
Wordfence Blog

Emergency WP 5.5.3 Release

This entry was posted in WordPress Security on October 30, 2020 by Matt Barry.

The WordPress core team has released an emergency release of WordPress 5.5.3, just one day after the release of version 5.5.2. This emergency release was done to remedy an issue introduced in WordPress 5.5.2 making it impossible to install WordPress on a brand new website without a database connection configured. In preparing for this emergency release, a second issue caused a number of sites to be erroneously updated to version 5.5.3-alpha.

According to the release notes, between approximately 15:30 and 16:00 UTC on October 30, the WordPress auto-update system updated some sites from version 5.5.2 to 5.5.3-alpha. This occurred because the WordPress Core team disabled the download of the 5.5.2 release in an attempt to prevent new users from using this version. By disabling the download for 5.5.2, the wordpress.org API returned the alpha version 5.5.3-alpha-49449 as the version to which WordPress should update.

An analysis of the 5.5.3-alpha-49449 release found little difference between it and the WordPress 5.5.2 release, as much of the core functionality is the same. No loss of site functionality was reported due to the error. However, that auto-update also installed a number of additional default Twenty* themes along with the Akismet plugin.

To fix both issues, the Core team first re-enabled the 5.5.2 download to stop sites from updating to the alpha version, then followed with the emergency release of WordPress 5.5.3 to address the issue that prevented new installations.

What Should I Do?

If your site was updated to WordPress 5.5.3-alpha, you may have additional themes installed on your site. You might also have Akismet installed. These themes and the plugin were installed but not activated as part of the pre-release package. Check your theme and plugin installations. No other plugins would have been installed or removed.

Update your sites normally to WordPress 5.5.3, just as you would for any other WordPress update. If you allow your site to auto-update, the 5.5.3 version may already be installed.

If you had not yet updated to WordPress 5.5.2, updating to 5.5.3 is essentially the same update with a minor fix. Updating your site is safe to do.
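As an added check (example code, not from the post or from WordPress), the script below audits a WordPress root offline: it reads the installed core version from wp-includes/version.php, flags an alpha build, and lists the Twenty* themes and the Akismet plugin the alpha package carried. Run without a path it builds a constructed fake install tree so it can be tried anywhere; `installed_version`, `bundled_extras` and `audit` are names assumed here.

```python
"""Offline audit for a WordPress site hit by the 5.5.3-alpha auto-update.
Added example, not code from the Wordfence post or WordPress; read-only, no network.
Reports the installed core version and the Twenty* themes / Akismet the alpha package carried."""
import re
import sys
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Matches the $wp_version assignment in wp-includes/version.php.
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def installed_version(wp_root: Path) -> Optional[str]:
    """Return $wp_version from wp-includes/version.php, or None if missing."""
    version_php = wp_root / "wp-includes" / "version.php"
    if not version_php.is_file():
        return None
    match = VERSION_RE.search(version_php.read_text(encoding="utf-8", errors="replace"))
    return match.group(1) if match else None


def is_alpha_build(version: Optional[str]) -> bool:
    """True for pre-release builds such as 5.5.3-alpha-49449."""
    return bool(version) and "-alpha" in version


def bundled_extras(wp_root: Path) -> Dict[str, object]:
    """Twenty* themes and Akismet found on disk. Presence is a hint, not proof:
    many sites legitimately ship with some of them, so compare with what you expect."""
    themes_dir = wp_root / "wp-content" / "themes"
    themes = sorted(
        p.name for p in themes_dir.iterdir() if p.is_dir() and p.name.startswith("twenty")
    ) if themes_dir.is_dir() else []
    akismet = (wp_root / "wp-content" / "plugins" / "akismet").is_dir()
    return {"twenty_themes": themes, "akismet_present": akismet}


def audit(wp_root: Path) -> Dict[str, object]:
    """Combine version and on-disk findings into one report."""
    version = installed_version(wp_root)
    return {"version": version, "alpha": is_alpha_build(version), **bundled_extras(wp_root)}


def constructed_fixture() -> Path:
    """Build a constructed (fake) install tree that mimics a site hit by the alpha update."""
    root = Path(tempfile.mkdtemp(prefix="wp-alpha-"))
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '5.5.3-alpha-49449';\n")
    for name in ("twentynineteen", "twentytwenty", "generatepress"):
        (root / "wp-content" / "themes" / name).mkdir(parents=True)
    (root / "wp-content" / "plugins" / "akismet").mkdir(parents=True)
    return root


if __name__ == "__main__":
    print(audit(Path(sys.argv[1]) if len(sys.argv) > 1 else constructed_fixture()))
```

Pass the real WordPress root as the first argument to audit a live site; the script only reads the tree and never removes anything.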


26 Comments on "Emergency WP 5.5.3 Release"

Jeff Kee October 30, 2020 at 3:29 pm

So does this mean that our sites that were auto-updated need to get the twenty[whatever] theme folders removed AGAIN manually???

Kathy Zant November 2, 2020 at 5:39 am

IF you got that alpha update, you may need to manually remove those themes. Doing so via FTP rather than wp-admin is definitely easier.

Josephine Isaac October 30, 2020 at 3:29 pm

Thanx for the info.

Jeff October 30, 2020 at 3:35 pm

Thanks, noticed that today, was very strange...Downloaded 5.5.2 and worked just fine. Kudos for the WP team to react so fast!

B.Bergman October 30, 2020 at 4:11 pm

I have updated manually to 5.5.3, but Wordfence doesn't seem to recognize it. It's complaining about an unknown core file version. I'm assuming you're just a bit behind the official 5.5.3 release, but thought I'd put that out there just in case.

Kathy Zant November 2, 2020 at 5:37 am

That happens for a few minutes as our systems update to the new version.

Blkcatgal October 30, 2020 at 3:40 pm

Did they stop auto updating sites to 5.5.2 because of this? My site never updated to 5.5.2. I wonder if they stopped the process when they discovered another update was needed.

Kathy Zant November 2, 2020 at 5:38 am

That is a possibility. Updating to 5.5.3 should be just fine for you.

John Mfon John October 30, 2020 at 3:47 pm

Nice Proactive Update from the Wordpress Core Team

NH54 Guest House October 30, 2020 at 3:48 pm

Greets - Giving a " big up " to the Wordfence team & those who work tirelessly on their machines to keep the world's wordpress sites ticking over day / night.

Lucas October 30, 2020 at 3:54 pm

You are so good, thanks for the info.

bluestemmedia October 30, 2020 at 3:58 pm

Thanks for this update!

Chris October 30, 2020 at 4:12 pm

Thank you for the info. I check my mail as usual and found this email from Wordfence, checked my WP Dashboard, and boom, the 5.5.3 update. BTW, WordPress development is really awesome. Thumbs up to the teams.

Michael Kelly October 30, 2020 at 5:29 pm

So WordPress made an update that made it impossible for new users who didn't have a configuration file already to install WordPress. This problem didn't affect existing websites. But they made it that way by pulling the update so existing sites would install an alpha update. Not that anything was affected except to install a possible theme and plugin that site owners may not have wanted. But it could have been worse being an alpha version.

I think if anything this whole incident highlights why auto-updates are a bad thing. Auto updates rely on trust in the development team to put out updates that are tested thoroughly and they have plans in place to deal with a bad update. Today WordPress showed they could do neither.

I don't understand why the problem for new users was not detected before this update was released. Is that a case that WordPress feels that is not worthy of testing? But their actions after discovering the problem amount to a panic attack. Did they not consider what would happen if they reverted to 5.5.1, how sites with 5.5.2 already installed might react when auto-updating? Why not take the safer path of taking 5.5.1, repackaging it as 5.5.2. That way new users could install WordPress and existing sites would not auto update since the version numbers match up?

I just hope this doesn't get swept under the rug. But I am afraid it might because the damage done by it was minor. Until the procedures in regards to auto-updates are examined by WordPress and I can put my trust in them again, then I will not be updating my sites by auto-update.

Kathy Zant November 2, 2020 at 6:27 am

I'm certain we'll hear something from the core team at some point. Autoupdates started at version 3.7, and we've only seen a couple of cases of things going awry. We've benefited from safer sites with minor release autoupdating more than we've seen problems. And even with this mishap, the biggest problem has been additional themes/Akismet on a small percentage of sites. Even still, I'm certain the core team takes this very seriously and will be using this as a learning experience.

TJ October 30, 2020 at 6:49 pm

Thanks Wordfence - I love your reports on all things security and WordPress, and more.
Mistakes happen - so good on the WordPress team for their pronto action.
Thanks, and well wishes to all

Michael October 30, 2020 at 7:12 pm

Indeed, in the last days I noticed several automated updates.
On one customer's site, Wordfence notified me about a login from Indonesia (I live in Germany!) and some hours later, Wordfence informed me about three malicious or unsafe files:
wp-content/plugins/xsid/kerz.php
wp-content/plugins/xsid/mini.php
wp-content/plugins/xsid/index.php

After removing the Akismet plugin, the "xsid" folder was removed and the Wordfence scan showed no longer any problems.

Next thing is to change the database password.

I reviewed the PHP files shortly. I remember that these files enable file uploads for attackers.

Take care and review the contents of "wp-content/plugins/xsid/". There could be malicious code.

All the best for you,
stay healthy...
Michael

Kathy Zant November 2, 2020 at 5:36 am

Hi Michael, /xsid/ does not look like a valid plugin slug. If you had a malicious login prior, you may have had an admin account compromised and an upload of a malicious plugin zip file. Two-factor authentication is a great way to keep things protected if you do have a compromised credential situation.

Abel October 30, 2020 at 10:39 pm

Thank you!

Jonathan October 30, 2020 at 11:06 pm

Thank you. Your post was timely since I was scratching my head trying to work out why every single theme from TwentyTwelve to TwentyTwenty were suddenly installed on my website in addition to GeneratePress this morning.

Gilles October 31, 2020 at 4:57 am

Hi guys, thanks for the info. However, I can't access my website by the admin dashboard. I use two-factor authentication and this doesn't work with Google Authenticator. I had deactivated Wordfence in order to be able - maybe - to access my site and nothing works. I also had a database too full which I deleted, but still the authentication doesn't work, and I can't access my website, even by deactivating ALL plugins. Hope someone will help on this matter. Thanks a lot.

Kathy Zant November 2, 2020 at 5:34 am

Hi Gilles, please reach out to support at https://support.wordfence.com, or on the forums https://wordpress.org/support/plugin/wordfence/ if you're still using the free version. We're happy to assist.

Mark October 31, 2020 at 5:53 am

Thanks for keeping us apprised Wordfence! You guys rock!

Charles Tryon October 31, 2020 at 2:33 pm

Urk.... :-( I normally install updates within a day or two of them coming out and almost never see problems, but for some reason this update gets stuck at the "Verifying the unpacked files…" stage, and won't finish. I've been googling for a solution, but nothing working yet.

Erna Braat October 31, 2020 at 2:55 pm

Thank you so much for always keeping us well informed.
