I got a frantic call from a client running a high-volume shop last week. Their server logs were absolutely ballooning, and their third-party ERP was getting hammered with duplicate webhooks. It was a total nightmare. After digging through the traces, I realized they were stuck in an infinite “sync-on-read” loop—a messy side effect of how High-Performance Order Storage (HPOS) handles modified dates. This is exactly why the WooCommerce security update in version 10.4.3 isn’t just a “nice to have”; it’s a site-saver.
My first instinct, and I’ve seen plenty of devs do this, was to just throttle the webhooks at the server level. Total mistake. Sure, it stopped the server from crashing, but it also killed legitimate order notifications and shipping updates. Not good. The real culprit was that HPOS sync was repeatedly re-enqueuing events because the posts table and the HPOS tables couldn’t agree on when the order was last touched. Version 10.4.3 finally puts a leash on this by disabling sync-on-read during heavy processes like Analytics imports.
Why the WooCommerce 10.4.3 Security Update is Mandatory
The headline for this release is the security patch for the Store API. If you’re running anything between version 8.1 and 10.4.2, you have a vulnerability where authenticated users could potentially peek at guest order data. In the world of GDPR and PCI compliance, that’s a massive red flag. This builds on the proactive approach I discussed in our WooCommerce Store API security patch checklist. Trust me on this: don’t wait for a data leak to start taking these dot releases seriously.
Aside from security, there’s the Bulgaria currency transition. If you’re operating in the EU, WooCommerce is now automating the BGN to EUR switch for January 1, 2026. It’s handled based on server time, so you won’t have to be awake at midnight on New Year’s Eve manually changing settings. It’s a clean bit of automation that shows the core team is actually thinking ahead for once.
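/**
 * A quick way to check if HPOS sync is currently restricted
 * during sensitive operations in WooCommerce 10.4.3+.
 */
function bbioon_check_hpos_sync_status() {
    // class_exists()/method_exists() need the fully qualified class name;
    // a bare 'ToolsUtil' never matches a namespaced class.
    $tools_util = 'Automattic\WooCommerce\Internal\DataStores\Orders\ToolsUtil';
    if ( class_exists( $tools_util ) && method_exists( $tools_util, 'is_sync_on_read_enabled' ) ) {
        $sync_enabled = $tools_util::is_sync_on_read_enabled();
        return $sync_enabled ? 'Syncing active' : 'Syncing throttled';
    }
    // Reached when the helper class or method is not available on this install.
    return 'Legacy storage active';
}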
The “Undo” Button is Back
Here’s the kicker: version 10.4.2 actually broke the “Undo” link in the cart shortcode. If a customer accidentally removed an item, the restoration data was being cleared before they could click the link. It sounds minor, but for a high-traffic store, that’s a direct hit to conversion rates. 10.4.3 reverts this regression. As I’ve mentioned before in my post about proactive plugin updates, these tiny regressions are why we always test on a staging environment first.
The full technical breakdown of these fixes is available on the official WooCommerce Developer blog, but the takeaway is simple: update now. Between the guest data exposure and the HPOS sync loops, staying on 10.4.2 is just asking for a midnight paging alert.
So, What’s the Move?
If you’re managing a shop, get onto 10.4.3 immediately. Focus on testing your checkout flow and any custom API integrations you’ve built, as the Store API changes might affect how you’re fetching guest data. And please, check your server logs for those sync loops if you’ve recently migrated to HPOS.
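As an added example (not code from WooCommerce or from the tooling used on the client's site), here is one way to find the duplicate-webhook pattern on the receiving side and drop only the repeats instead of throttling everything. It assumes deliveries are available as (timestamp, topic, JSON body) records and that looped deliveries differ only in the order's `date_modified` fields; the function names and sample records are constructed for illustration.

```python
import hashlib
import json
from collections import defaultdict

# Assumption: a sync-loop repeat changes only these order fields.
VOLATILE = {"date_modified", "date_modified_gmt"}

def fingerprint(topic, body):
    """Digest of a webhook payload with the modified-date fields removed."""
    payload = {k: v for k, v in json.loads(body).items() if k not in VOLATILE}
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{topic}\n{canon}".encode()).hexdigest()

def find_loops(deliveries, window=300, threshold=3):
    """Map (topic, order id) -> repeat count for payloads seen at least
    `threshold` times inside any `window`-second span."""
    seen = defaultdict(list)
    for ts, topic, body in deliveries:
        seen[fingerprint(topic, body)].append((ts, topic, json.loads(body)["id"]))
    loops = {}
    for hits in seen.values():
        hits.sort()
        lo = best = 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            loops[(hits[0][1], hits[0][2])] = best
    return loops

def dedupe(deliveries):
    """Keep the first delivery of each fingerprint. Unlike a rate limit,
    a real change (new status, new total) still gets through."""
    kept, known = [], set()
    for delivery in deliveries:
        fp = fingerprint(delivery[1], delivery[2])
        if fp not in known:
            known.add(fp)
            kept.append(delivery)
    return kept

def _evt(ts, order_id, status, modified):
    body = {"id": order_id, "status": status, "total": "49.00", "date_modified": modified}
    return (ts, "order.updated", json.dumps(body))

# Constructed sample: order 501 loops four times, then really changes status.
SAMPLE = [_evt(1000 + 2 * i, 501, "processing", f"2025-12-01T10:00:0{2 * i}") for i in range(4)]
SAMPLE += [_evt(1010, 501, "completed", "2025-12-01T10:00:10"),
           _evt(1012, 502, "processing", "2025-12-01T10:00:12")]
```

On the sample, `find_loops(SAMPLE)` flags order 501, and `dedupe(SAMPLE)` keeps three deliveries, including the genuine status change that a blanket throttle would have risked dropping.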
Look, this stuff gets complicated fast. If you’re tired of debugging someone else’s mess and just want your site to work without these technical headaches, drop my team a line. We’ve seen these exact loops and leaks a hundred times before.