Screenshot of Bing search results for 'sheboygan hip hop cookout hit.' The top result is an article from Sheboygan Life about Curdy and the Cheese Heads' new hip-hop hit, with additional related links and video content. Bing's results also feature options to learn more about related topics and ask questions about the band.

cPanel 136 Security Updates Put WHM Patch Timing on the Checklist

cPanel documented security updates for version 136 in two July releases: build 136.0.28 on July 8, 2026, and build 136.0.29 on July 14, 2026. The later release updated cPanel Roundcube to 1.6.17 and listed fixes for CVE-2026-54432 and CVE-2026-54433 in the 136 Change Log.

That does not mean every WordPress site on a cPanel server was vulnerable or compromised. It does mean patch timing deserves a deliberate review when one server supports multiple customer sites, WooCommerce stores, email accounts, DNS services, and revenue-critical integrations.

For hosts, agencies, and site operators, the practical question is simple: which cPanel build is running, and does the server’s update policy match the risk and maintenance requirements of the sites it supports?

Need help checking this on your WordPress, Google Ads, Analytics, local SEO, or website setup? Splinternet Marketing can review the issue and help you prioritize the next fix.

Separate security updates from major-version planning

cPanel’s Update Preferences documentation says available security updates for the current major version are applied every hour by default. That hourly process continues even when version updates are disabled or scheduled manually, but it does not run when the server is configured to use a specific version. cPanel recommends leaving automatic security updates enabled so the server receives those updates as soon as they are released.

This is separate from broader major-version movement. Release tiers influence when a server upgrades to a subsequent major version, and cPanel documents a delay of several business days for some automatic upgrades on the RELEASE tier. A server can therefore have current-major security updates enabled while still following a controlled schedule for a broader version upgrade.

Check the running build, major version, release tier, and security-update setting in WHM or the relevant server configuration. Record the result for each production host rather than assuming every server is configured the same way. Pay particular attention to version pins or custom build settings, because those can change the expected update path.

The 136 change log also includes fixes involving areas such as PHP, mail, TLS, DNS, firewall behavior, cPHulk, transfer tools, and account services. That does not mean each update will affect every hosted environment, but it is a reminder that a successful control-panel update is not proof that every customer workflow continued working normally.

What to do next

  1. Confirm the patch state. Verify whether each server has reached the expected 136 build and whether current-major security updates are enabled. Review update results for failures, delays, or version pins.
  2. Confirm a restorable backup. Before changing a multi-account WordPress or WooCommerce host, verify that recent backups exist and that recovery has been tested. A backup that cannot be restored is not a reliable rollback plan.
  3. Use a canary path where practical. Test a representative account or staging server when the maintenance path allows it. Include a WooCommerce site, a form-heavy lead-generation site, and any account with custom PHP, cron, DNS, or mail configuration.
  4. Schedule production maintenance. Coordinate the update with customer support, marketing, paid-media, and operations teams. Make sure someone is available to investigate failed checkouts, form notifications, login problems, or mail issues.
  5. Run post-update checks. Test the homepage, WordPress admin login, PHP and PHP-FPM behavior, WooCommerce checkout, forms, scheduled tasks, page caching, TLS and AutoSSL, DNS resolution, mail delivery, firewall access, cPHulk behavior, and uptime or error monitoring.

Also review the supported-version roadmap. cPanel lists version 136’s approximate end-of-life date as August 2026 in Product Versions and the Release Process. That is a planning signal, not proof of an emergency deadline. Confirm the current support status and plan compatibility testing for PHP, plugins, custom code, mail services, backups, and customer maintenance windows before an upgrade becomes time-sensitive.

The practical lesson from the July 8 and July 14 releases is not to panic or treat a cPanel update as a WordPress incident. It is to make patch delivery observable, recovery real, and post-update validation part of normal website operations.

Sources

Need help checking this on your WordPress, Google Ads, Analytics, local SEO, or website setup? Splinternet Marketing can review the issue and help you prioritize the next fix.

This article is for informational purposes only and reflects general marketing, technology, website, and small-business guidance. Platform features, policies, search behavior, pricing, and security conditions can change. Verify current requirements with the relevant platform, provider, or professional advisor before acting. Nothing in this article should be treated as legal, tax, financial, cybersecurity, or other professional advice.

Editorial note: Splinternet Marketing articles are researched from cited platform, documentation, regulatory, and industry sources. AI may assist with drafting and review; final content is checked for source support, practical usefulness, and platform/date accuracy before publication.