As anticipated following the release of WordPress 3.6 a few weeks ago, WordPress 3.6.1 is released today. The patch contains some security fixes and other tightening up of the latest WordPress version.
This update is being called “critical” so those of you doing your own updates should apply this update as soon as possible. Be sure to back up your site before doing the update, of course.
Those of you in my Website Management Program will be seeing your sites updated over the course of the next few days. As with all major releases of WordPress, extensive testing needs to be done to ensure that the update doesn’t reveal any issues with existing themes and plugins.
This Is Why We Test
A client of mine discovered the hard way why we test updates before applying them. She saw that WordPress 3.6 was available and applied the update. Everything appeared to go smoothly until she logged out and visited her site. A PHP warning message was displayed near the top of every post on her site.
After a bit of research, I found an article by one of the WordPress developers explaining what the warning was about. Without going into excruciating detail, suffice it to say that developers have access to an entire library of database functions provided by WordPress in its core framework. One of these functions is designed to prevent a certain type of attack against the database.
Temporary Inconvenience, Permanent Improvement
This function has been around for years and is widely used by developers. Unfortunately, many of them use it incorrectly. The net result is that it doesn’t do what it’s supposed to do even though they think it does. Up until now there has been no visible indication that the usage was incorrect. The function didn’t bomb out or throw errors or anything else to indicate that it wasn’t actually fulfilling its purpose.
So, in WordPress 3.6 the developers decided to output a warning if they detected that the function wasn’t being used properly. This decision wasn’t reached lightly as it would potentially affect many sites and cause widespread consternation among users who had no idea what the message meant.
Well, my client’s theme contained its own function to read the database and return the number of comments for a given post. The database function it uses from the WordPress library is the one we’re discussing and it was used incorrectly. As a result, every time someone displayed a post from the site, they got this obnoxious geek-speak warning message displayed.
Fortunately, the fix is detailed in the article I found and her site was quickly back up and running. The function is now doing what it’s supposed to do and all is right with that section of the world.
What About My Site?
You may well ask “What about my site?” Well, the answer is: we won’t know until we test it. The theme my client uses is fairly popular, so there are likely hundreds if not thousands of copies of it deployed across the web, all of which will break in exactly this way when their respective sites are upgraded to WP 3.6. No doubt there are many other themes and plugins that have made this same coding error.
There is a possibility that your theme or a plugin will contain the problem, but you won’t see the warning message. This would occur if you have warning messages turned off on your site. There are several ways to do this and some hosts are configured with warnings off. Even with warnings turned off, though, they should show up in your error log. If you’re not up to spelunking your error log (it’s the file in your root directory named “error_log”), you may want to have someone do it for you just to be sure the warnings aren’t being issued silently.
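For anyone who would rather not read the log by eye, here is one way to do the check described above. It is an added example, not code from the original post or from WordPress: it assumes PHP's default error_log line format, and the sample lines, paths and the function name example_db_call() are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in PHP's default error_log format (not from a real site).
SAMPLE_LOG = """\
[11-Sep-2013 14:02:11 UTC] PHP Warning:  Missing argument 2 for example_db_call(), called in /home/site/public_html/wp-content/themes/example-theme/functions.php on line 212 and defined in /home/site/public_html/wp-includes/example.php on line 990
[11-Sep-2013 14:02:15 UTC] PHP Warning:  Missing argument 2 for example_db_call(), called in /home/site/public_html/wp-content/themes/example-theme/functions.php on line 212 and defined in /home/site/public_html/wp-includes/example.php on line 990
[11-Sep-2013 14:03:40 UTC] PHP Notice:  Undefined index: page in /home/site/public_html/wp-content/plugins/example-plugin/main.php on line 17
[11-Sep-2013 14:05:02 UTC] PHP Warning:  Division by zero in /home/site/public_html/wp-content/plugins/example-plugin/stats.php on line 58
[11-Sep-2013 14:06:30 UTC] PHP Fatal error:  Call to undefined function example() in /home/site/public_html/index.php on line 3
"""

# Only "PHP Warning" entries are of interest here; notices and fatals are skipped.
ENTRY = re.compile(r"^\[(?P<when>[^\]]+)\] PHP Warning:\s+(?P<msg>.*)$")
# "called in <file> on line N" names the calling theme/plugin file;
# otherwise fall back to the plain "in <file> on line N" location.
CALLER = re.compile(r"called in (?P<file>\S+) on line (?P<line>\d+)")
WHERE = re.compile(r" in (?P<file>\S+) on line (?P<line>\d+)")
COMPONENT = re.compile(r"wp-content/(themes|plugins)/([^/]+)/")


def summarize_warnings(lines):
    """Count PHP warnings per (theme or plugin, file, line)."""
    counts = Counter()
    for raw in lines:
        entry = ENTRY.match(raw.rstrip("\n"))
        if not entry:
            continue
        msg = entry.group("msg")
        loc = CALLER.search(msg) or WHERE.search(msg)
        if not loc:
            continue
        path = loc.group("file")
        comp = COMPONENT.search(path)
        owner = f"{comp.group(1)}/{comp.group(2)}" if comp else "other"
        counts[(owner, path, int(loc.group("line")))] += 1
    return counts


if __name__ == "__main__":
    # For a real site, replace SAMPLE_LOG.splitlines() with open("error_log").
    for (owner, path, line), n in summarize_warnings(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:4d}  {owner}  {path}:{line}")
```

A theme or plugin that appears here with a high count on a single file and line is the one to test first after an upgrade.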