I have had a number of customers ask me how to keep applying WordPress 4.9.x security updates now that 5.0 has dropped.
Since WordPress 5.0 has been released you may have noticed that the only option you have to update WordPress core to is the 5.0.x branch.
So, if you are running 4.9.x and WordPress releases a security update (which has just happened with the release of 4.9.9) how do you update the WordPress 4.9.x branch without having to update to 5.0?
Method 1 – Zip files
You can manually download the security point release from WordPress.org.
Remember that you will have to unzip the download on local to get rid of the /wordpress/ folder that all WordPress core downloads are packaged with.
Upload your new zip archive point release to your server’s WordPress root folder and unpack the archive.
This can be done with File Manager if you use cPanel or Plesk, or by manually using FTP, sFTP then unzip on the command line.
The new WordPress files will automatically overwrite the previous ones, leaving your wp-config.php file untouched.
Delete the zip file you uploaded afterwards.
Method 2 – Force Minor Updates
If you’re not comfortable with uploading, downloading, FTPing and unzipping there is another way to for the WordPress to update in 4.9.x and do it automatically.
Add the following line in your wp-config.php, above the “done editing” line.define( ‘WP_AUTO_UPDATE_CORE’, minor);
Have a look in your wp-config.php file beforehand to make sure that line doesn’t already exist.
Many hosting providers added define( ‘WP_AUTO_UPDATE_CORE’, false); to WordPress configuration files to stop WordPress automatically updating to 5.0.
The “minor” parameter is telling WordPress to only update minor updates, that’s the last number in the semantic versioning 4.9.x.
This means WordPress will only automatically update to 4.9.9, 4.9.10, 4.9.11, 4.9.12 …. 4.9.99. You get the idea.
Once you have added that to your wp-config.php file and saved, you need to trick WordPress into performing an automatic update check.
You’ll need access to the command line or File Manager in cPanel/Plesk to do this part.
In the WordPress root folder (the one with wp-config.php), create a file, call it anything, but with a .php extension e.g. update499.php
Add the following lines to that file and save.<?php
require( dirname(__FILE__) . ‘/wp-load.php’ );
Then visit your website URL, appending the filename you created, including the .php extension.
For this site, e.g. https://zeropointdevelopment.com/update499.php
WordPress will run the code and a few minutes later you can check the dashboard and you should be updated to 4.9.9 (or higher if you are reading this at a later date).
You should delete the file you created after WordPress has been updated, or rename it, removing the .php extension so that nobody else can run the script.
Method 3 – WP CLI
If you are managing multiple WordPress installations then it’s likely you are running WP-CLI on your server to speed up management.
If not, you should really take a look at it!
Assuming you have WP-CLI installed, navigate to your WordPress root folder and enter the following command:wp core update –minor
If you are a few releases behind, WP-CLI allows you to specify a specific version to update to. The command you would use is:wp core update –version=VERSION_NUMBER –force
Replace VERSION_NUMBER with the actual version number you want to update to, so if you were running 4.9.8 and wanted to update to 4.9.9 the command would be:wp core update –version=4.9.9 –force
You only really need the –force parameter if you are downgrading.
Sticking With 4.9.x
Not everyone is able to update to 5.0 straight away and at the same time you need to make sure that your site is secure.
Hopefully you’ll be able to implement one of the methods above to keep your WordPress 4.9.x branch safe and secure.