If you use WordPress, and you allow strangers to register for WordPress accounts (which isn’t usually a good idea, but some plugins require it), it’s possible to accidentally configure it so that those new users get created as WordPress administrators. That can happen simply by doing this:
We don’t think it’s reasonable to ever create new users as “Administrators” by default, regardless of whether you have “anyone can register” turned on. (Even if “anyone can register” is turned off now, it would be easy to turn it on later without remembering to change the default role back.)
To make sure our customers’ sites stay secure, we’ve added some protections against this:
Setting the “New User Default Role” to “Administrator” is blocked at the Web Application Firewall (mod_security) level on our servers, whether from the WordPress dashboard or from any other web request;
If it somehow gets set anyway, our security systems will detect it as part of the daily security scan we do of every site;
If your site already had this setting as of today, we’ve restored it to the default “Subscriber” role.
Nobody should notice any changes as a result of this, but as always, don’t hesitate to contact us if you have any questions or difficulties.
If you’ve previously installed an older version of WordPress, you should update it from within your WordPress Dashboard.
One great new feature of WordPress 5.5 is that it adds automatic updates of plugins and themes. We strongly recommend enabling this feature to improve the security of your site. To do that, just click “Enable auto-updates” for all your plugins and themes:
That’s all it takes to prevent most “hacker” attacks on your site.
If you have a WordPress site, and you use both the WP Super Cache plugin and the Cloudflare content delivery network, the latest version 1.6.8 of WP Super Cache may not properly cache your pages by default.
This is because of a quirk of the update: A new setting makes it think all Cloudflare visitors are “known users” because they have a “cookie” set. If you had the old “disable caching for known users” option turned on before the update, it won’t cache pages for Cloudflare visitors after the update.
The same thing can happen if you have a WordPress plugin that sets a “cookie” for each visitor for some other reason.
This problem is easily fixed by changing the new WP Super Cache “Cache Restrictions” setting from “Disable caching for visitors who have a cookie set in their browser” to “Disable caching for logged in visitors. (Recommended)”. We’ve updated our WP Super Cache page to reflect this change, and if we notice that a site hosted on our servers suddenly has higher CPU resource usage because of this, we’ll update the setting for you to make it work as it did before.
If you’ve previously installed an older version of WordPress, you should update it from within your WordPress Dashboard.
One thing to note is that WordPress 5.0 comes with a new default editor called Gutenberg. Some people like Gutenberg and some people don’t; if you don’t, you can install the Classic Editor Plugin to continue to use the old editor.
One of the nice things about WordPress is that it automatically updates itself for important security and bug fixes. For example, if you installed WordPress 4.9.1, it would have automatically updated itself to version 4.9.2 on January 16, and to version 4.9.3 on February 5.
The WordPress 4.9.3 to 4.9.4 update is trivial (it fixes only this bug, after which automatic updates will work again), so we’ve updated every customer copy of WordPress 4.9.3 on our servers to version 4.9.4, just as if it had happened automatically.
Customers should not notice any change as a result of this — but as always, don’t hesitate to contact us if you have any trouble.
