Emergency WP 5.5.3 Release

The WordPress core team has released an emergency release of WordPress 5.5.3, just one day after the release of version 5.5.2. This emergency release remedies an issue introduced in WordPress 5.5.2 that made it impossible to install WordPress on a brand new website without a database connection configured. While the team was preparing this emergency release, a second issue caused a number of sites to be erroneously updated to version 5.5.3-alpha.

According to the release notes, between approximately 15:30 and 16:00 UTC on October 30, the WordPress auto-update system updated some sites from version 5.5.2 to 5.5.3-alpha. This occurred because the WordPress Core team disabled the download of the 5.5.2 release in an attempt to prevent new users from using this version. By disabling the download for 5.5.2, the wordpress.org API returned the alpha version 5.5.3-alpha-49449 as the version to which WordPress should update.

An analysis of the 5.5.3-alpha-49449 release found little difference between the WordPress 5.5.2 release and WordPress 5.5.3-alpha-49449 as much of the core functionality is the same. No reported site functionality was lost due to the error. However, with that autoupdate, a number of additional Twenty- themes were installed along with the Akismet plugin.

To fix both issues, the Core team first re-enabled the download of 5.5.2 to prevent sites from updating to the alpha version, then issued the emergency release of WordPress 5.5.3 to address the issue that prevented new installations.

What Should I Do?

If your site was updated to WordPress 5.5.3-alpha, you may have additional themes installed on your site. You might also have Akismet installed. These themes and the plugin were not activated if they were installed as part of the pre-release package. Check your theme and plugin installations. No other plugins would have been installed or removed.

Update your sites normally to WordPress 5.5.3, just as you would for any other WordPress update. If you are allowing your site to autoupdate, the 5.5.3 version may already be installed.

If you had not yet updated to WordPress 5.5.2, updating to 5.5.3 is essentially the same update with a minor fix. Updating your site is safe to do.
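The theme and plugin check above can be scripted against the files on disk. The following is an added example, not code from WordPress or Wordfence; the function names are hypothetical, and it assumes the standard WordPress layout (`wp-includes/version.php`, `wp-content/themes`, `wp-content/plugins/akismet`) and that the bundled default themes live in folders whose names begin with `twenty`.

```shell
#!/bin/sh
# Added example: filesystem-only audit for leftovers of the 5.5.3-alpha update.
# It cannot tell which theme is active; that setting lives in the database.

# Print the core version recorded in wp-includes/version.php.
wp_core_version() {
    sed -n "s/^[$]wp_version *= *'\([^']*\)';.*/\1/p" "$1/wp-includes/version.php"
}

# Succeed when the version is the pre-release build named in the post.
is_alpha_build() {
    case "$1" in 5.5.3-alpha*) return 0 ;; *) return 1 ;; esac
}

# List bundled Twenty* theme folders and Akismet, skipping any names the
# caller passes as intentionally installed (assumed folder naming).
list_leftovers() {
    root=$1; shift
    for dir in "$root"/wp-content/themes/twenty*/ "$root"/wp-content/plugins/akismet/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir"); keep=no
        for k in "$@"; do if [ "$k" = "$name" ]; then keep=yes; fi; done
        [ "$keep" = yes ] || echo "$name"
    done
}

audit() {
    site=$1; shift
    version=$(wp_core_version "$site")
    if is_alpha_build "$version"; then
        echo "core: $version (pre-release build; update to 5.5.3)"
    else
        echo "core: $version"
    fi
    list_leftovers "$site" "$@" | sed 's/^/review: /'
}

# Constructed sample tree (not a real site) so the script runs offline.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/plugins/akismet"
    for t in twentytwelve twentytwenty generatepress; do mkdir -p "$d/wp-content/themes/$t"; done
    printf "<?php\n\$wp_version = '5.5.3-alpha-49449';\n" > "$d/wp-includes/version.php"
    echo "$d"
}

# Usage: sh audit.sh /path/to/wordpress [theme-to-keep ...]; no arguments runs the sample.
if [ $# -gt 0 ]; then audit "$@"; else audit "$(make_sample)" twentytwenty; fi
```

Anything printed on a `review:` line is a folder to confirm or remove by hand; a plugin folder that is neither expected nor Akismet is outside what this update installed and needs its own investigation.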

Comments

26 Comments
  • So does this mean that our sites that were auto-updated need to get the twenty[whatever] theme folders removed AGAIN manually???

    • IF you got that alpha update, you may need to manually remove those themes. Doing so via FTP rather than wp-admin is definitely easier.

  • Thanx for the info.

  • Thanks, noticed that today, was very strange...Downloaded 5.5.2 and worked just fine. Kudos for the WP team to react so fast!

    • I have updated manually to 5.5.3, but Wordfence doesn't seem to recognize it. It's complaining about an unknown core file version. I'm assuming you're just a bit behind the official 5.5.3 release, but thought I'd put that out there just in case.

      • That happens for a few minutes as our systems update to the new version.

  • Did they stop auto updating sites to 5.5.2 because of this? My site never updated to 5.5.2. I wonder if they stopped the process when they discovered another update was needed.

    • That is a possibility. Updating to 5.5.3 should be just fine for you.

  • Nice Proactive Update from the Wordpress Core Team

  • Greets - Giving a " big up " to the Wordfence team & those who work tirelessly on their machines to keep the world's wordpress sites ticking over day / night.

  • You are so good, thanks for the info.

  • Thanks for this update!

  • Thank you for the info. I check my mail as usual and found this email from Wordfence, checked my WP Dashboard, and boom, the 5.5.3 update. BTW, WordPress development is really awesome. Thumbs up to the teams.

  • So Wordpress made an update that made it impossible for new users who didn't have a configuration file already to install WordPress. This problem didn't affect existing websites. But they made it that way by pulling the update so existing sites would install an alpha update. Not that anything was affected except to install a possible theme and plugin that site owners may not have wanted. But it could have been worse being an alpha version.

    I think if anything this whole incident highlights why auto-updates are a bad thing. Auto updates rely on trust in the development team to put out updates that are tested thoroughly and they have plans in place to deal with a bad update. Today Wordpress showed they could do neither.

    I don't understand why the problem for new users was not detected before this update was released. Is that a case that Wordpress feels that is not worthy of testing? But their actions after discovering the problem amount to a panic attack. Did they not consider what would happen if they reverted to 5.5.1, how sites with 5.5.2 already installed might react when auto-updating? Why not take the safer path of taking 5.5.1, repackaging it as 5.5.2. That way new users could install Wordpress and existing sites would not auto update since the version numbers match up?

    I just hope this doesn't get swept under the rug. But I am afraid it might because the damage done by it was minor. Until the procedures in regards to auto-updates are examined by Wordpress and I can put my trust in them again, then I will not be updating my sites by auto-update.

    • I'm certain we'll hear something from the core team at some point. Autoupdates started at version 3.7, and we've only seen a couple of cases of things going awry. We've benefited from safer sites with minor release autoupdating more than we've seen problems. And even with this mishap, the biggest problem has been additional themes/Akismet on a small percentage of sites. Even still, I'm certain the core team takes this very seriously and will be using this as a learning experience.

  • Thanks Wordfence - I love your reports on all things security and Wordpress, and more.
    Mistakes happen - so good on the Wordpress team for their pronto action.
    Thanks, and well wishes to all

  • Indeed, in the last days I noticed several automated updates.
    On one customer's site, Wordfence notified me about a login from Indonesia (I live in Germany!) and some hours later, Wordfence informed me about three malicious or unsafe files:
    wp-content/plugins/xsid/kerz.php
    wp-content/plugins/xsid/mini.php
    wp-content/plugins/xsid/index.php

    After removing the Akismet plugin, the "xsid" folder was removed and the Wordfence scan no longer showed any problems.

    Next thing is to change the database password.

    I reviewed the PHP files shortly. I remember that these files enable file uploads to attackers.

    Take care and review the contents of "wp-content/plugins/xsid/". There could be malicious code.

    All the best for you,
    stay healthy...
    Michael

    • Hi Michael, /xsid/ does not look like a valid plugin slug. If you had a malicious login prior, you may have had an admin account compromised and an upload of a malicious plugin zip file. Two-factor authentication is a great way to keep things protected if you do have a compromised credential situation.

  • Thank you!

  • Thank you. Your post was timely since I was scratching my head trying to work out why every single theme from TwentyTwelve to TwentyTwenty were suddenly installed on my website in addition to GeneratePress this morning.

  • Hi guys, Thanks for the info. However, I can't access my website by the admin dashboard. I use the two authentication and this doesn't work with Google Authenticator. I had deactivated wordfence in order to be able - maybe - to access my site and nothing works. I also had a database too full which I deleted, but still the authentication doesn't work, and I can't access my website, even by deactivating ALL plugins. Hope someone will help on this matter. Thanks a lot.

    • Hi Gilles, please reach out to support at https://support.wordfence.com, or on the forums https://wordpress.org/support/plugin/wordfence/ if you're still using the free version. We're happy to assist.

  • Thanks for keeping us apprised Wordfence! You guys rock!

  • Urk.... :-( I normally install updates within a day or two of them coming out and almost never see problems, but for some reason this update gets stuck at the "Verifying the unpacked files…" stage, and won't finish. I've been googling for a solution, but nothing working yet.

  • Thank you so much for always keeping us well informed.