WordPress update breaks future updates

An update to WordPress' content delivery platform issued this week introduced a bug that prevents WordPress from updating automatically to any new versions in the future.

The company's version 4.9.3 maintenance release pushed out earlier this week contained fixes for 34 bugs, but also broke the software's ability to auto-update to future versions, Paul Ducklin of Sophos' Naked Security team revealed.

"A bug went undetected during the 4.9.3 development cycle, and was only discovered hours after 4.9.3’s release. The bug causes a PHP Fatal error to be triggered when WordPress attempts to update itself," WordPress said.

It said the update had intended to reduce the number of API calls when the autoupdate cron task is run, but "human error" meant the final commit inadvertently triggered the fatal error.

While the company jumped on the issue and published version 4.9.4 the following day as an emergency fix, users will need to install the update manually.

"Unfortunately this means that WordPress administrators will need to proceed with a WordPress update themselves, through the WordPress administration panel (just hit update now under updates), using WP-CLI, or via FTP," WordPress said.

"Hosts who apply updates automatically on their customers behalf will also be able to continue to update sites as normal."

The update fixes the bug, meaning users should be able to auto-update to 4.9.5 when it is released, Ducklin said.

"We’ll be making a follow up post after we’ve been able to determine how to ensure that this never happens again," WordPress said.

"We don’t like bugs in WordPress any more than you do, and we’ll be taking steps to both increase automated coverage of our updates and improve tools to aid in the detection of similar bugs before they become an issue in the future."