We just published version 3.0.0 of the WordPress on AWS by FOSSonCloud pattern to AWS Marketplace. The headline is a WordPress upgrade from 6.7.2 to 6.9.4 — two major upstream releases plus the full 6.9.x security catch-up — alongside a substantial refresh of the deployment tooling underneath the pattern.

What’s in this release

WordPress 6.9.4 (up from 6.7.2)

Between our 2.1.0 and 3.0.0, WordPress shipped two major releases (6.8 “Cecil” and 6.9 “Gene”) and a string of maintenance and security releases. The most important content here is the recent security cluster:

Security (6.9.2 / 6.9.3 / 6.9.4 — March 2026)

WordPress 6.9.2 addressed ten independently-reported security issues. 6.9.3 was a fast-follow that fixed a regression in template loading introduced by the 6.9.2 patches. 6.9.4 then re-issued a subset of the 6.9.2 fixes after the security team determined some of them weren’t fully applied the first time. The combined fix list:

  • Blind SSRF in core HTTP handling (reported by sibwtf and others)
  • POP-chain (PHP object injection gadget chain) weakness in the HTML API and Block Registry
  • Regex DoS in numeric character reference handling
  • Stored XSS in nav menus
  • AJAX query-attachments authorization bypass
  • Stored XSS via the data-wp-bind directive
  • XSS allowing override of client-side templates in the admin area
  • PclZip path traversal (re-applied in 6.9.4)
  • Authorization bypass on the new Notes feature (re-applied in 6.9.4)
  • XXE in the bundled getID3 library (re-applied in 6.9.4 after coordinated upstream fix)

Security (6.8.3 — September 2025)

  • Authenticated data exposure allowing access to some restricted content via the REST API
  • Authenticated stored XSS in nav menus

WordPress 6.9 “Gene” features (December 2025)

  • Notes — block-level commenting in the post and page editor for inline review workflows (this is the same feature whose authorization bypass had to be re-patched in 6.9.4 — a brand-new feature catching a brand-new security finding)
  • Expanded Command Palette — keyboard-driven navigation across the entire dashboard, not just the editor
  • Abilities API — standardized, machine-readable permissions surface intended as the foundation for AI-powered and automated workflows
  • New blocks plus a more visual drag-and-drop experience
  • Performance improvements across page loads

WordPress 6.8 “Cecil” features (April 2025)

  • bcrypt password hashing — automatic, no admin action required; replaces the long-standing phpass-based scheme
  • Speculative loading — preloads links before the visitor clicks, speeding up perceived navigation
  • Style Book restructured and now works with Classic themes
  • Database query caching and other performance work
  • 100+ accessibility improvements

Maintenance releases folded in

6.8.1, 6.8.2, and 6.9.1 collectively shipped roughly 84 bug fixes across Core and the Block Editor.

Pattern-level modernization (not from upstream)

The release also brings the deployment tooling forward:

  • aws-cdk-lib 2.120.0 -> 2.225.0
  • oe-patterns-cdk-common 4.2.4 -> 4.5.1 (EFS elastic throughput defaults from 4.2.4 are retained)
  • devenv image 2.5.5 -> 2.8.4 (Ubuntu 24.04 base; pip now requires --break-system-packages)
  • Packer scripts 1.6.0 -> 1.10.3 — fixes silent --install-efs-utils failures (rustup PATH under sudo -E, missing cmake and golang-go for the aws-lc-fips-sys build, and an explicit .deb existence check)
  • Versioned AMI parameter convention introduced — the AMI parameter is now AsgAmiIdv300 instead of bare AsgAmiId, so each release has a distinct CloudFormation parameter name and the platform can’t silently reuse the previous AMI on update
  • Marketplace publishing moved to the AWS Marketplace Catalog API (make marketplace-validate / marketplace-submit / marketplace-status); the deprecated plf_config.yaml spreadsheet flow is gone
  • Packer appinstall script now sets set -eux explicitly — Packer’s execute_command invokes the script as bash <path>, which treats the shebang as a comment, so without an explicit shell-options line a failing provisioner could silently ship a broken AMI
  • Playwright integration test scaffold added under test/integration/; make test-integration runs an end-to-end smoke test (install wizard -> admin login -> Gutenberg post -> public render) against the deployed dev stack
  • docker-compose.yml now mounts ~/.aws and forwards AWS_PROFILE, matching the Mastodon and Drupal patterns
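The set -eux point above is easy to reproduce. The following is an added example, not code from the pattern's repo: it writes a constructed provisioner-style script whose failing step should abort the build, then runs it the way Packer's execute_command does (bash <path>) with the options only in the shebang versus with an explicit set -eux line.

```shell
# Added example (not from the FOSSonCloud pattern). Writes a constructed
# provisioner-style script to $1; $2 selects where the shell options live.
write_script() {
  {
    if [ "$2" = explicit ]; then
      echo '#!/bin/bash'
      echo 'set -eux'          # explicit options: honoured however the file is run
    else
      echo '#!/bin/bash -eux'  # options only in the shebang
    fi
    echo 'false             # a failing provisioning step (constructed)'
    echo 'echo "AMI ready"  # reached only if the failure was ignored'
    echo 'exit 0'
  } > "$1"
  chmod +x "$1"
}

# Exit status when the script is invoked as "bash <path>", i.e. the way
# Packer's execute_command runs it. bash treats the shebang as a comment,
# so "-eux" on that line never takes effect.
run_via_bash_path() {
  f=$(mktemp); write_script "$f" "$1"
  rc=0; bash "$f" >/dev/null 2>&1 || rc=$?
  rm -f "$f"; echo "$rc"
}

# Exit status when the kernel executes the file directly, where the
# shebang (and therefore its -eux) is honoured.
run_direct() {
  f=$(mktemp); write_script "$f" "$1"
  rc=0; "$f" >/dev/null 2>&1 || rc=$?
  rm -f "$f"; echo "$rc"
}

# Usage: compare the outcomes. Only the explicit "set -eux" variant fails
# (exit 1) under "bash <path>"; the shebang-only variant exits 0 and would
# have shipped a broken AMI.
echo "bash <path>, shebang-only options: exit $(run_via_bash_path shebang)"
echo "bash <path>, explicit set -eux:    exit $(run_via_bash_path explicit)"
echo "direct exec, shebang-only options: exit $(run_direct shebang)"
```

The direct-exec line is there only for contrast; a build pipeline should not rely on it, since the invocation method is decided by the tool, not the script.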

Removed / cleanup

  • Dropped the dead DEFAULT_WORDPRESS_SOURCE_URL constant from wordpress_stack.py. The pre-2.0.0 CodePipeline + CodeDeploy + Lambda seed-bucket flow was removed in 2.0.0 but the constant lingered with no CfnParameter reading it.
  • Stripped stale PipelineArtifactBucketName / SourceArtifactBucketName / SourceArtifactObjectKey parameters from the taskcat configs — leftover from the same pre-2.0.0 pipeline flow.

Fresh deployments

Subscribe on AWS Marketplace and launch the CloudFormation template. You’ll need a Route 53 hosted zone and an ACM certificate ready in the target region — everything else (VPC, Aurora, ALB, EFS, SES SMTP, optional NLB-fronted SFTP) the template provisions.

What’s next

Upstream is already shipping 7.0 release candidates as of late March 2026 — we’ll be tracking 7.0 once it lands GA. We’ll also continue carrying security patches through point releases as they ship, on a faster cadence than the major version of this pattern itself.

If you hit anything in 3.0.0, please file an issue at github.com/ordinaryexperts/aws-marketplace-oe-patterns-wordpress.

— FOSSonCloud