The WordPress development team, in a series of missteps, pushed out a flawed update that made it impossible to install new WordPress sites. They paused the update rollout in an attempt to fix that update but that created even more problems, requiring an emergency update to fix all the problems.
Flawed WordPress 5.5.2 Security Update
The fiasco began on October 29, 2020 with a routine update meant to address critical security issues. WordPress 5.5.2 was meant to prevent issues like Cross Site Request Forgeries, XSS (Cross Site Scripting) attacks and more.
Unfortunately, the update also introduced a bug that caused new WordPress installations to fail. This is how WordPress explained the bug:
“WordPress 5.5.2 …makes it impossible to install WordPress on a brand new website that does not have a database connection configured. This release does not affect sites where a database connection is already configured, for example, via one-click installers or an existing wp-config.php file.”
In order to fix that problem, WordPress stopped version 5.5.2 from rolling out to more sites. And that’s when a rogue update pushed itself out automatically.
WordPress Alpha Update Accidentally Pushed Out
WordPress put the brakes on further updates. But while the WordPress team was busy getting WordPress 5.5.3 ready in order to fix the previous bug, WordPress auto-updates began pushing an update all over again.
But because Version 5.5.2 was unavailable, the automated WordPress system selected an Alpha version of WordPress to be downloaded and installed. This Alpha version was not meant to be pushed out through auto-updates.
What Went Wrong
The problems were introduced by the development team because there was no formal documentation on how to stop a WordPress update. Because of that, the WordPress team stopped the update in a way that opened the door for the Alpha version to begin rolling out.
This issue has been addressed so that this scenario won’t happen again.
According to the official technical details post:
“…that won’t be done again. Now seems like a good time to document a correct and proper way of “stopping” a release in progress, which honestly had not been attempted before. Stopping a release is actually pretty simple if they had made the correct change, so while their attempt was a reasonable assumption to make, it turned out to be wrong.
The release system is complicated, and trying to do things with it that haven’t been anticipated and documented led to unexpected results. This will be improved through documentation and better code and management of the release system itself.”
WordPress 5.5.3 Alpha Bugs
The issue with the WordPress Alpha installation was that it introduced additional WordPress themes and installed Akismet.
There is supposedly nothing wrong with those themes. But publishers who choose to not delete them will be burdened with having to keep them updated. Failure to update those themes could in the future pose a security risk.
According to the WordPress announcement:
“Earlier today the auto-update system for WordPress updated some sites from version 5.5.2 to version 5.5.3-alpha. This was due to an error caused by preparations being made for the 5.5.3 release.
The 5.5.3-alpha version at this point was functionally identical to 5.5.2 as no development work had been started on 5.5.3, however the following changes may have been made:
The default “Twenty” themes installed as part of the pre-release package. The “Akismet” plugin installed as part of the pre-release package.”
A web page, apparently for the Alpha release, was published on October 29, 2020, apparently erroneously labeled as Version 5.4.3. I say erroneously because WordPress 5.4 was released in March 2020 and it doesn’t make sense to go backwards from WordPress 5.5 to a 5.4 version.
The latest update, Version 5.5.3 is everything version 5.5.2 was meant to be, only without the associated problems. WordPress 5.5.3 fixes all the problems introduced in the 5.5.2 version.
“This maintenance release fixes an issue introduced in WordPress 5.5.2 which makes it impossible to install WordPress on a brand new website that does not have a database connection configured. This release does not affect sites where a database connection is already configured, for example, via one-click installers or an existing wp-config.php file.
If you are not on 5.5.2, or have auto-updates for minor releases disabled, please manually update to the 5.5.3 version by downloading WordPress 5.5.3 or visiting Dashboard → Updates and click “Update Now.””
Check Your WordPress Installation
Publishers are encouraged to make sure that they are updated to Version 5.5.3. Versions prior to 5.5.2 contain security issues, so it’s very important to be updated to the latest version.
The WordPress 5.5.3 maintenance release contains no apology for the issues, only “thanks and props” to the development team for fixing the problems that they introduced.