerability quiet and implemented a forced update. It was only a week after the update was released to millions of sites that the news became public.
What is a forced update?
This forced update is different from any regular update. Normally, you can choose whether you want to update WordPress automatically or not.
This update to 4.7.2 was forced and applied even to websites with “automatic updates” turned off.
Who disables automatic updates?
You would expect that automatic updating only has advantages. You don’t have to pay attention to updates yourself, and your website never falls behind.
But sometimes, the plugins you use are not up to date, or there are no more updates provided for the plugins.
At that moment, the new WordPress release may conflict with your plugin, causing the plugin to stop working or display errors on your website.
And if you don’t notice it because the update was done automatically…
What does WPbeveiligen do with updates?
For websites with 2-5 plugins, it is relatively safe to allow automatic updates. However, when it comes to websites with 8-20 plugins, we prefer to perform updates manually, especially for plugins. While updating, we check the website to ensure everything is still functioning correctly. If an error occurs, we can immediately identify the cause.