WordPress's broken automatic update function

Thanks to a bug, you must manually patch WordPress 4.9.3. Unless you do, you'll be stuck on WordPress 4.9.3 and vulnerable to the next WordPress attacks.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Twenty-nine percent of all websites use WordPress. With 60 percent of the content management system (CMS) market, WordPress outdistances all other CMSs. So, when there's trouble with WordPress security, many of us are in trouble. In its latest release, 4.9.3, WordPress shot itself in the foot by disabling its ability to be automatically updated.

According to WordFence, a WordPress security site, "WordPress 4.9.3 was released earlier this week and it included a bug which broke WordPress auto-update. Millions of sites auto-updated from 4.9.2 to WordPress 4.9.3 and it broke their ability to auto-update in the future."

This bug causes a fatal PHP error when WordPress tries to update itself. This interrupts the auto-update process and leaves the site on 4.9.3 forever. If you, like most smart WordPress administrators, have WordPress automatically patch itself, your site will be locked on 4.9.3 and won't receive the newer versions that fix future WordPress security problems.

Dion Hulse, a WordPress lead developer, explained: "#43103-core aimed to reduce the number of API [Application Programming Interface] calls which get made when the autoupdate cron task is run. Unfortunately due to human error, the final commit didn't have the intended effect, and instead triggers a fatal error as not all of the dependencies of find_core_auto_update() are met. For whatever reason, the fatal error wasn't discovered before 4.9.3's release -- it was a few hours after release when discovered."

To fix it, you need to manually update your WordPress software by one of the following methods:

  • Through the WordPress Administration area: Visit your WordPress Dashboard > Updates and click "Update Now."
  • With WP-CLI: If you have command line access to WordPress, and WP-CLI installed, wp core update will update your site just as quickly as before.
  • Manually by FTP: If you prefer, you can update by downloading the latest ZIP and using FTP to upload it to your site. The only changed files expected are wp-includes/update.php and wp-includes/version.php.
  • With PHP: If you have command line access, you can also update WordPress simply by running wp_maybe_auto_update() inside of WordPress. For example: php -r 'include "wp-load.php"; wp_maybe_auto_update();'. This is also how we suggest hosts who don't have WP-CLI installed proceed with automated updates for their customers.

Thanks to its popularity, WordPress sites are often attacked. Relying on automatic updating alone can -- and it has here -- come back to bite you. Instead, you must keep an eye on your site and make sure it's updated. As ZDNet's David Gewirtz pointed out, to protect your WordPress-based site, you should:

  • If you are unwilling to do any maintenance or management whatsoever, either use the hosted WordPress.com service or hire someone to manage your site.
  • If you want the ability to customize your site, you need to keep everything updated regularly. It is well worth investing in either managed hosting or a maintenance service to make that easier.
  • If you try to cheat the game by downloading commercial plugins or themes for free from "off-brand" sites, you will get hacked. Worse, you will likely deliver malware to your site's visitors.

Not all WordPress sites have fallen prey to this update hiccup. By default, WordPress's auto-update function only updates minor versions. Only WordPress sites running 4.9.2 would have updated automatically to 4.9.3, which broke auto-update.

Finally, not all websites have reported seeing this bug. Some have automatically updated to 4.9.4. At this time, no one has found a common denominator for the sites that have automatically updated successfully.

Still, it's far better to be safe than sorry. Check your site, and if it's still on 4.9.3, manually update it using one of the methods described above.
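
For anyone responsible for more than one install, here is one way to run that check from the command line. This is an added example, not code from the article or the WordPress project; it assumes each install keeps the stock wp-includes/version.php, which sets the version on a line of the form `$wp_version = '4.9.3';`, and the site names in the demo are constructed.

```shell
#!/bin/sh
# Added example: find WordPress installs stuck on 4.9.3 under a hosting root.
# Assumption: wp-includes/version.php contains a line like
#   $wp_version = '4.9.3';

# Print the version string of the install rooted at $1 (empty if not found).
wp_version_of() {
    sed -n "s/^[$]wp_version *= *'\([^']*\)';.*/\1/p" \
        "$1/wp-includes/version.php" 2>/dev/null | head -n 1
}

# Classify one install. "stuck" means the release whose auto-update is
# broken, so a manual update is required; other versions are only reported.
classify() {
    v=$(wp_version_of "$1")
    case "$v" in
        '')    echo "unknown" ;;
        4.9.3) echo "stuck" ;;
        *)     echo "other:$v" ;;
    esac
}

# Walk a root directory and print "<status><TAB><install path>" per install.
scan_root() {
    find "$1" -type f -path '*/wp-includes/version.php' 2>/dev/null | sort |
    while IFS= read -r f; do
        site=${f%/wp-includes/version.php}
        printf '%s\t%s\n' "$(classify "$site")" "$site"
    done
}

# Demo on a constructed tree (hypothetical site names, not real hosts).
demo() {
    root=$(mktemp -d)
    for pair in alpha:4.9.3 beta:4.9.4 gamma:4.8.5; do
        d="$root/${pair%%:*}/wp-includes"
        mkdir -p "$d"
        printf "<?php\n\$wp_version = '%s';\n" "${pair##*:}" > "$d/version.php"
    done
    scan_root "$root"
    rm -rf "$root"
}

demo
```

Every path reported as `stuck` needs one of the manual update methods listed earlier; replace the `demo` call with `scan_root` and your own hosting root to check real sites.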
