The update to WordPress 6.4 on November 7, 2023 highlighted exactly why it’s important to have a good-quality hosting company and especially why it’s important to have someone in charge of your site maintenance rather than relying on auto-updates.
Quickly after the update to WordPress 6.4, users started to have problems with plugins and core functionality that relied on a specific operating system library called cURL. It caused errors like “cURL error 28: Operation timed out”, “Error: RuntimeException: Failed to get url”, “Add Connection:close header only when needed”, and others. It affected the Stripe API relied on for eCommerce transactions, WP-Admin for administering WordPress content, and site performance.
Thankfully the WordPress open source “Make” team responded quickly by releasing the 6.4.1 patch (which also resolved three other issues besides). Ironically, site owners that had auto-updated to 6.4 will experience issues auto-updating to 6.4.1 since the issue will block them from doing so. They’ll have to manually update by downloading WordPress 6.4.1 and then uploading the files directly to the server.
Download WordPress 6.4.1 to fix cURL 7.29.0 problems
What is cURL?
cURL is a command-line tool and operating system library for transferring data with URLs. It plays a significant role in various web-related operations. While it is a tool primarily used by developers, sysadmins, and technical users, non-technical WordPress website owners should care about cURL.
Here are several down-to-earth reasons why:
- WordPress relies on cURL: When your WordPress site communicates with external services like APIs, it often uses cURL to fetch data.
- Plugin and theme functionality: If cURL is disabled or not working correctly, plugins and themes may not function as expected.
- Updates and data retrieval: If cURL is not functioning, your site might miss important updates and leave your website vulnerable to security issues or bugs.
- Security: cURL makes secure HTTPS connections, which is vital for protecting sensitive data, such as user login credentials and payment information.
- Troubleshooting: cURL may be involved in troubleshooting connectivity problems, data retrieval issues, and more.
- Performance: Efficient data retrieval and external API requests can impact how quickly your web pages load and how responsive your site is to user interactions.
What was wrong with cURL 7.29.0?
The problem was with a specific version of cURL, 7.29.0. It was released on February 6, 2013. That’s right, over 10 years ago as of this writing. It currently has 78 security problems. The various plugin and security problems with WordPress 6.4 occurred mostly with version 7.29.0 of cURL and not with updated versions of it. Right now, the latest version of cURL is 8.4.0. The cURL changelog shows there are a LOT of bug fixes and security holes patched between 7.29.0 and 8.4.0.
Who messed up the WordPress 6.4 update?
Was it the fault of the WordPress Make team that is responsible for creating new versions and patches of WordPress? It would be satisfying for haters of WordPress to put the blame on them. Some blame can be cast due to some problems (that I won’t go into) overseeing the code management process. But it wasn’t entirely their fault.
The blame for this issue lies with the hosting companies that neglected to update their server operating system versions and to patch security vulnerabilities.
It’s also the fault of companies that update, distribute, and maintain distributions of Linux-based operating systems. For example, the CentOS/RHEL distribution maintains an old version of Linux that includes cURL 7.29.0. The end-of-life for support of this version doesn’t end until June 2024. That means a full 11 years will have to pass before they decide to sunset cURL 7.29.0 as part of the release.
That seems insane. Especially for websites that rely on highly-secure transactions for eCommerce.
Now, these companies do “backport” security fixes to bring more current patches into old versions of the OS. But, that’s where hosting companies pick up their portion of the blame. If they’re not tending to the backports to ensure updates are included in their server images, problems like the one WordPress 6.4 had will pop up.
But why would a hosting company neglect such a glaring problem? Well, a big reason is profitability. It takes a lot of time and effort by a lot of people to keep servers upgraded. Not all updates are applied right away, or even at all, because they aren’t always straightforward. And, they can cause other problems.
For example, if you have a lot of website owners who have not updated their plugins and WordPress core in years, and who still rely on unsupported PHP versions to operate, those sites are more likely to break. And then you have a whole new set of problems to deal with on the customer side.
The OS update juice isn’t always worth the customer complaints squeeze.
Also, until November 7th, hosting companies have gambled on the fact that cURL vulnerabilities were handled downstream by coders writing WordPress plugins and themes by inserting functions to check for and manage issues.
But when the WordPress 6.4 update dropped, a lot of those fixes broke or were no longer relevant. The cURL 7.29.0 vulnerabilities were more exposed.
The solutions going forward
Hosting
The best solution, in the short term AND the long term, is to move to a hosting company that takes better care of its server software. Which one to move to is a matter of choice and budget, and is the subject for a future blog post (or, check out our VPS hosting guide). The rule of thumb in hosting (as with web design) is “you get what you pay for”.
By that, I mean if you’re paying $1.99 per month for a slot in shared hosting where you’re on a server with 1,000 other websites, you simply cannot expect the same level of stability as when you pay $89/month for a high-powered, up-to-date VPS or dedicated server elsewhere.
You have to budget for these things, especially if your site is a mission-critical component of your business. Do a risk analysis and ask yourself what it would cost in lost revenue if your site were to be down for one or more days while the WordPress 6.4 and cURL 7.29.0 problem is resolved. If it’s more…or considerably more…than what you pay for hosting each month, it’s time to upgrade your hosting.
Webidextrous can help you select better hosting. Our main concern is getting you into the best hosting position possible even if it’s not with one of our partners.
Maintenance
With a car maintenance is like insurance against the risk that something bad will happen in the future. You can do that maintenance yourself (if you have the skills, time, and interest in such things). Or, you can take your car to a mechanic and have it done professionally so you can avoid hassle and focus your time on other things that matter more.
It’s the same with website maintenance. A major benefit of outsourcing your WordPress website maintenance is that you have a team of professionals whose whole organization and sole focus is the past, present, and future of what is going on with your website infrastructure.
They’re monitoring every aspect of what makes your site’s gears turn, including updates that are coming down the pipeline and what the updates are likely to fix (or break).
And even if a surprise “zero-day issue” appears, they’re positioned to act quickly and restore your site to normal working order.
In the case of this update, if your website was set to auto-update to WordPress 6.4 and your host was running an outdated version of cURL, you likely found yourself scrambling to figure out how to roll back the update. However, if your site was under maintenance, once this zero-day issue emerged, your maintenance team could have rolled back to the prior version of WordPress that still worked and then worked with your hosting company to figure out how to get cURL updated ASAP. Or, to buy time until the WordPress Make team devises a patch release as a workaround.
Webidextrous can take this and future issues off your hands. If your site broke due to the WordPress 6.4 update, or any other problem, just fill out our emergency WordPress help form and we’ll call you right away to begin working on it.
If you want a more proactive approach, sign up for our WordPress maintenance plan right now.
0 Comments