[SingCERT] Alert on WordPress Auto-Update Policy

Published on 13 Aug 2019

Updated on 07 Jan 2020



The WordPress development team will be introducing a new auto-update policy that affects WordPress versions v3.7 to v4.6 to address security issues affecting about 11.7% of all WordPress sites.


At present, the oldest secured version is v4.7; older versions are susceptible to multiple vulnerabilities such as the injection of malicious scripts.


The implementation plan will be rolled out in incremental phases.  WordPress targets to auto-update v3.7 to the minimum supported version v4.7 first, and subsequently versions v3.8 up to v4.6. Site owners will be given the option to opt out of this auto-update policy and manually update their respective sites.


If a website fails to auto-update properly, it will roll back, and the site owner will receive an email notification from WordPress informing them to manually update to the latest version.


Affected Versions


Websites with WordPress Versions:

  • v3.7 to v4.6



Users and site administrators are urged to update your WordPress versions to the latest version once they are available. You may receive official updates from WordPress via email or you can access https://wordpress.org/news for more information.