A critical vulnerability in WooCommerce 2021 | how to update and fix it.

July 16, 2021 Beba Host

If you are a customer of BebaHost kenya or use worpress and woocomerce chances are you may have received an email warning about vulnerability. Woocommerce team of developers are working hard to releasing updates that add new features, fix issues, improve security and, in general, make your store better than ever. But how do you update WooCommerce without causing issues? We’ll cover a few of the common ways below, but first…

Backups

Any store powered by WordPress and WooCommerce has two places where data and content are stored. One is your wp-content folder, where your themes, plugins, and uploaded content is located. Another is the database that organizes and stores your product, order, post, page, etc…. data.

With this precious data and content stored in a few different places, how do you safeguard it all and keep it backed up?

Automatic backups

The most efficient and reliable approach is to use an automated site backup service, which we, of course, recommend Jetpack. Besides not having to do anything manually, you benefit from:

  • Unlimited storage space.
  • Automated regular backups of your entire site including your database, all content, plugins & themes, settings, and more.
  • Instant restores so you can revert to a previous version with one click.
  • Direct access to 24/7 expert support.

Manual backups

To take a manual backup, there are two parts to backing up your store:

  • Backup your database! There are multiple ways to do this, see the WordPress Codex for your options to back up your content. Both manual and plugin options exist.
  • Using SFTP head to your wp-content folder to backup your theme and plugin files. We strongly recommend making a backup of your theme files if you’ve made any customizations.

Testing Updates

Let’s now talk about keeping your site updated and making you money with the latest and greatest features. Just fair warning, this can sound technical and complex but don’t let it get to you! Working with a developer who is familiar with these tasks for you is also an option. We highly recommend seeking assistance from Codeable, or a Certified WooExpert.

Terms To Know

First, let’s review a few terms we’ll be using. Some may use other terms like a dev environment, testing environment, and live environments, but we’ll stick to the basic three:

  • Local – is on a personal computer, generally not accessible from the web.
  • Staging – is where you test updates. Should replicate the same server setup as the live site.
  • Production – is the live site. Where customers and users are visiting and purchasing.

Keep in mind this is a simplistic overview, and there are many tools and ways to do this. There aren’t absolutes in how you test updates, just as long as you generally do not test them on a live site. If you have a developer working on your site, ask them about their process for testing updates.

Local

Most developers will start with a local install. Meaning WordPress is set up on their computer and it acts as a server. Using a preferred code editor, one can then build, update, and test updates on their own computer. While working on a local install we highly recommend you start using version control if you aren’t. Whether that is Git, SVN, or something else it comes in handy in case you need to revert back to something that works, and can even make it easier to deploy a site to staging and production.

Staging

To test an update beyond a local site, it’s best to create a second WordPress install with your host and restore a backup of your live site to it. VaultPress can do this for you, and WordPress hosts often offer tools to set up a staging environment. This is a replica of your production site and a safe place to test updates. A staging site can also be shared with others for their help testing. Makes sure to test on different devices, load time, and so on.

Production

Should all go well during staging tests, then you are ready to update your live (production) site. You can do this however you prefer or arrange with your developer(s). One note: Put your site in maintenance mode to prevent people from checking out or making payments. If a transaction occurs during the update, orders may be lost. To update, some have Git set up to deploy from a master branch, or you yourself can click the Update button knowing you tested these updates and it’s safe for your site. Of course, your backups are on standby to restore in an instant if anything unexpected occurs. That way there’s no downtime or revenue lost. From here, figure out what tools and strategies work best for you and your team or developer(s), and put a good testing process in place. If you put the time upfront into testing updates, you save yourself both headaches and money in the end. Guaranteed!

Embedded Feature Plugins

In addition to the core plugin, every WooCommerce release includes a version of our feature plugins:

The embedded versions are updated with the core WooCommerce plugin and undergo the same rigorous testing process as part of the release. We use feature plugins to develop new functionality that isn’t yet ready for public release in WooCommerce, and none of the experimental functionality is part of the embedded release. Developing new features this way allows these plugins to release on their own while still including the completed functionality in WooCommerce.

Version Reconciliation

One interesting consideration of this is what happens when you have installed a feature plugin that is a different version than the one embedded in WooCommerce. We handle version reconciliation using the Jetpack Autoloader package, which will load the newest version. By installing and activating the feature plugin you have opted-in to the experimental functionality regardless of whether the embedded version or feature plugin is loaded. Here is an example scenario below

WooCommerce 5.0 embeds the 5.0 version of WooCommerce Blocks. If you install and activate a newer version of the WooCommerce Blocks plugin, such as 5.2, it will be used instead of the embedded one. If you install and activate an older version however, such as 4.0, then it will use the embedded version in WooCommerce but activate any experimental functionality.

You can review which version of a feature plugin is being used in your WooCommerce System Status Report.

Updating Extensions and Payment Gateways

From WooCommerce.com

To get updates on anything purchased from WooCommerce.com, go to WooCommerce > Extensions > WooCommerce.com Subscriptions and ensure that your store is connected to your WooCommerce.com account. More at: Managing WooCommerce.com subscriptions. Connecting your WooCommerce.com account to your WooCommerce site/store allows you to:

  • View status of WooCommerce, plus your extensions and payment gateways
  • Filter by Installed, Activated, Download, and Update Available
  • Determine which extensions and payment gateways have compatibility with what version/release of WooCommerce

For example: In the Plugin and Tested up to WooCommerce version columns, respectively, it might show that WooCommerce Stripe is known to be compatible up to WooCommerce 5.0 If you have WooCommerce 5.1+ installed, take caution and test on a Staging site as instructed above in Testing Updates.

From third-party developers

Plugins, extensions, payment gateways and themes not developed and maintained by our in-house WooCommerce team are from third-party developers. Third-party developers looking to add version check to their product can see: Adding Version Check Support to Your Plugin. Store/site owners must contact the third-party developer directly for support on updates and compatibility.

WooCommerce database update notice

  • Update WooCommerce Database starts the process of updating your database to match the plugin version you installed or updated to. The database organizes, contains, and stores your products, orders, posts, and pages. It is an essential process.
  • Learn more about updates will take you to this page to explain best practices pertaining to updating WooCommerce, extensions, and payment gateways, plus info on what is updated and in what order.

WooCommerce Database Update notice will display when you have upgraded/updated to a new version of WooCommerce and a database update is needed:

WooCommerce Update Required admin banner notice
WooCommerce Updating admin banner notice

Ensure you have a backup in place and click the “Update WooCommerce Database” button. The update process will start: Selecting View progress will take you to the Scheduled Actions section and show the Pending actions for the update.

Once it is completed, the next time you view an admin page you will see the dismissable update complete banner:

WooCommerce Database Update complete admin banner

Leave a comment