WordPress 4.9.4 Fixes Critical Auto Update Bug in 4.9.3

Hours after WordPress 4.9.3 was released, the WordPress development team followed it up with 4.9.4 to fix a critical bug with the auto update process. The bug generates a fatal PHP error when WordPress attempts to update itself.

This error requires WordPress site owners and administrators to manually update to WordPress 4.9.4 by visiting your Dashboard and clicking the Update Now button on the Updates page. Alternatively, you can update by uploading the files via SFTP or by using WP-CLI.

Dion Hulse, WordPress lead developer, says managed hosts that apply updates automatically for their customers will be able to update sites as they normally do. This may explain why some users have reported that sites running 4.9.3 have automatically updated to 4.9.4 without issue.

The bug stems from an attempt to reduce the number of API calls made when the auto update cron job is run. Unfortunately, the code committed had unintended consequences. “It triggers a fatal error as not all of the dependencies of find_core_auto_update() are met,” Hulse said.

A postmortem will be published once the team determines how to prevent this mistake from happening in the future. “We don’t like bugs in WordPress any more than you do, and we’ll be taking steps to both increase automated coverage of our updates and improve tools to aid in the detection of similar bugs before they become an issue in the future,” Hulse said.

While WordPress 4.9.3 and 4.9.4 do not include any security fixes, it’s important to note that in order to receive automatic security updates in the future, sites using the 4.9 branch must be running at least 4.9.4. Older branches are unaffected.


21 responses to “WordPress 4.9.4 Fixes Critical Auto Update Bug in 4.9.3”

  1. And here we are again suffering from things that just should not have been in a minor release in the first place. Was it really that important to push such a change right now? unlikely., but this is not the first minor release to which features that are neither security fixes or major bug fixes are being pushed, a policy change that was never publicly discussed anywhere out of slack.

    • Agreed. This is directly related to the “WordPress 5.0 won’t ship until Gutenberg” directive. There is absolutely no reason Gutenburg couldn’t have shipped with 5.1 or 5.2. Since 5.0 has been delayed, we’re now seeing larger features being rolled out in minor releases. For what? So we can have a 5.0 label along with Gutenberg? Makes no sense at all. Are we really making technical decisions based on marketing benefits?

      • The “suffering” from this meant the grief of making one extra mouse click (to update from the Dashboard).

        And if I don’t go to that great trouble of clicking the button? My host automatically updates it within 24 hours.

        If this is “suffering” for you, I fear for you if something truly difficult would come into your path.

  2. This is an embarrassing bug for the WordPress core team and shows that they’re rushing to get updates out without proper testing. 4.9.3 should never have gone out, and now anyone that was automatically updated has to waste their time manually updating to 4.9.4. Whoever is leading the project now should be removed.

    • I agree with a lot of the concerns expressed here but I have a very different philosophy on the notion that mistakes like this should result in firing (at the WordPress scale or some of the much larger scale things we see in the news every day).

      In my experience managing people, someone who has made a mistake like this is the last person that will ever make another mistake of similar magnitude. They’ll be extremely cautious for a long time to come having suffered this embarrassment.

      Put a new person on the task and you start the timer all over again on waiting for their first mistake. It’s not if, it is when.

  3. I guess this doesn’t affect every site. Mine automatically updated itself as usual. I received the standard email this morning.

    Your site has updated to WordPress 4.9.4

    Howdy! Your site at [removed] has been updated automatically to WordPress 4.9.4.

    No further action is needed on your part. For more on version 4.9.4, see the About WordPress screen

    I was definitely on 4.9.3 before this. I’m looking at the notification email for that auto-update right now and remember logging in to confirm it yesterday.

    I’m not on a managed WordPress host. It’s a VPS with cPanel and I didn’t install WordPress using an auto-installer. I installed it manually.

    • Same here: I’m on a VPS and I manage the contents of the server myself, and I had several blogs auto-update from 4.9.3 to 4.9.4 before I had a chance to update them manually.

      If it only fails under certain circumstances, that might explain how the bug was missed during QA.

    • Same as usual: You click the button and it updates to 4.9.4.

      The bug isn’t in the updater, it’s in the job that automatically runs the updater without you having to tell it, and it’s in 4.9.3, not in the service. If you’re still on an older version, you’re not affected for two reasons:
      1. Your site doesn’t have the buggy code.
      2. Your site isn’t using automatic updates to begin with, or it would have updated to 4.9.3 by now.

  4. Has anyone had any issues with the auto update failing and their site going down? A client of ours has a site that tried to update to 4.9.4 and it failed due to directory creation issues and now they’ve lost all plugins and theme files. The database still seems intact.


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: