Why Some Sites Automatically Updated to WordPress 4.1.3

Since WordPress 4.2 was released, some users are questioning why their sites have automatically updated to WordPress 4.1.3. There’s no information about the release on the Make WordPress Core site or the official WordPress news blog. However, this Codex article explains what’s in 4.1.3 and the reason it was released.

Fix database writes for esoteric character sets, broken in the WordPress 4.1.2 security release. Neither UTF-8 nor latin1 were affected. For more information, see ticket #32051.

The ticket contains a lengthy technical discussion of a critical bug and what was done to fix it. In addition to 4.1.3, the patch was merged into the following versions:

  • 3.7.7
  • 3.8.7
  • 3.9.5
  • 4.0.3

Since these are point releases, sites running WordPress 3.7 and higher will automatically update unless the server doesn’t support automatic updates or they have been disabled. If you’re running an old version of WordPress, I highly encourage you to update to 4.2. Not only does it have some nifty new features, but it also fixes 231 defects.
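
For anyone managing several installs, the branch-by-branch backport described above can be checked mechanically. The following Python script is an added example, not code from this post or from WordPress: it parses version strings numerically and classifies each install against the point releases listed above. The function names, status labels and sample inventory are assumptions made for illustration.

```python
import re

# Point releases carrying the ticket #32051 fix, as listed in the article
# (branch -> fixed release in that branch).
BRANCH_FIX = {
    (3, 7): (3, 7, 7), (3, 8): (3, 8, 7), (3, 9): (3, 9, 5),
    (4, 0): (4, 0, 3), (4, 1): (4, 1, 3),
}
NEWEST_BRANCH = (4, 2)    # newest branch at the time of the article
AUTO_UPDATE_MIN = (3, 7)  # article: 3.7 and higher update automatically


def parse_version(text):
    """'4.1.3' -> (4, 1, 3) and '4.2' -> (4, 2, 0); ValueError otherwise."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if m is None:
        raise ValueError(f"not a WordPress version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def fmt(v):
    return ".".join(str(n) for n in v)


def classify(text):
    """Return (status, note) for one installed version (labels are hypothetical)."""
    v = parse_version(text)
    branch = v[:2]
    if branch < AUTO_UPDATE_MIN:
        return ("manual-upgrade-needed", "older than 3.7, no automatic point releases")
    if branch >= NEWEST_BRANCH:
        return ("newest-branch", "already on 4.2 or later")
    fix = BRANCH_FIX.get(branch)
    if fix is None:
        return ("unknown-branch", "branch not listed in the article")
    if v < fix:
        return ("below-branch-fix", f"expect an automatic update to {fmt(fix)}")
    return ("patched-old-branch", f"has the fix, but {fmt(branch)}.x is not the newest branch")


def audit(inventory):
    """Map site name -> classify() result; bad version strings are flagged, not dropped."""
    report = {}
    for site, version in inventory.items():
        try:
            report[site] = classify(version)
        except ValueError as exc:
            report[site] = ("unparseable", str(exc))
    return report


# Constructed inventory for illustration (site names and versions are made up).
SAMPLE_INVENTORY = {
    "blog-a": "4.1.3", "blog-b": "4.2", "shop-c": "3.9.4",
    "legacy-d": "3.6.1", "broken-e": "4.x",
}

if __name__ == "__main__":
    for site, (status, note) in audit(SAMPLE_INVENTORY).items():
        print(f"{site:10} {status:22} {note}")
```

A site reported as `patched-old-branch` is the case that confuses people: it received the automatic point release for its own branch and is still not on 4.2.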


48 responses to “Why Some Sites Automatically Updated to WordPress 4.1.3”

      • I am at a loss with updating to 4.2.1. My site was automatically updated in the background to 4.1.3. Now, US-CERT has a critical security notice saying that any version prior to 4.2.1 is vulnerable and needs to be updated to version 4.2.1.

        One-click update says my site has been updated to 4.2.1 BUT the version that shows up on the update page still says 4.1.3??? huhhh???

        I also went through the hassle of manually updating my site by downloading 4.2.1 and following exactly what the manual update instructions say; Sadly, even the manual update did not even work!?

        At this point, the ONLY update that seems to work is the automatic background update that WordPress runs on my site.

        Is there a fix for this???

        • Looking at it like any other piece of software, there are sometimes reasons you can’t run the latest minor version (where format is ..). On Linux distributions you see this where they backport fixes because a ‘stable’ release can’t update a bunch of dependencies just because of a security breach.

          With WordPress there may be some sites running with custom coded plugins who have made the choice to stick with 4.1.x, or 3.9.x because it would cost them a bunch of money or pain to upgrade straight away. They may be working on porting but need some lead time to update parts of their code.

          It’s fantastic that WordPress are backporting security fixes into older versions for these situations. For those not used to the way versioning works in software it might be confusing, but I imagine 99% of users will have no issue in upgrading to 4.2 and leaving it at that.

    • Pull the entire site down local to xampp or mamp. Do manual updates. Rename your online folder where the install resides or if in the root move it to a subdirectory. FTP the manually updated site back up to the server.

      Make sure you’ve done a backup or export of the Database via a plugin or PHPAdmin

    • To be fair, there was supposed to be a post which covered these releases on the Make Blog, but it was forgotten about amidst everything else that was going on. Expect to see a post on either the Make WordPress Core site or on the WordPress news site later today.

    • Wow. Even if the order doesn’t confuse, there’s still those that don’t understand greater than / less than. It shouldn’t be that confusing to puzzle out what number is bigger than the other if you know basic math but I’ve been repeatedly surprised how many people don’t. I would have thought it a non issue but ignorance apparently prevails. Too many people asking me about this. Lol.

      • I don’t think that’s fair, or kind. Everyone asks “stupid” questions when they have to operate in a domain that’s unfamiliar to them.

        Can you honestly say that you’ve never asked a doctor, mechanic, etc a question that would have seemed obvious to them? Would you want them to dismiss you as ignorant, or to be gracious and help you understand what you need to know?

  1. Well, it crashed my site, I can’t install the plug ins that go with the theme. It’s not fun and after 10 years of WP, I’m off to look for another who doesn’t pull this crap. Yes, I am very angry at the moment. You access my site and you get “Under maintenance” message because I can’t fix it. Nothing installs right. It’s not stable.

    • It’s time to stop this automatic update crap. There was an uproar against it when it was announced, and it was promised that it would only be used for well tested security fixes and would _never_ cause any problems. Now an automatic update fix for automatic update fix bug is crashing a site.

      Every time I see “automatic update” I feel like I need to drop everything and check if anything broke.

          • Well. Considering I can’t get the damn WP to work with anything, I’m not losing much. And my concrete site is well on the way to being done. I’m just adding my content to the pages now.

            Why would I use a paid wordpress theme on a Concrete5 site? Do you think I’m stupid or did you think I would try that or were you trying to be insulting?

            I wiped all WP out. The really neat thing is the Concrete is going to look very much like that theme.

          • Not trying to be insulting. Just pointing out that one way or another you’re going to need to change your theme.

            Look at it this way. If someone installs a new theme or plugin and WordPress breaks, then obviously there’s a problem with that theme or plugin. But if someone installs a WordPress update and WordPress breaks, people tend to blame WordPress — even though it’s very likely still a problem with a specific theme or plugin.

            Anyway, hope Concrete5 works out for you.

          • Strange that my theme worked very well through all the last editions of WordPress and last night and this morning when I install the WP update, the damn thing crashed all plugins [paid for and WordPress free] and corrupted my pages so I got an error when I tried to view any of them. And the theme and the plugins had not been changed or updated since the last time which worked just fine. And the sad thing is it’s a popular theme and popular plugins esp the WordPress free ones. So if the only thing that changed was WordPress and the site crashed? It’s WordPress.

          • I use one click install for Concrete5. I just clicked [like WP one click] used their information pages to learn what I was doing [they have a great information section]
            Currently, I have everything done except the graphics that need resized by my Graphic Designer. She does all that as well as my bookcovers but after working today, the rest of the site is ready to roll.

            The major problem I had was understanding the editing in blocks. Once I got the handle on how that worked and the general layout of the controls? It actually was fun. And I can design any page I want. Plus they have some really neat free functional addons I had to pay for in WP.

            I’m liking this.

          • Ooochie…. Manual updates? How absolutely barbaric. LOL.

            What about performance? Memory abusage? I mean usage. Does it have workflows?

            I was doin’ a little memory checking on WP other night. A pretty much base install with a theme is about 500KB to 1 MB per session. I plan sometime here within next few weeks to take a look at the CPU munchies see where thats at.

          • If you do some test, then don’t forget to share it, sure with essay around that process :D comparison with Joomla or other historical system will be nice too :)
            I did not go so far with concrete, while uploading these files, I close FileZilla somewhere in the middle :) if something is crappy on the beginning I don’t continue usually.

          • Hi Peter,

            Why not try a local install with Xampp or Wamp or Mamp or or… well… you get the idea.

            Lots of files can be a “good thing” or a “bad thing”.

            99% of web applications are stateless. That is to say they have no idea whether a user has just went someplace else, shut off their PC, closed the browser .vs. a Mac or PC app which is always aware of state (short of oops, power went out! but can even bounce back in recovery), like Adobe PhotoMotoShop does. ;)

            Instead Web apps do little pieces of work. You should see what an enterprise level web app looks like, like the Onsale code I did for their now long since dead third party B2C auction site. As I recall it was on the order of 3000 or 4000 executable files. Imagine eBay! LOL.

            Not bringing into memory functions not used is a good thing. On the flip side of the coin having to bring in gobs of files has a cost as hard disks are mechanical and not fast at all compared to caching them in system memory or slapping them on SSD.

            For sites where things are gettin’ slow with a PHP app thats exactly what I recommend. Put the site on an SSD drive at a host firm and the client will instantly see a wonderful performance increase of 200% or better. If the Database also sits on an SSD Yippie!

            The smart cache I mentioned in a few posts does that. Its not just an “output cache” that is to say, when a page is rendered storing it so the next time its loaded it can just be sent out .vs. being rendered all over again until it changes and is invalidated.

            Instead, it also allows for a prioritization of input files. Then based on “hits” unto those files it will on its own move them into system memory or keep them on an SSD drive.

            Its not brain surgery. Not like I’m a Whiz Wonder. Just a great way to increase performance. The more system RAM we throw at caching input files in RAM the better the performance. The more “output cache files (pages already rendered)” that store unto an SSD drive, the faster. SSD can be an order of magnitude of 200-400% faster than a mechanical hard drive. This is why I tend tell people who are like running a client based firm in web design/development go with a dedicated server at a great host.

            Great hosts are flexible. “We want add a 512GB SSD”. Thats a TON of space and its an instant performance gain without basically doing a thing especially when the database also sits on it or another SSD. The DB is another bottleneck atop the bottleneck of a mechanical hard disk.

            My Windows PC via hard disk takes about 1.5 minutes to get completely booted up with things such as Comodo Internet Security etc etc. On SSD its about 35 seconds.

            Those types of benchmarks I also need run. WP on HD .vs. WP on SSD.

            Optimally the deal would be: All CSS, All Javascript and all PHP files on SSD as well as the mySQL database. Images dont need eat up space as they are on their own transport http://www.pookeyblog.com/img/meowmeow.jpg

            Though obviously if they are page to the user gets rendered faster. But to the application, say WordPress, that immaterial. What it wants to do is eat as little memory per session as it can and process the code and exit fast as possible. That equates to more sessions it can handle.

            An SSD is an instant solution to considerable speed/performance gains. Our cache simply intelligently (sorta stupid really) just watches how many times things are requested and will move files in high demand to RAM memory and swap things in a lower demand over to SSD. Pretty simple.

            Most hosts wont allow it. We have some hosting for example over at 1and1 and they went “nope. But if we buy a dedicated server well then….” Phht. Already gots one at Codero.


            In other news while sloshing down some Sam Adams with friends last night we talked about setting up a blog site as some have suggested and it appears that it will happen.

            So with that, probably be seeking some authors be that daily, weekly, monthly. Topics wise what was discussed was PHP, Databases, C#, Programming, CSS, HTML, Javascript, WordPress, .NET, Best of the best websites, wonderful computer software, reviews, using photoshop, gimp, corel draw, general technology chitter chatter and more. Pretty much technology oriented.

          • Well I have played with Concrete 5 for a few hours. It does take some time to install on Xampp, whoppin 253 tables on a base install to the database. It takes some getting used to and more study to be sure.

            It’s completely drag and drop and in as far as “page design” goes for the most part it’s exactly what the TMT team here is saying. Its base theme uses Bootstrap. The “theme” is exactly that at least from the webmaster perspective. You simply have areas for content, you can assign whatever you please to them. Layout is built in. So if on a row I want 3 boxes, layout, 3 boxes, done. It’s all editable right from the front end.

            From my cursory look at it this beats Joomla hands down. It DOES have workflows which I have not yet messed much with. What it doesnt appear to have is a large community of developers. It is a VERY different user interface, sorta like a brain dead word processor / desktop publisher hybrid so it might not be brain dead but simply takes getting used to.

            CLEARLY in as far as a webmaster (or if workflows are granular and REALLY workflows) it affords a lot more flexibility than WordPress in as far as the software itself goes.

            If it had the massive amounts of plugins it most assuredly would eat away at the “run my own show” marketshare.

            Of course, there is a caveat to “drag n drop” and page customization based upon such freedom (and it appears to have ALOT of freedom). What caveat?

            It means that the webmaster or if there is the ability to create truly fantabulous workflows has to pay very close attention to things NOT getting out of hand.

            “Isnt my website cool? I have a thousand pages!!!! My theme is AWESOME! Dont you think so?”

            How come every page layout looks different? It looks like 1000 grade schoolers got together each with their own idea for page design.

            If workflows allow for things such as “image lady”, “layout alien”, “writers”, “editors”, “publisher” with all the accept, reject, interactive communication between roles of these entities (and others) such as “event planner”, “chicken farmer”, “programmer”, etc etc. and those roles can be assigned granular enough to work smooth together as well as on pages and/or areas of pages, sections, categorical this/that. Then its a winner assuming its not, gee… I run 16 core server and can serve a whopping 100 users” It says it is enterprise capable sorta.

            Workflows are !important.

            If mamma is running her country cupcake grazing site no big deal. She is the workflow.
            But for say a information news site dealing with whatall… say WordPress… Workflow needs be one’s friend as otherwise one is fighting the platform to succeed .vs the platform making for smooth work, so folks can concentrate on writing, layout and getting the product (pages/information etc) to market (the web).

            Imagine your local newspaper or PeePle Magazine or The National unEnquirer. Organizations that are in Print media. They have workflows and assignments. Organized in a way that teams produce product (pages). Advertising folk who need sell space based upon that content. Department that does the feedback jibe to corporate about all content/sections.

            All very differing workflows.

            While these entities could use Jooml’r, WordPress, DriPal etc. what it all comes down to is workflows. Thats why I am anal on it. Been there, done that.

            In some respects it crackers me up on this theme stuff. I understand for example the need for a consistent end webmister/mistress having a consistent user interface. But if the moment a moderately complex workflow comes to need its, “Well… If you write it and dont publish it, then I can take that and move it here, and then she can edit things, then I can take it back, then I can add images and see if Julie approves of the way it looks”.


            *I* am the publisher for “The Dell Story”, “Harvey is the writer”, “Bob is the artist”, “Jan is the layout person”, “Julia is the copywriter”, “Bill is the council”, “Mary is the editor”, “Norma is assigned to the ad’s on this articles pages”, and lastly, “Gary is responsible for historical accuracy”.

            Our workflows might be:

            Harvey -> Gary -> Bill -> Mary -> Bill -> Jan


            Bob -> Jan

            Norma -> Jan
            Me , the publisher and goes live -> Julia Copywriter

            And it need be able to be changed on a dime if need be.

            In corporate it can vary wild. One reason that LifeRay (java based portal/cms) is used by some real heavies. GM US, GM China, GM Europe all have similar content they need put forth but quite a bit not similar as well. They all need communicate to one another about that global presence. All done under one application.

            Anyways… I need mess with it more and I am curious how session munchie it is. I wont do the full “9 yards” on performance. Just cursory stuff.

    • I’m with Phil Harrison.

      For those of us using WordPress professionally these autoupdates and structural changes willy-nilly three times plus per year are ridiculous. We want security updates and an annual major update which requires monitoring (database changes, deprecation of old hooks).

      We have almost one hundred active sites under our care – what are we supposed to do? Cancel our week’s work?

  2. A site owner who doesn’t pay much attention to these things might hear that a new version was released, then get an email notification that their site was updated to 4.1.3. My guess is a huge percentage of those site owners will think their site is running the latest version. At least the ones I’m in contact with on a daily basis will.

  3. As soon as I got a notice from one site about going from 4.1.2 to 4.1.3 and then a second notice from a different site going from 4.1.2 to 4.2, I just hit all my sites’ wp-admin and upgraded them all to 4.2.

  4. “Fix database writes for esoteric character sets, broken in the WordPress 4.1.2 security release”
    In other words, despite the best efforts, expertise and experience of the WordPress team, inevitably an automatic update to WordPress broke some people’s websites and the cure was worse than the illness it was meant to prevent. It’s not surprising they want to keep this quiet and haven’t publicised it like all the other core automatic updates.

    All those calling for automatic updates to plugins should take note: If this can happen in the core, how much more will it happen in plugins.

    All automatic update systems in WordPress – be it core, plugin security updates published by the WordPress team or any future plugin automatic updates – should have opt-out tick boxes within the USER INTERFACE (so any WordPress owner can access it without needing technical knowledge) and make an informed decision for themself. WordPress can put whatever warnings or disclaimers on it they like, so long as all WordPress users get a choice.

      • Why not? What makes you think adding a setting and giving people the option of an informed choice about THEIR website would lead to less updates? By having this feature it will draw attention to the fact that web based software needs to be updated for security and help people consider how THEY want to manage that process. It could actually improve update rates by helping educate the user base. The large number of old versions isn’t because loads of people have opted out of automatic updates, it’s because they don’t know how important it is to update – it’s about education.

        There seems to be a presumption (in software generally), that updates are always good and the latest version of anything is automatically the most secure. This is a fallacy. Whilst, in theory, existing features should become more secure as issues are found and fixed, as more features get added (which is the main purpose of most plugin updates) the potential for vulnerabilities increases.

        No small business wants to be the guinea-pig testing new versions of software. That’s why there’s a lag with switching to the latest version of Windows that comes out (other issues aside).

        Maybe a ‘Delayed Automatic Update’ option would help in this, e.g. a setting to automatically update, say, 1 week after the release, provided no patches have been released since then.

        • This is 110% correct.

          I tend favor update prioritization in software. That is to say if a security update needs occur that is a priority. Push it. Anything else should be at a users discretion. It does require a different way of looking at updates in as far as codebase goes. For example, this is why with Windows you see lots of “KB” updates. Updates need be monitored on the installation on an update by update basis. It can be quite complex.

  5. This is so damn confusing.. Two of our sites got updated to 4.2.1 automatically, while the other 30+ sites got updated to 4.1.4. I was hesitant to update to 4.2 because of all the bugs being reported, and sure enough, our two 4.2.1 sites are exhibiting some of these same issues. :(

    I’ve been using WP for 10+ years, so I’m not exactly new to this, but this was by far the most confusing set of updates I can remember, with limited info out there on what exactly was going on. This post was a huge help in figuring things out, so thanks!

