It’s almost like clockwork: Every time a major update rolls out for a software platform or service provider, no matter how many bugs it fixes, a couple of others show up. It’s like a game of technological Whack-a-Mole sometimes.
Unfortunately, the latest WordPress update — the 4.4.2 security update — appears to be no exception.
What it fixes
The new update to the platform’s open-source blogging and content management system specifically deals with a couple of significant security holes.
The patch fixes a possible Server-Side Request Forgery (SSRF) vulnerability that can affect local addresses. In an SSRF, the attacker gets the server to send requests on their behalf, which hides who is really behind the activity and how the target is being accessed or modified. Since this is a serious security issue, WordPress made it a priority to fix it with this update. This isn’t a first for WordPress, though: it fixed a similar issue via the 3.5.2 patch way back in June 2013.
The other security issue that this patch fixes is an open redirection attack - an attempt to abuse the way a site links or redirects visitors to external sites. To address this, WordPress developed a new block of code that ensures enhanced validation - and thus, better security - of Web addresses used in HTTP redirects.
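The two kinds of check described above, sketched in Python as an added example; this is not WordPress's own code, and the allowlist, function names and hostnames are assumptions made for illustration. It rejects fetch URLs whose host resolves to a local address (the SSRF case) and redirect targets that leave an allowed host (the open redirection case).

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist for this example; a real site lists its own hosts.
ALLOWED_REDIRECT_HOSTS = {"example.com", "www.example.com"}

def is_local(address):
    """True for loopback, private, link-local and other non-public IPs."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return True  # not an IP literal: fail closed
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still 127.0.0.1
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)

def system_resolve(host):
    """Default resolver: every address the hostname maps to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def is_safe_fetch_url(url, resolve=system_resolve):
    """SSRF check: allow only http(s) URLs whose host resolves to public IPs."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False
        addresses = resolve(parts.hostname)
    except (ValueError, OSError):  # malformed URL or failed lookup
        return False
    # One local address among several is enough to reject the URL.
    return bool(addresses) and not any(is_local(a) for a in addresses)

def safe_redirect_target(location, default="/"):
    """Open-redirect check: keep redirects on this site or an allowed host."""
    # Browsers drop tabs/newlines and read "\" as "/", so normalise first.
    cleaned = "".join(c for c in location if c not in "\t\r\n")
    cleaned = cleaned.strip().replace("\\", "/")
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return default
    if not parts.scheme and not parts.netloc:
        # Relative URL: accept only a path rooted on this site.
        return cleaned if cleaned.startswith("/") else default
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return cleaned
    return default
```

A check like this only holds if the later HTTP request connects to the same addresses that were vetted, since a second DNS lookup can return something different.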
The WordPress 4.4.2 update also fixes 17 other bugs that have to do with the platform’s functionality. The first update, which was released on Jan. 6, included 52 bug fixes and a patch that fixes a scripting vulnerability.
What it doesn’t fix - or what it possibly breaks
Our clients have reported a number of issues with their WordPress sites:
While we have yet to determine for sure if it really was the update that caused these, it looks as if it’s an Occam’s Razor situation. Basically, since these issues started popping up after the users updated their sites with the latest version of the platform, it’s highly likely that plugin incompatibility with the new version caused most of the issues reported to us. As a result, most plugins need to be re-configured for the latest version in order to function properly.
So, what should you do?
We strongly advise you to upgrade to the new version after taking steps to check that your site is unlikely to suffer incompatibility issues. When you're ready, you can download WordPress 4.4.2 directly from the dashboard. If your site is configured to automatically update to new versions, it's likely that your site has already been updated.
In the meantime, if you have related questions or concerns, drop us a line! You can schedule time with one of our Client Relationship Managers here.