You can implement the security update by automatically updating Jetpack to the most recent version, using the automatic update links in your WordPress Dashboard. If you’re unable to automatically upgrade your Jetpack install through your Dashboard, you can manually upgrade via your Dashboard or via FTP using further instructions provided below.
We released a very important security update to Jetpack on April 10, 2014. While we encourage you to update to the most recent version of Jetpack, we recognize that your site’s configuration may prevent you from doing so right now. For those cases, we have provided individual security releases for prior Jetpack versions that maintain the version setup but close security holes.
This support document covers:
- How to determine if you need to update.
- How to automatically update to the most recent version of Jetpack.
- How to find out which version of Jetpack you’re using.
- Where to download the security update for your version of Jetpack.
- How to manually install the security update through your Dashboard.
- How to manually install the security update through FTP.
- Frequently Asked Questions.
How to determine if you need to update.
When you log in to your site’s Dashboard, you will be notified of pending updates by alerts in three areas of the Dashboard:
- Admin bar, top of the screen: a refresh icon shows the number of updates that are pending site-wide. Note that this number includes updates to WordPress core, themes, and plugins.
- Updates menu item, Dashboard menu: a red icon shows how many updates are pending site-wide.
- Plugins menu item, Dashboard menu: the same red icon will show how many updates are pending specifically for plugins.
If you see any updates pending for Jetpack, you must update.
How to automatically update to the most recent version of Jetpack.
We strongly recommend upgrading to the most recent version of Jetpack (2.9.3). In addition to having the latest bug fixes and features, automatically updating through the WordPress Dashboard will allow you to retain your existing Jetpack settings and customizations.
1. To update Jetpack, visit the Plugins → Installed Plugins tab of your Dashboard and locate Jetpack in your plugins list.
If Jetpack needs an update, you will see a notice:
Note: All screenshots show WordPress 3.8.2. If you are using an older version of WordPress, your Dashboard may differ slightly.
2. To upgrade Jetpack to the most recent version (2.9.3) regardless of your current version, click the “update now” link highlighted in green above.
Note: to update to the latest version of Jetpack, your site must be using WordPress 3.7 or 3.8. If your site is not using WordPress 3.7 or 3.8, you will need to use the specific version of Jetpack that is compatible with your current WordPress version. If possible, we urge you to update WordPress to the most recent version.
How to find out which version of Jetpack you’re using.
Although we encourage everyone to use the most current version of Jetpack, we recognize that your site’s configuration may prevent you from doing so at the moment. In that case, we’ve provided security updates for older versions of Jetpack that you can install manually via your Dashboard or FTP by following the instructions below.
First, determine which version of Jetpack you’re using. Go to Plugins → Installed Plugins in your Dashboard, find Jetpack in your plugins list, and locate the version number just below the plugin description:
Check the first two digits of your version against this list of updated point releases to see if your installed version matches a version with the security fix. Once you locate the update for your version, look at the third digit. If yours is lower than the listed update, you need to upgrade. For example, if your version is 2.2.4, you will need to update to version 2.2.7. If it’s 2.9.2, you will need to update to version 2.9.3.
If your version does not match any of the versions listed above, you must upgrade Jetpack.
Downloading your Jetpack security upgrade by version.
Once you have determined which update you need, download the corresponding update .zip file:
- 1.9.4 – for versions 1.9.x
- 2.0.6 – for versions 2.0.x
- 2.1.4 – for versions 2.1.x
- 2.2.7 – for versions 2.2.x
- 2.3.7 – for versions 2.3.x
- 2.4.4 – for versions 2.4.x
- 2.5.2 – for versions 2.5.x
- 2.6.3 – for versions 2.6.x
- 2.7.2 – for versions 2.7.x
- 2.8.2 – for versions 2.8.x
- 2.9.3 – for versions 2.9.x
Again, we strongly encourage you to upgrade to the most recent version of Jetpack (2.9.3). The updated prior versions above are available to you in case you’re unable to do so at this time.
How to manually install the update via the Dashboard.
Now that you have a .zip file, you can install it:
NOTE: A manual upgrade will delete all current Jetpack settings and customizations. If you have Custom CSS or any other settings that are crucial to your site, please ensure you copy or note those settings so you can recreate them once Jetpack has been reinstalled.
1. Disable and delete the existing Jetpack plugin. Go to Plugins → Installed Plugins, and click the “Deactivate” link in the Jetpack module. After the screen refreshes to confirm the deactivation, click the red “Delete” link to delete the plugin. On the next screen, you will see a “Delete Plugin” confirmation option:
2. Click “Yes, Delete these files and data” to remove the current Jetpack install from your site.
3. Return to Plugins → Add New and click the “Upload” menu link, then the “Choose File” button to select your .zip file. Click the “Install Now” button to begin the plugin upload and update.
4. Once the update finishes processing, you will see the following confirmation screen. Click “Activate Plugin” to activate Jetpack.
Troubleshooting for manual updates via Dashboard:
I try to install and I get this error: The uploaded file exceeds the upload_max_filesize directive in php.ini.
Speak to your web host and ask them to increase the upload_max_filesize value for you.
I get a “Destination folder already exists. Plugin install failed.” error when I try to install.
This happens because the server has not set the correct permissions for WordPress to be able to install and update plugins (along with themes and core files). You need to contact your web host and ask that they set the permissions so WordPress can run this update. This is an easy change for them to make and has no security implications.
How to manually install the update via FTP.
If you have trouble updating through the WordPress Dashboard, you can use FTP (File Transfer Protocol) to delete the Jetpack folder from the plugins directory and upload the new security fix version.
For these instructions, we assume you already have/know the following:
- A familiarity with how FTP works.
- An FTP client for your computer.
- Your FTP login information – contact your host if you don’t have this.
1. Download the correct update .zip file to your computer, then unzip the file to prepare it for uploading to your hosting server.
2. Log in to your server using FTP and navigate to your /wp-content/plugins/ folder. Find the existing jetpack folder and delete the jetpack folder completely.
Note: if you rename the folder and leave it on your server, the security vulnerability will remain. If you want to retain that folder, please download it to your local machine first, then delete it from your server.
3. Upload the new, unzipped jetpack folder from your computer in its entirety to the /wp-content/plugins/ folder on your server.
4. Once the new Jetpack folder is uploaded, return to your site’s WordPress Dashboard and go to Plugins → Installed Plugins, find Jetpack in the list, and activate it. Once activated, you will be prompted to connect to WordPress.com.
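The version check and the FTP note about renamed folders can be verified together with a short script. This is an added example, not code from Jetpack or from this support page: it scans a plugins directory for every copy of Jetpack, including renamed folders, and reports the release each copy still needs. It assumes Jetpack's main file is jetpack.php with a standard WordPress "Version:" header line, and that branches newer than 2.9 already carry the fix; the function names are hypothetical.

```python
import re
import tempfile
from pathlib import Path

# Patched point release per branch, copied from the download list on this page.
PATCHED = {"1.9": "1.9.4", "2.0": "2.0.6", "2.1": "2.1.4", "2.2": "2.2.7",
           "2.3": "2.3.7", "2.4": "2.4.4", "2.5": "2.5.2", "2.6": "2.6.3",
           "2.7": "2.7.2", "2.8": "2.8.2", "2.9": "2.9.3"}
LATEST = "2.9.3"  # most recent version named on this page

def required_release(installed):
    """Return the release to install, or None if `installed` already has the fix."""
    parts = [int(p) for p in re.findall(r"\d+", installed)]
    parts += [0] * (3 - len(parts))      # "2.9" is treated as 2.9.0
    if parts[:2] > [2, 9]:               # assumption: later branches include the fix
        return None
    branch = f"{parts[0]}.{parts[1]}"
    if branch not in PATCHED:            # no back-ported fix: must upgrade
        return LATEST
    fixed = [int(p) for p in PATCHED[branch].split(".")]
    return None if parts[:3] >= fixed else PATCHED[branch]

def audit_plugins(plugins_dir):
    """Map every folder holding a Jetpack copy to the release it still needs."""
    findings = {}
    for main_file in Path(plugins_dir).glob("*/jetpack.php"):
        # WordPress reads plugin headers from the first 8 KB of the main file.
        header = main_file.read_text(errors="replace")[:8192]
        m = re.search(r"^[ \t/*#@]*Version:\s*([\d.]+)", header, re.M | re.I)
        if m:
            findings[main_file.parent.name] = required_release(m.group(1))
    return findings

if __name__ == "__main__":
    # Constructed sample tree: one patched copy and one renamed, unpatched copy.
    with tempfile.TemporaryDirectory() as root:
        for folder, ver in [("jetpack", "2.9.3"), ("jetpack-old", "2.2.4")]:
            d = Path(root, folder)
            d.mkdir()
            (d / "jetpack.php").write_text(
                f"<?php\n/*\n * Plugin Name: Jetpack by WordPress.com\n * Version: {ver}\n */\n")
        print(audit_plugins(root))
```

A folder that maps to None is already patched; any other value is the release to install, and a second folder in the output (such as a renamed backup) is a copy that should be removed from the server.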
Frequently Asked Questions
Please visit our Security Update FAQs page for more information.
If you have trouble with upgrading Jetpack to the latest version, please contact us and we’ll be happy to help!