Google Webmaster Tools Fixes Confusing Messages About Updating WordPress

In 2009, Google announced it would send notifications via Webmaster Tools to site owners when new versions of software such as Joomla, Drupal, or WordPress are available.

WordPress 4.7.2 was released at the end of January. It patched a critical security vulnerability in the REST API that is being actively exploited in the wild. Site owners who updated to 4.7.2 are receiving Google Alerts that their sites are out of date.

Recommended WordPress update available for http://www.example.com/

To: Webmaster of http://www.example.com/,

Google has detected that your site is currently running WordPress 4.7.0 or 4.7.1, an older version of WordPress. Outdated or unpatched software can be vulnerable to hacking and malware exploits that harm potential visitors to your site. Therefore, we suggest you update the software on your site as soon as possible.

Following are one or more example URLs where we found pages that have outdated software. The list is not exhaustive.

https://www.example.com/123/

https://www.example.com/456/

https://www.example.com/789/

Some of the people who received notices thought the email was a phishing attempt as WordPress is misspelled using a lower-case p. Others expressed confusion and anxiety receiving notices despite having already updated their sites.

WordPress-powered sites include a meta generator tag that Google uses to detect which version is running.

<meta name="generator" content="WordPress 4.7.1" />

However, Google does not monitor pages in real time. If a site owner updates to WordPress 4.7.2 but the copy of the page in Google’s index still reports 4.7.1, they’ll receive a notice.
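The check described above, as an added example that is not Google's code or part of the original article: it reads the generator tag from a page and compares an indexed copy with the live page, showing why an already-patched site can still be flagged. The sample HTML, function names and result labels are constructed for illustration.

```python
import re
from html.parser import HTMLParser

PATCHED = (4, 7, 2)  # release that fixed the REST API issue, per the article

# Constructed sample pages: the copy a crawler stored earlier vs. the live site.
INDEXED_COPY = '<html><head><meta name="generator" content="WordPress 4.7.1" /></head></html>'
LIVE_PAGE = '<html><head><meta name="generator" content="WordPress 4.7.2" /></head></html>'


class GeneratorParser(HTMLParser):
    """Collects the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))


def wordpress_version(html):
    """Return the advertised WordPress version as a tuple, or None if absent."""
    parser = GeneratorParser()
    parser.feed(html)
    for content in parser.generators:
        m = re.fullmatch(r"WordPress (\d+)\.(\d+)(?:\.(\d+))?", content.strip())
        if m:
            return tuple(int(p or 0) for p in m.groups())
    return None


def classify(indexed_html, live_html):
    """Compare the indexed copy with the live page (labels are hypothetical)."""
    indexed = wordpress_version(indexed_html)
    live = wordpress_version(live_html)
    if live is None:
        return "unknown"        # tag removed or not WordPress; verify another way
    if live < PATCHED:
        return "outdated"       # the notice is accurate, update now
    if indexed is not None and indexed < PATCHED:
        return "stale-notice"   # patched, but the indexed copy predates the update
    return "current"
```

A "stale-notice" result matches the situation in the article: the site is patched, and the notice reflects an older crawl.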

Juan Felipe Rincón, Webmaster Outreach at Google, responded to the forum thread and confirmed the issues reported by users. “Definitely a problem on our end,” Rincón said.

“We’re sorry for causing confusion in the messaging and for the swirl this created for many of you and your users or client base.”

Google was aware that notices would be sent to site owners who already updated but chose to send them anyway due to the seriousness of the vulnerability.

“However, we underestimated the number of sites that had already patched, and our messaging gave no room for interpretation or letting website owners know that if they had already upgraded they could ignore the message safely,” Rincón said.

Google has implemented the following changes to improve its update notification system:

  • Messages have stopped being delivered for now but will resume shortly.
  • The messages have been reworded to be clearer.
  • Additional checks have been added to reduce the number of notifications sent to owners who already updated.

If you’ve updated WordPress to 4.7.2, you can safely disregard the notices.

3 Comments


  1. My favourite comment is:

    we underestimated the number of sites that had already patched

    It is nice to think that the sites were so quickly updated.



    1. The security team is working on establishing a line of communication there, so that we can hopefully more accurately target this sort of thing in the future. Google did this on their own this time, hopefully we’ll be able to provide better information and thus help more people in the long run.



  2. “Google was aware that notices would be sent to site owners who already updated but chose to send them anyway due to the seriousness of the vulnerability.”

    This actually has the opposite effect, in the long run, than what they intended. People who get false reports tend to ignore them in the future — when they count.

