Last Updated on November 13, 2023 EST by Jordan
Content Error or Suggest an Edit
Notice a grammatical error or technical inaccuracy? Let us know; we will give you credit!
Introduction
WordPress released version 6.4, which included a PR to the WordPress/Requests library.
A vast number of WordPress sites after updating to WordPress 6.4 had issues with anything that related to accessing external resources, such as WordPress updates, REST API, and the WordPress Site Health checker. The following error could be observed.
Error: RuntimeException: Failed to get url 'https://api.wordpress.org/core/version-check/1.7/?locale=en_US': cURL error 28: Operation timed out after 10000 milliseconds with 807 out of -1 bytes received.
Why did WordPress 6.4 break some sites and not all?
The core of the issue seems to be related to the version of curl that is running on some hosting providers; superficially, it looks as though cURL version 7.29 which was released 10 years ago.
curl version 7.29.0 was released on February 6 2013. The following 78 security problems are known to exist in this version.
Most of these hosting providers look to be running RHEL7 and CentOS7, which doesn’t have an end-of-life until June 2024. However, they’re still using an extremely out-of-date version of cURL.
Here’s the Github issue submitted to WordPress/Requests informing that pull request #657 breaks downloads towards https://api.wordpress.org and other functions and endpoints that rely on the WordPress/Requests library.
#657 breaks downloads towards https://api.wordpress.org/ and many other sites when using Curl 7.29.0 (and perhaps other versions)
Error: RuntimeException: Failed to get url 'https://api.wordpress.org/core/version-check/1.7/?locale=en_US': cURL error 28: Operation timed out after 10000 milliseconds with 807 out of -1 bytes received.
It also causes issues with the REST API in Site Health with the error:
REST API response: (http_request_failed) cURL error 28: Operation timed out after 10005 milliseconds with XXX out of XXX bytes received”
It also prevents WordPress plugin and core updates, basically anything that relies on the internal Curl handler in WordPress.
Adding back
Connection: Close
solves the issue. Please revert #657 ASAP and push the fix to WordPress 6.4If you are just looking to fix the cURL timeouts issue in WordPress 6.4 Read here:
To fix the issue, replace
https://github.com/WordPress/Requests/issues/838/wp-includes/Requests/src/Transport/Curl.php
with the following file: Curl.php.zip or see #838 (comment)
The submitted tomsommer is the creator of simply.com the largest webhosting provider in Denmark.
There’s also adrian-enspired who looks to work for nexcess.net
You can see a couple of posts down that tomsommer states that RHEL7/CentOS7 are affected by this bug.
Who wasn’t impacted and why?
It’s hard to tell, but a fair guess would be any hosting provider running a Linux distribution that ships with a curl version above 7.29. So, let’s see which providers aren’t affected.
Hosting Providers and Control Panels, Running cURL Greater Than Version 7.29
Attention
Turning of your systems swap could potentially cause issues if your system runs out of memory at the same time.
Hosting Providers
- Siteground (curl 7.85.0)
Control Panels
- GridPane (Depends on OS, See Operating Systems)
- Runcloud
Operating Systems Running a Modern Version of cURL
Ubuntu
- Ubuntu 22.04 LTS – “Jammy Jellyfish”: EOL is expected to be in April 2027 – cURL 7.81
- Ubuntu 20.04 LTS – “Focal Fossa”: EOL is expected to be in April 2025. – cURL 7.68.0
- Ubuntu 18.04 LTS – “Bionic Beaver”: EOL is expected to be in April 2023 – cURL 7.58.0
CentOS
- CentOS 8 – EOL was December 31, 2021. CentOS shifted its focus to CentOS Stream, starting with version 8. – cURL 7.61
- CentOS 7 – The full updates ended in Q4 2020, and the maintenance updates are expected to end on June 30, 2024 – cURL 7.29.0 AFFECTED.
- CentOS 6: EOL was November 30, 2020. – cURL 7.19
Debian
I didn’t have time to provide this at this time.
My GitHub Issue Comments Screenshot Backup
I’m putting this here as a backup and to make it easier for folks to read instead of going to the Github issue.
Conclusion
I’ve said my peace on the GitHub issue. Keep your version of cURL up to date, period. Ensure you’re using a modern operating system that ships with the latest software versions and provides necessary security updates, whether as a self-hoster, utilizing a control panel like GridPane or a massive outfit like the ones mentioned above.
Everyone here has a lesson to learn; this could have been done better. I’m not going into details, but I think it’s essential that WordPress looks at setting the required version of cURL to be at least the latest version for all versions of PHP. Ignoring how hard it is for hosting providers to accomplish this, instead provide a timeline.
Changelog
- 11-13-2023 – Added the original error message that was seen.
Last Updated on November 13, 2023 EST by Jordan