WordPress security updates, the quick way

Larry Garfield
Director of Developer Experience
01 Nov 2017

Yesterday, the WordPress team along with security researcher Anthony Ferrara released a new version of WordPress, version 4.8.3 that fixes a significant security vulnerability. You can read more about the technical details of the exploit and the timeline of its report on Anthony's blog. The long and short of it is that if you're not already running WordPress 4.8.3, you need to upgrade.

If you're on Platform.sh, updating is simple and straightforward. There's 2 ways, depending on if you're using a vanilla WordPress download package or building it via a Composer-based variant.

Using Composer

If you're using one of the Composer-based WordPress installers, the process can’t be easier.

  1. Checkout your project from Platform.sh using Git
  2. Verify that your composer.json file is set to download WordPress 4.8. Look for the require line that downloads WordPress itself. It will probably look something like this:
    "require": {
        "johnpbloch/wordpress": "4.8.*"

    Make sure the version constraint is set to a value that includes 4.8.3. 4.8.*, ^4.8, ~4.8, and so on are all valid constraints. Update it if you need to, then save the file.

  3. Run composer update to update the lock file.
  4. Commit the changed composer.json and composer.lock files to Git.
  5. Push the new commit to Platform.sh.

You're of course free to try it on a test branch first. Platform.sh makes that easy for exactly cases like this one. Simply make a new branch before adding the changed files to Git, then activate the environment after it's pushed. As soon as you're comfortable that the update works, go ahead and merge it to master.

Vanilla download

If you are running WordPress as a simple download from WordPress.org, the way to update it is to simply copy files from a new download over your existing install.

  1. Checkout your project from Platform.sh using Git
  2. Download the latest version of WordPress from the download page and unzip the file.
  3. Copy all files from the download into your project, overwriting what's already there. Make sure that the wp-config.php file is not changed.
  4. Commit all changed and added files to Git. (Note there are some recently added files; be sure not to miss those.)
  5. Push the new commit to Platform.sh.

You can also test the update on a branch if you prefer. If everything is in order just merge the branch to master and you're done.