Make WordPress Core

Opened 11 days ago

Last modified 8 days ago

#44568 new defect (bug)

Two concurrent post deletes results in invalid return values

Reported by: ajmccluskey Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: General Keywords:
Focuses: rest-api Cc:


Steps to reproduce

Using the REST API:

  • Create a post
  • Run two deletes for created post concurrently:
    1. Force delete (query params: ?force=true)
    2. Delete without forcing (do not specify force query parameter)


One delete to return 200 OK and a valid return value. The other to return a 404 Not Found or 410 Gone depending on which one was successful.


  1. Force delete returns 200 OK and an empty post object (normally returns a JSON object including keys deleted and previous).
  2. Delete without force returns a post object full of null (see below)
    "id": null,
    "date": "",
    "date_gmt": "",
    "guid": {
        "rendered": null,
        "raw": null
    "modified": "",
    "modified_gmt": "",
    "password": null,
    "slug": null,
    "status": null,
    "type": null,
    "link": false,
    "title": {
        "raw": null,
        "rendered": ""
    "content": {
        "raw": null,
        "rendered": "",
        "protected": false
    "excerpt": {
        "raw": null,
        "rendered": "",
        "protected": false
    "author": 0,
    "featured_media": 0,
    "comment_status": null,
    "ping_status": null,
    "sticky": false,
    "template": "",
    "format": "standard",
    "meta": [],
    "categories": [],
    "tags": [],
    "_links": {
        "self": [
                "href": "http:\\/\\/\\/wp-json\\/wp\\/v2\\/posts\\/"
        "collection": [
                "href": "http:\\/\\/\\/wp-json\\/wp\\/v2\\/posts"
        "about": [
                "href": "http:\\/\\/\\/wp-json\\/wp\\/v2\\/types\\/post"
        "wp:attachment": [
                "href": "http:\\/\\/\\/wp-json\\/wp\\/v2\\/media"
        "curies": [
                "name": "wp",
                "href": "https:\\/\\/api.w.org\\/{rel}",
                "templated": true


  • WordPress is latest release version at time of writing (4.9.7)
  • Server OS is Linux (running in a VM with fresh install)
  • Default theme is installed
  • Basic-Auth plugin is the only plugin installed -- required for testing

Change History (1)

#1 @soulseekah
8 days ago

Hey there, welcome to Trac! Thanks for your ticket.

WordPress operations are non-atomic. WordPress on the whole is not thread-safe. This means that calling most of the APIs that interact with the database is risky.

If you need to protect your resources from concurrent operations you'll have to perform synchornization (mutexing) yourself.

Rewriting WordPress to be thread-safe means rewriting like 80% of its APIs... a very daunting task. To my knowledge there haven't been any attempts at even trying to include synchronization to API calls. Perhaps it's time...

Note: See TracTickets for help on using tickets.