[SingCERT] Alert on WordPress Auto-Update Policy
13 August 2019
The WordPress development team will introduce a new auto-update policy that affects WordPress versions v3.7 to v4.6 to address security issues affecting about 11.7% of all WordPress sites.
At present, the oldest secured version is v4.7; older versions are susceptible to multiple vulnerabilities such as the injection of malicious scripts.
The implementation plan will be rolled out in incremental phases. WordPress aims to auto-update sites on v3.7 to the minimum supported version, v4.7, first, and subsequently sites on versions v3.8 up to v4.6. Site owners will be given the option to opt out of this auto-update policy and manually update their respective sites.
If a website fails to auto-update properly, it will roll back, and the site owner will receive an email notification from WordPress instructing them to manually update to the latest version.