
WordPress Update Breaks Future Auto-Updates. Manually Update Now!

This entry was posted in WordPress Security on February 8, 2018 by Mark Maunder

[Update at 10:50am PST: Based on the comments we’ve received below, it sounds like this problem only affects certain sites.  We have received several reports of successful updates, although some of these may be the hosting provider updating WordPress installs manually. Overall this looks like good news for the WordPress team who reported this as a severe bug. If you have been impacted by this, let us know in the comments.]

In an unfortunate turn of events, WordPress 4.9.3 was released earlier this week and it included a bug which broke WordPress auto-update. Millions of sites auto-updated from 4.9.2 to WordPress 4.9.3 and it broke their ability to auto-update in the future.

What Broke?

WordPress 4.9.3 included a bug that causes a fatal PHP error when WordPress tries to update itself. This interrupts the auto-update process and leaves the site on 4.9.3 forever.

The core developers tried to reduce the number of API calls that occur when an auto-update job is run. According to the WordPress core development blog:

#43103-core aimed to reduce the number of API calls which get made when the autoupdate cron task is run. Unfortunately due to human error, the final commit didn’t have the intended effect, and instead triggers a fatal error as not all of the dependencies of find_core_auto_update() are met. For whatever reason, the fatal error wasn’t discovered before 4.9.3’s release – it was a few hours after release when discovered.

Only Actively Maintained Sites Are Affected

WordPress has included the capability to auto-update since WP version 3.7, which was released four years ago. The WordPress auto-update function only updates minor versions by default. That means that only releases that change the number to the far right of your WP version will auto-update. In other words, if you were on 4.9.3 and 4.9.4 is released, your site will auto-update. But if WordPress 5.0.0 is released, your site will not auto-update by default.

It’s important to understand that WordPress works this way, because that limits the number of sites that auto-updated to the version that broke auto-update. Only WordPress sites running 4.9.2 would have updated automatically to 4.9.3, which broke auto-update.

This is important because (A) it means that the population of websites that now have a broken auto-update is smaller than all WordPress sites and, more importantly, (B) the sites that have a broken auto-update would have been manually updated by the site owner when WordPress 4.9 was released.

This means that every site affected by this was manually updated to WordPress 4.9 “Tipton” after November 16, 2017 when 4.9 was released. So, while this bug is unfortunate, the good news is that, for the most part, it only affects actively maintained sites that have been manually updated by the admin within the last 3 months. If a site was not updated to WordPress 4.9 during that time, it will still be on an older track and will not have received the broken auto-update.

The sites that we are most concerned about are sites that are unmaintained. If auto-update broke on those sites, they may not receive another update for several years, until someone remembers the site exists and does an update. Those unmaintained sites are not affected by this and will continue to auto-update.

For example, we have an unmaintained test website that is currently on WordPress version 3.9.23 and it has been steadily receiving auto-updates without any updates from us. That site is not affected by this bug and it received its most recent auto-update on January 16th.

Update Your Site Manually Now

Some of you will find that your hosting company has taken care of this for you, especially if you are on a ‘Managed WordPress’ plan. If you are now stuck on WordPress 4.9.3, you will need to manually update your site to continue receiving auto-updates. To update manually and get past this broken auto-update issue, simply sign into your WordPress site as your admin user and visit Dashboard → Updates and click “Update Now.”

After the update, make sure that your core version is 4.9.4. You can scroll down and check the bottom right of your admin panel and it should say “Version 4.9.4”.
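A fleet check for the condition described above, as an added example that is not from the original post or from WordPress: it reads `$wp_version` from each install's `wp-includes/version.php` and flags installs still on 4.9.3. The function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): flag WordPress installs still on 4.9.3.
BROKEN_VERSION="4.9.3"   # per the post, the release whose auto-updater fails

# Print the core version from <install>/wp-includes/version.php, which holds
# a line of the form:  $wp_version = '4.9.3';
wp_core_version() {
    sed -n 's/^[[:space:]]*\$wp_version[[:space:]]*=[^0-9]*\([0-9][0-9A-Za-z.-]*\).*/\1/p' \
        "$1/wp-includes/version.php" 2>/dev/null | head -n 1
}

# The post's rule: by default only the right-most number changes automatically,
# so CURRENT and OFFERED must share their first two components.
auto_updates_by_default() {
    [ "$1" != "$2" ] &&
    [ "$(echo "$1" | cut -d. -f1,2)" = "$(echo "$2" | cut -d. -f1,2)" ]
}

# Print "STUCK <ver>", "OK <ver>" or "UNKNOWN" for one install directory.
classify_install() {
    v=$(wp_core_version "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN"                  # no readable version.php
    elif [ "$v" = "$BROKEN_VERSION" ]; then
        echo "STUCK $v"                 # needs the manual update to 4.9.4
    else
        echo "OK $v"
    fi
}

# Classify every install found below a root directory, one line per install.
audit_tree() {
    find "$1" -type f -path '*/wp-includes/version.php' 2>/dev/null | sort |
    while IFS= read -r f; do
        dir=${f%/wp-includes/version.php}
        printf '%s\t%s\n' "$(classify_install "$dir")" "$dir"
    done
}

# Constructed sample installs (not real sites) so the script runs offline.
make_demo_tree() {
    root=$(mktemp -d)
    for pair in site-a:4.9.3 site-b:4.9.4 old/wp:3.9.23; do
        mkdir -p "$root/${pair%%:*}/wp-includes"
        printf "<?php\n\$wp_version = '%s';\n" "${pair##*:}" \
            > "$root/${pair%%:*}/wp-includes/version.php"
    done
    echo "$root"
}

# Scan the directory given as $1, or the constructed demo tree if none is given.
audit_tree "${1:-$(make_demo_tree)}"
```

Installs reported as STUCK need the manual update described above; installs on other versions are not affected by this bug.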

Please share this info with the WordPress community to help make them aware that they will need to sign into their sites and do the manual update to get past version 4.9.3 and this issue.


49 Comments on "WordPress Update Breaks Future Auto-Updates. Manually Update Now!"

Sal February 8, 2018 at 9:43 am • Reply

I have about 30 WordPress sites and ALL of them were automatically updated to the 4.9.3 AND 4.9.4...

Sal C.

Florin February 8, 2018 at 9:46 am • Reply

My WordPress-based website was updating alone from 4.9.2 to 4.9.3 and yesterday the same automatically to 4.9.4, I did nothing manually.

Mark Maunder February 8, 2018 at 10:13 am • Reply

It seems that only some sites are affected by this. We have no data on what percentage at this time.

Larry Sanford February 8, 2018 at 9:52 am • Reply

Well, I tried to log into the admin panel for one of my WP sites, and I got "WordPress . Error" on the browser tab, and the message "Not available." on the page. Is this being caused by the issue discussed? Don't remember what version of WP my site is on right now, nor do I remember if I have auto-update turned on. I will try one of my other sites, but I need some help on this ASAP. Thanks in advance.

Larry Sanford February 9, 2018 at 2:39 am • Reply

Can someone from WordFence at least COMMENT about the issue I am having logging into my WordPress admin panel (The "Not available" error). I have a sneaking suspicion this has something to do with the auto-update issue. Thank you in advance.

Mark Maunder February 9, 2018 at 11:34 am • Reply

Sorry Larry, we don't provide customer support here and this sounds like a WP issue, not a Wordfence issue.

Gordon February 8, 2018 at 9:52 am • Reply

Unless you were lucky enough to install updater plugin by Bestwebsoft. My sites have already dealt with the issue.

Wordfence and Updater, my two main "go to" plugins.

Larry Sanford February 8, 2018 at 9:53 am • Reply

I forgot to mention that the URL that is shown in the browser address bar when I get the "Not available" error is "http://www.sanfordandsonrc.com/wp-admin/admin-post.php". Hope that helps.

Tamara February 8, 2018 at 9:56 am • Reply

I am stuck on 4.9.2. When 4.9.3 came out I manually updated and was told I have the latest version, 4.9.2. Then when I got the alert for 4.9.4 I tried to manually update to that and again was sent to the page saying I have the latest version but it still says 4.9.2.

Do I need to reinstall?

Tamara February 8, 2018 at 2:54 pm • Reply

Anyone have an answer to my situation? It's great to read all the comments about how everything updated just fine. And they get responses. But nothing for those of us that it is not working for?

Mark Maunder February 8, 2018 at 3:56 pm • Reply

Hi Tamara,

It doesn't sound like this is an issue that affects your ability to update. It sounds like it may be something else. Also we don't really do support in our blog comments and in general issues that relate to your ability to manage your WP site should be referred to your host. This bug would not affect your ability to update from 4.9.2.

Regards,

Mark.

Tamara February 8, 2018 at 8:22 pm • Reply

"To update manually and get past this broken auto-update issue, simply sign into your WordPress site as your admin user and visit Dashboard → Updates and click “Update Now.”"

Ah, so the comments are just for the people to share that things are working properly. I mistakenly thought it might be of interest to know that for some of us, they are still not updating properly.

Apologies.

Larry Sanford February 9, 2018 at 2:42 am • Reply

I cannot even log into my WordPress admin panel any more. I get an empty page with the message "Not available".

Michael February 8, 2018 at 9:59 am • Reply

I use a third-party management plugin called WP Remote that lets me manage all of my customer's WordPress sites in one panel. It picked up on the 4.9.4 update and I was able to push them all without any issues. Oddly enough I got email notifications that some of the sites updated on their own before I pushed them thru this panel, so I wonder if there are certain conditions where the bug may have not triggered during auto-update?

Mark Maunder February 8, 2018 at 10:12 am • Reply

Hi Michael,

As I've indicated to other commenters, we're seeing the same thing on our test servers.

Mark.

David Riviera February 8, 2018 at 10:04 am • Reply

Oddly enough, a few select sites automatically updated to 4.9.4 without intervention. Others did not.

Mark Maunder February 8, 2018 at 10:11 am • Reply

We're seeing the same thing David.

Larry Sanford February 8, 2018 at 10:08 am • Reply

I was able to log into two of my other sites and was able to manually update from 4.9.3 to 4.9.4, but got the same "Not available" error on two other sites. I think the two sites where I did NOT have the problem, may have auto-update turned off, while the sites that are having the issue have been auto-updating. Not 100% sure though.

Judith Newman February 8, 2018 at 10:08 am • Reply

I'm now at WP 4.9.4 on all my sites - seems to have happened automatically because I didn't do the update manually. Am I still stuck as well? Do I need to keep an eye on this and manually update beyond this version? "In other words, if you were on 4.9.3 and 4.9.4 is released, your site will auto-update. But If WordPress 5.0.0 is released, your site will not auto-update by default." It's not clear to me whether my sites will automatically update to the next version.

Mark Maunder February 8, 2018 at 10:10 am • Reply

You're fine. We had this happen too. The update actually succeeded on a few of our test sites. So I don't think it's broken across the board.

Ben Rosenthal February 8, 2018 at 10:15 am • Reply

Within 24 hours after one of my sites got updated to 4.9.3, it got updated to 4.9.4, no intervention from me. However, another site went to the former but not the latter, so I just updated it manually.

I get that sites won't upgrade to WP 5.0 automatically, but if there are other minor updates between now and then, will they be automatic?

Mark Maunder February 8, 2018 at 10:17 am • Reply

Once you get past this, they will update minor versions automatically.

Your hosting provider may have done that update for you.

Christina February 8, 2018 at 10:11 am • Reply

Thanks for the heads up but I find it strange that all my WP sites (12) got updated either automatically or by myself to WP core version 4.9.4 after having been on 4.9.3 for just one day or so. Did WP manage to fix the issue?

Mark Maunder February 8, 2018 at 10:14 am • Reply

Actually it just occurred to me that your host may have updated your sites.

Rich Stern February 8, 2018 at 10:13 am • Reply

I am finding that 4.9.3 did not definitively break automatic updating. I have found at least a half-dozen examples of sites which updated from 4.9.3 to 4.9.4 without any manual action.

I am the only WordPress admin for those sites, and I am also the admin for the servers they are hosted on, so there was no manual intervention.

Haven't found any common denominators yet for sites that automatically updated vs. ones that have not auto updated.

Jack February 8, 2018 at 10:33 am • Reply

I had one hosting client that had TWO WordPress domains installed in his hosting account. Both domains use the same set of themes and plugins. One of the domains was manually updated by me (as the hosting company), but the other domain updated on its own. Since the only difference between the two sites is the actual content, I'm at a loss to explain how it happened.

Rich Stern February 8, 2018 at 11:27 am • Reply

I think it's pretty clear that, while the WordPress folks did find a serious bug, they didn't do enough analysis before rushing out the 4.9.4 patch with too-broad an explanation.

Hoping they sharpen the pencil and offer more details.

Trevor February 8, 2018 at 10:23 am • Reply

I checked my websites and they're already on 4.9.4. Apparently they managed to update on their own after all.

Mark Maunder February 8, 2018 at 10:29 am • Reply

Your host may have done that for you. Some of our test boxes have successfully updated. Not all.

Andy February 8, 2018 at 10:25 am • Reply

So I am a little confused. I believe all of my sites have been auto updating for at least a year but I seem to remember possibly doing some updating manually, I just don't remember which site or exactly when because I don't keep a log.

Is there any other way of checking if the auto update is broken other than waiting until the next update and seeing if it works?

Thanks,

Andy

Mark Maunder February 8, 2018 at 10:28 am • Reply

Yes. Check if you're running 4.9.3. If you are then auto-update to 4.9.4 and you're done. If you're already on 4.9.4 or do not have a 4.9.x site or have auto-update disabled, then you don't have to worry.

Gigi February 8, 2018 at 10:31 am • Reply

I had auto-update enabled for all of my sites, and they all auto-updated from 4.9.3 to 4.9.4. Four of my sites are with one host, and the other site is with another host.

I'm also not sure if my site auto-updated or if the host was involved. I do get emails from the auto-update process, and the email I received indicated an auto-updating had happened: "Your site at ___ has been updated automatically to Wordpress 4.9.4." etc.

Debwork February 8, 2018 at 10:34 am • Reply

Get this, I have a client with two websites that were on 4.9.3
same hosting account
same theme
same plugins
and as far as I know same settings.

One auto updated to 4.9.4 and the other did not (!)
Only difference is one is in a sub-directory.

WorkingHardInIT February 8, 2018 at 10:45 am • Reply

Auto update worked just fine from 4.9.3 to 4.9.4 for a self installed /managed Windows Server 2016 VM in Azure IAAS. I did not do it, works like before in this scenario as well it seems.

Imtiaz Epu February 8, 2018 at 10:47 am • Reply

My WordPress website was updating alone from 4.9.2 to 4.9.3 and then yesterday the new version 4.9.4 updated automatically too.

EJ February 8, 2018 at 11:26 am • Reply

I received an automated alert that our site updated successfully from 4.9.3 to 4.9.4. Hosted on Hostmonster.

spid February 8, 2018 at 1:30 pm • Reply

I have 2 websites and both were updated to 4.9.4 without any intervention.

AbigailM February 8, 2018 at 1:46 pm • Reply

I saw most, but not all, of my sites, handle the update automatically -- but some sites have a single entry in the wp error log -- "PHP Fatal error: Uncaught Error: Call to undefined function request_filesystem_credentials"

All sites on the same server, same PHP version. I really don't know why some updated and some didn't -- as I was aware of the reported WP bug, I simply went ahead and manually updated the few sites that had not updated automatically, and didn't try to debug further.

Andrea D. La Vigne February 8, 2018 at 1:57 pm • Reply

The site I manage (only the blog page is WordPress) automatically updated to 4.9.3, and then I had to manually update to 4.9.4. So with the release of the 4.9.4 version, is that auto-update bug now fixed? It is unclear to me from this article.

Andrea D. La Vigne February 8, 2018 at 1:58 pm • Reply

Never mind--I just saw the comment that said that 4.9.4 is OK! :)

Steve February 8, 2018 at 3:54 pm • Reply

To echo others I've seen at least 20 sites update from 4.9.3 to 4.9.4 automatically. Can't tell if this is server-related or there's another factor causing some to do this and some not.

Arrunadayy February 8, 2018 at 9:10 pm • Reply

All my sites were auto-updated to new version 4.9.4. So not affected by this issue.

Ashwin Singh February 9, 2018 at 12:09 am • Reply

All my sites got auto Updated to 4.9.4 but one of my sites was stuck on 4.9.3 and I needed to update it manually. So, I think it broke only a few sites not all.

Joe Berger February 9, 2018 at 4:35 am • Reply

All sites developed and maintained by HAL XXI's enterprise were auto-updated to new version 4.9.4. No issues found!

Ben Nash February 9, 2018 at 4:40 am • Reply

Everyone, WP is ancient. Try Bolt CMS.

Wolf Kettler February 9, 2018 at 8:06 am • Reply

Mine is showing 4.9.4. Not sure if auto-updated or carried out by my hosting provider.

Marvin February 9, 2018 at 8:45 am • Reply

I first found out about the WP 4.9.4 update when I received notice one of the sites I manage had auto-updated. As I usually do, I checked to see what the update entailed (in case it was a huge security issue like Drupalgeddon so I can manually update my other sites). I was surprised to see that it was an update to make sure auto-updates happen correctly. About 3 other sites updated on their own before I could manually do the rest. Perhaps the specific server setup or php version is playing a role here?

Rick Allen February 11, 2018 at 8:41 am • Reply

This issue hit one of my installs. When the server auto-updated 4.9.1 to 4.9.4 we got the errors described. We had to disable the plugin from FTP, then delete it from the WP dashboard, then re-install the 4.9.4 update, then re-install Wordfence. So far no other sites we manage have been affected.

Garry Tiedemann February 12, 2018 at 2:36 pm • Reply

All my sites auto-updated to 4.9.4-en_AU. Thank you to Mark for the heads-up.
