Feb 8, 2018 | Web Site Security Plan, WordPress News
In the past week, WordPress has released versions 4.9.2 and 4.9.3 for security and bug fixes. WordPress 4.9.3 was released earlier this week and, unfortunately, it broke the auto-update mechanism in WordPress. Sites running 4.9.2 were auto-updated to 4.9.3 and will no longer be auto-updated unless you perform a manual update.
Following these updates, Wordfence put out a post explaining what happened.
WordPress 4.9.3 included a bug that causes a fatal PHP error when WordPress tries to update itself. This interrupts the auto-update process and leaves the site on 4.9.3 forever.
The core developers tried to reduce the number of API calls that occur when an auto-update job is run. According to the WordPress core development blog:
“#43103-core aimed to reduce the number of API calls which get made when the auto-update cron task is run. Unfortunately, due to human error, the final commit didn’t have the intended effect and instead triggers a fatal error as not all of the dependencies of find_core_auto_update() are met. For whatever reason, the fatal error wasn’t discovered before 4.9.3’s release – it was a few hours after release when discovered.”
Only Actively Maintained Sites Are Affected
WordPress has included the capability to auto-update since WP version 3.7, which was released four years ago. The WordPress auto-update function only updates minor versions by default. That means that only releases that change the number to the far right of your WP version will auto-update. In other words, if you were on 4.9.3 and 4.9.4 is released, your site will auto-update. But if WordPress 5.0.0 is released, your site will not auto-update by default.
It’s important to understand that WordPress works this way because that limits the number of sites that auto-updated to the version that broke auto-update. Only WordPress sites running 4.9.2 would have updated automatically to 4.9.3, which broke auto-update.
This is important because A) It means that the population of websites that now have a broken auto-update is smaller than ALL WordPress sites and more importantly B) The sites that have a broken auto-update would have been manually updated by the site owner when WordPress 4.9 was released.
This means that every site affected by this was manually updated to WordPress 4.9 “Tipton” after November 16, 2017, when 4.9 was released. So, while this bug is unfortunate, the good news is that, for the most part, it only affects actively maintained sites that have been manually updated by the admin within the last 3 months. If a site was not updated to WordPress 4.9 during that time, it will still be on an older track and will not have received the broken auto-update.
The sites that we are most concerned about are sites that are unmaintained. If auto-update broke on those sites, they may not receive another update for several years, until someone remembers the site exists and does an update. Those unmaintained sites are not affected by this and will continue to auto-update.
For example, we have an unmaintained test website that is currently on WordPress version 3.9.23 and it has been steadily receiving auto-updates without any updates from us. That site is not affected by this bug and it received its most recent auto-update on January 16th.
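The version policy described above (only same-track minor releases auto-apply, and 4.9.3 is stuck) as an added Python example; this is not Wordfence's or WordPress's own code, and the site inventory is constructed for illustration.

```python
# Added example: models the default core auto-update policy described in the
# post and triages a constructed site inventory for the 4.9.3 breakage.
# Assumes version strings in WordPress's own form, e.g. "4.9" or "4.9.3".

BROKEN = (4, 9, 3)  # release whose auto-updater fatals, per the post


def parse_version(version: str) -> tuple:
    """Turn '4.9' or '4.9.3' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in version.strip().split(".")]
    if len(parts) not in (2, 3):
        raise ValueError(f"unexpected WordPress version: {version!r}")
    while len(parts) < 3:          # WordPress writes 4.9.0 as plain "4.9"
        parts.append(0)
    return tuple(parts)


def would_auto_update(current: str, candidate: str) -> bool:
    """Default policy: only a newer release on the same major.minor track is
    applied automatically (4.9.3 -> 4.9.4 yes, 4.9.4 -> 5.0.0 no)."""
    cur, cand = parse_version(current), parse_version(candidate)
    return cur[:2] == cand[:2] and cand > cur


def triage(site_versions: dict, latest: str) -> dict:
    """Classify each site; 'manual' sites need an admin to run Dashboard -> Updates."""
    result = {}
    for site, ver in site_versions.items():
        v = parse_version(ver)
        if v == BROKEN:
            result[site] = "manual"       # stuck: auto-update is broken on 4.9.3
        elif v == parse_version(latest):
            result[site] = "current"
        elif would_auto_update(ver, latest):
            result[site] = "auto"         # picks up latest on the next cron run
        else:
            result[site] = "older-track"  # e.g. 3.9.x: still auto-updates within its own branch
    return result


# Constructed inventory, not real hosts.
INVENTORY = {
    "shop.example": "4.9.3",
    "docs.example": "4.9.4",
    "news.example": "4.9.1",     # e.g. a site whose update cron has not run yet
    "legacy.example": "3.9.23",
    "intranet.example": "4.8.3",
}

if __name__ == "__main__":
    for site, status in triage(INVENTORY, "4.9.4").items():
        print(f"{site:18} {INVENTORY[site]:8} {status}")
```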
Update Your Site Manually Now
Some of you will find that your hosting company has taken care of this for you, especially if you are on a ‘Managed WordPress’ plan. If you are now stuck on WordPress 4.9.3, you will need to manually update your site to continue receiving auto-updates. To update manually and get past this broken auto-update issue, simply sign into your WordPress site as your admin user and visit Dashboard → Updates and click “Update Now.”
After the update, make sure that your core version is 4.9.4. You can scroll down and check the bottom right of your admin panel and it should say “Version 4.9.4”.
Please share this info with the WordPress community to help make them aware that they will need to sign into their sites and do the manual update to get past version 4.9.3 and this issue.
Read the full article by Wordfence: “WordPress Update Breaks Future Auto-Updates. Manually Update Now!”
If you need help with updates, security or other WordPress questions, feel free to contact the Secure Hosting WP Team.
Jan 12, 2018 | General, Web Site Security Plan
The security industry has a habit of using terms like “ever-advancing” and “always-evolving” in relation to security threats like malware. After a while those terms seem more like throwaways considering the frequency of use.
But then 2017 happened, and those descriptive words became more relevant.
We’ve seen more victims and breached records, more attack vectors, and a lot more money being extorted. Equifax lost 143 million consumer records in a single data breach, all because they weren’t patching software on a regular basis. The number of records breached at Yahoo! alone may hit 3 billion when it is all sorted out.
In other words, cybercriminals had a banner year in 2017 – financially and otherwise – and it doesn’t look like there’s a bust for this boom anywhere on the horizon.
Case in point: according to Cybersecurity Ventures, the financial damage caused by cybercrime may hit $6 trillion by 2021. If you think that number is staggering, consider the fact that the estimate has doubled since just last year. On the flip side, according to Gartner, cybersecurity technology spending will hit $86.4 billion this year, while Cybersecurity Ventures predicts cumulative spending of $1 trillion from 2017-2021.
Putting this all into perspective, here’s a list of events and evolving trends that made 2017 stand out from the pack, for better or for worse:
1. Cybercrime is Great for the Job Market
Sometimes a very bad thing can bring about a good opportunity. More cybercrime and ever-advancing (see?) attack vectors mean more IT and security personnel will be needed to defend against it all. It’s already hard enough to find security pros to fill open posts, and the growing need will only serve to triple the number of unfilled jobs in security – rising to 3.5 million by 2021, according to Cybersecurity Ventures.
Cybersecurity has never been a bad career move, especially given that this particular segment of the job market has a zero percent unemployment rate.
2. The Growth of the Human Attack Surface
More people on the Internet means more opportunity for cybercriminals. According to TNW magazine, by the end of 2017 more than half (51%) of the world’s 7 billion people will be Internet users. That’s up nearly 100% in two years.
Cybersecurity Ventures goes on to predict that 75% of the world’s population will be Internet users in just four years, with 90% predicted to be online by 2030. In other words, the human attack surface is growing.
3. Cybersecurity Officially Becomes a U.S. Government Entity
Just this week the U.S. House of Representatives passed legislation that will change the designation of the Department of Homeland Security’s National Protection and Programs Directorate (NPPD) as the Cybersecurity and Infrastructure Security Agency (CISA).
The legislation assures that the agency will be “headed by a Director of National Cybersecurity and Infrastructure Security to lead national efforts to protect and enhance the security and resilience of US cyber-security, emergency communications, and critical infrastructure.”
These changes go beyond the U.S., as the European Union announced their own regulation around data protection in 2016 (GDPR) that is fast approaching the enforcement date of May 2018.
4. Governments Move to Ban Suspicious Security Software
Earlier this week the U.S. also passed legislation that officially bans the use of security software produced by Moscow-based Kaspersky Labs within civilian and military agencies. This follows concerns back in September that the technology has fallen under questionable influence by the Russian government.
In early December, the U.K. government started to make similar moves to ban Kaspersky software. It will be interesting to see if other security vendors will fall into this no-fly-zone in 2018.
5. Ransomware Goes Big
It’s well known by now that ransomware largely represents the biggest advance in cybercrime this year. Perhaps not the coding itself, but more through the scope and depth of its damage. Cybersecurity Ventures predicts the financial costs of global ransomware in 2017 will exceed $15 billion. Two years ago it was merely one-fifteenth of that amount.
Healthcare organizations have seen some of the biggest impact and it may only get worse. The numbers are high, but they are not hard to believe if you consider Danish shipping company Maersk will pay about $350 million to fix the damage caused by the NotPetya malware attack in late June.
6. Passwords Can Only Protect When They are Used
According to Verizon’s DBIR, a full 81 percent of confirmed breaches are due to weak, reused or stolen passwords. In our own research on the psychology of passwords, 91 percent of respondents understood the risk of reusing a password, yet 61 percent of them still do. It seems like the fear of forgetting a password outweighs what might seem like a remote chance of getting hacked.
These stats ring true when you read about New York’s Stewart International Airport whose backup systems were discovered to have no password protection. Exposed server data showed that airport staff, over an unknown period of time, did not have access to the TSA’s “No Fly” list. Ouch.
Another example involves data analytics firm Deep Root Analytics, which was hired by the Republican National Committee to gather political information about U.S. voters. A cyber analyst discovered that personal data representing nearly 200 million American citizens was kept on an Amazon cloud server without password protection for nearly two weeks.
Deloitte, HBO, Mandiant and several others had a particularly bad year when it came to password security hygiene. Perhaps a better password management system would have helped brace these firms against these breaches.
7. System Not Responding
An anonymous hacker successfully yanked down one-fifth of the dark web in February after he hacked Freedom Hosting, the company that hosts thousands of dark web domains. This gave me great satisfaction to know that cybercriminals around the world were dealing with a whole lot of 404 error messages while their sites went boom.
8. Bitcoin Valuation Cuts Both Ways
We’re ending the year on a different note. The super-fast increase in Bitcoin valuation (now about $16,500 per coin) presents both a plus and a minus for cybercriminals. For those who have already had a good run, collecting bitcoins along the way as ransom or just to run their businesses, it’s a big win.
For those who use Bitcoin as a means to pay ransom for data held hostage, they are going to have to adjust their approach or else paying ransom is going to be too expensive for almost everyone, and not just the modestly-sized school system or hospital.
Read the full article at the source: “8 Reasons Why Cybercrime Had a Banner Year” – The LastPass Blog