Taking back control of your Joomla & WordPress Core updates

Both WordPress and Joomla now push automatic updates without asking. That sounds great until a security patch breaks your site at 3am or a Joomla update jumps you to a major version you weren't ready for.

This week WordPress screwed up with their update, crashing some sites globally, when automatic updates were pushed out to WordPress. I've written a detailed blog post about it. You must upgrade to 6.9.4 to remain secure — 10 security fixes were applied in that version.

This week I also published four in-depth guides covering exactly how to manage this — for WordPress and for Joomla (including a deep dive into the TUF security model behind Joomla's new auto-update system). The Astroid Framework vulnerability post has been updated with new findings, and there's a new guide explaining those uptime alerts you've been getting.

All guides are free to read on the blog

New series of posts about automated updates

WordPress shipped three security releases in two days – what exactly went wrong

WordPress 6.9.2 fixed 10 security vulnerabilities but crashed some sites with incompatible themes. 6.9.3 fixed the crash but forgot to include some of the 10 security fixes. 6.9.4 completed the patches that were missing. If you haven't updated yet, do it now.

Updated

Astroid Framework vulnerability – latest info

The Astroid Framework post from last week has been updated with the latest information on CVE-2026-21628 (CVSS 10.0). If you use Joomla with the Astroid template framework, check the updated post for current patching guidance and indicators of compromise.

Need help with your site? Phil Taylor – Fixing websites since 2004

Found something wrong with your Joomla or WordPress site? If it were simple, you'd have fixed it already. I offer same-day expert help at a flat rate of £120 per incident. No hourly billing surprises.

If I can't add value, you don't pay