Hours after WordPress 4.9.3 was released, the WordPress development team followed it up with 4.9.4 to fix a critical bug with the auto update process. The bug generates a fatal PHP error when WordPress attempts to update itself.
This error requires WordPress site owners and administrators to manually update to WordPress 4.9.4 by visiting your Dashboard and clicking the Update Now button on the Updates page. Alternatively, you can update by uploading the files via SFTP or by using WP-CLI.
Dion Hulse, WordPress lead developer, says managed hosts that apply updates automatically for their customers will be able to update sites as they normally do. This may explain why some users have reported that sites running 4.9.3 have automatically updated to 4.9.4 without issue.
The bug stems from an attempt to reduce the number of API calls made when the auto update cron job is run. Unfortunately, the code committed had unintended consequences. “It triggers a fatal error as not all of the dependencies of
find_core_auto_update() are met,” Hulse said.
A postmortem will be published once the team determines how to prevent this mistake from happening in the future. “We don’t like bugs in WordPress any more than you do, and we’ll be taking steps to both increase automated coverage of our updates and improve tools to aid in the detection of similar bugs before they become an issue in the future,” Hulse said.
While WordPress 4.9.3 and 4.9.4 do not include any security fixes, it’s important to note that in order to receive automatic security updates in the future, sites using the 4.9 branch must be running at least 4.9.4. Older branches are unaffected.