WordPress users – do an update now, and do it by hand!

The automatic update to WordPress 4.9.3 broke automatic updating, so the emergency update to 4.9.4 means you need to click a button.

WordPress just announced a most embarrassing bug.
Earlier this week, the world’s most widely used blogging and content delivery platform pushed out its Version 4.9.3 Maintenance Release.
There weren’t any critical security patches in this one, but there were 34 bug fixes, and who doesn’t want bugs fixed promptly?
And for more than four years, updating WordPress has been pretty easy – you haven’t had to type a single word or press a single button.
As Naked Security’s Mark Stockley wrote, back in October 2013 when WordPress 3.7 came out:

We’ve all become quite used to the idea of the software on our desktops, tablets, laptops and smartphones silently patching itself in the background and it’s good to see popular web software catching up – it’s long overdue.
What makes background updates for WordPress such a significant step is the software’s sheer popularity. Nobody is quite sure how many of the world’s websites are running on WordPress but the consensus seems to be that it’s about 15% to 20%.

These days, some estimates put the WordPress website share even higher, in the upper 20% range, so automatic updates are even more important than they were back in 2013.

The Catch-22 bug

Unfortunately, the WordPress 4.9.3 update introduced an updating bug: after auto-updating to 4.9.3, WordPress will no longer update automatically.
The good news is that 4.9.4 is already out, published as an emergency fix just one day later…
…but the bad news is that you’ll have to pretend it’s 2012 all over again and update by hand. (Sadly, you’re only pretending, so you won’t be able to pick up a pocketful of bitcoins for $10 each while you’re there.)
Once you get 4.9.4, auto-updating will be restored, so when 4.9.5 comes out, it should take care of itself as you’d expect.

What to do?

WordPress has published an explanation of the bug and detailed instructions for “handraulic” updating; the TL;DR version is:

Simply visit your WordPress Dashboard → Updates and click “Update Now.”

Don’t delay – do it today, so you don’t risk forgetting about it and getting caught out down the road.
If someone else hosts your WordPress server for you, ask them to confirm that they’ve completed this week’s double update, unless they’ve notified you already.
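For anyone who looks after several WordPress sites, or hosts them for others, here is an added example (not from the article or from WordPress) of a small POSIX shell check that reads the $wp_version value WordPress records in wp-includes/version.php for each site root and flags any install still sitting on 4.9.3, the release that can no longer update itself. The site directories and version files in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article or WordPress): report WordPress installs
# stuck on 4.9.3, the release whose auto-updater is broken, so an operator or
# host can confirm the manual "Update Now" step was done on each site.
# Assumes each site root holds the standard wp-includes/version.php file,
# which defines $wp_version.
STUCK_VERSION='4.9.3'   # the release that cannot auto-update (from the article)
FIXED_VERSION='4.9.4'   # the emergency release that restores auto-updating

# Print the core version recorded in a site's wp-includes/version.php,
# or "unknown" if the file is missing or the version line cannot be parsed.
wp_core_version() {
    file="$1/wp-includes/version.php"
    [ -r "$file" ] || { echo unknown; return; }
    ver=$(sed -n "s/^\$wp_version *= *'\([^']*\)';.*/\1/p" "$file" | head -n 1)
    echo "${ver:-unknown}"
}

# Exit status 0 when the install is on the stuck release and needs a manual update.
needs_manual_update() {
    [ "$(wp_core_version "$1")" = "$STUCK_VERSION" ]
}

# Walk a list of site roots and print one tab-separated status line per site:
# <status> <version> <path>
report_sites() {
    for site in "$@"; do
        ver=$(wp_core_version "$site")
        if [ "$ver" = "$STUCK_VERSION" ]; then
            status='NEEDS-MANUAL-UPDATE'
        elif [ "$ver" = unknown ]; then
            status='NOT-WORDPRESS'
        else
            status='ok'
        fi
        printf '%s\t%s\t%s\n' "$status" "$ver" "$site"
    done
}

# Constructed demo: two fake site roots containing only the version file.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/stuck/wp-includes" "$tmp/fixed/wp-includes"
    printf "<?php\n\$wp_version = '%s';\n" "$STUCK_VERSION" > "$tmp/stuck/wp-includes/version.php"
    printf "<?php\n\$wp_version = '%s';\n" "$FIXED_VERSION" > "$tmp/fixed/wp-includes/version.php"
    report_sites "$tmp/stuck" "$tmp/fixed" "$tmp/not-a-site"
    rm -rf "$tmp"
}
demo
```

On a real server, replace the demo with a call such as report_sites /var/www/*/public_html to sweep every site root in one go.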


My site was updated automatically…
I just checked and it’s on 4.9.4


Some sites have updated and I’ve narrowed it down somewhat to sites which have language packs installed. Do you mind if I ask: Is your WP instance something other than `en_US` locale?


WordPress occasionally has these severe bugs, but it seems very popular.
Are the competing products worse?


WordPress has very few severe bugs in my opinion, and I think that the WordPress security team have shown themselves to be highly competent, this issue notwithstanding. WordPress is the 800lb gorilla in the CMS space so its bugs are bigger news than its competitors’.
Part of the software’s success is down to the ecosystem of tens of thousands of plugins that can extend its functionality. They’re made by third party developers and the quality of code and support varies wildly. That pool of plugins provides a steady stream of bad news that has little, if anything, to do with the WordPress core and the security team that maintain it.
My advice to small and medium businesses is that there is little to choose between the major, open source Content Management Systems – WordPress, Drupal and Joomla. They’re very similar, free, open source, actively and competently maintained, have a mature approach to security, can be extended by third party plugins, are easy to migrate from and to, aren’t hard to lock down and have a vast pool of developers ready to work on them.
Of course, they’re complex pieces of software and they all have problems from time to time. I don’t think any of them are a bad choice though and I think you need an extremely good reason to look elsewhere.
I edge towards WordPress because of its automatic updating and its maker’s preference for small, frequent, backwards compatible updates over large, impressive and infrequent updates.


As far as I understand the bug report only auto-updates for non-core releases – like themes – were broken. So 4.9.4 should be rolling out without any issue. If someone has any further information please let me / us know.


That is indeed how the initial bug report frames it. However, the official statement from WordPress on the 4.9.4 maintenance reads:
“This maintenance release fixes a severe bug in 4.9.3, which will cause sites that support automatic background updates to fail to update automatically, and will require action from you (or your host) for it to be updated to 4.9.4.”


WordPress’s notification is, as Mark says, unequivocal about this. I wonder how many people who now find themselves at 4.9.4 without expecting it just happened to “get lucky” with the timing of their update checks, or had what turned out to be a fortunate network glitch along the way, and skipped 4.9.3 altogether? It wasn’t out for very long…


All my installs are on 4.94 and all from 4.93 automatically. I am not seeing this issue reported by which is a really good resource for all wp sites. If you are not using Wordfence you are not protected. Naked!


WordPress users, do NOT update now, just walk away and look for something else.
In two days when the next issue comes around, you can lay back and smile.


I don’t think this is the sort of super-bad bug that should be enough to make anyone decide to jump ship.
If you’re thinking of switching platforms, be sure to take a much deeper look. See Mark Stockley’s well-informed comment above, talking about WordPress, Drupal and Joomla…


DasJan, four months late, this comment will be here for posterity – just as yours is.
I once found WordPress abhorrent. In hindsight a large portion of my concern was after reading forums where “the blind leading the blind” was not entirely inaccurate, such as:
just chmod 777, LOL
My opinion was less than complimentary and based on what I perceived as an egregiously lax stance on security. While maybe five years ago security wasn’t as much of a focus, this was still a less-than-fair, projected assessment of the dev team. While I wouldn’t mind a bit more structure in the who-we-allow-to-build-plugins department, I’m far more willing to use WordPress than I once was.
Lastly, if you have shell access, WP administration gets even better/smoother/cleaner with wp-cli. Check it out.


Interesting to reflect that if you had walked away and looked for something else, high on your list would have been Drupal. If you’d chosen that in February you’d have found yourself dealing with the two “Drupalgeddon” bugs that cropped up since then, while there’s been little excitement on the WordPress front.
Which is not to say that WordPress is good or Drupal is bad, only that if you want a piece of software as complex, useful, maintainable, extensible and widely deployed as either then you need to have a better strategy for dealing with security than running for the hills when serious bugs turn up.

