WordPress 4.9.3 introduced a bug that causes a fatal error during automatic update attempts — effectively preventing future minor updates triggered by WordPress.org’s update system. The only way to fix it is to either manually upgrade or hosts to take action across their platforms to fix the issue.
Site owners can still update via the button in the admin, via WP-CLI, and manually, but if someone runs a service that plugs into the cron job that errors out, then they will need to use an alternative method. Once sites get onto 4.9.4, it’s business as usual again — it’s the gap from the 4.9 series releases that is the concern — and some sites will probably remain on 4.9.3. However since learning this didn’t affect past releases, I’m encouraged that the number of sites affected for the long term will be much smaller. You had to be on the latest version already, meaning you are more likely to be actively managing your site. I got this wrong in the prior version of the email.
Still, it’s a blow to automatic updates, which have been in WordPress since 3.7 — and frequently deployed, for all minor WordPress version updates for maintenance and security, as well as sometimes for vulnerable plugins and themes.
It will take some time to fully realize the consequences, and depends on host willingness to help rectify the situation, and how many sites actually received the update. My presumption is that most hosts are ready and willing to make things right. My fear is for the long tail of hosts that just don’t pay much attention, and especially fully unmanaged hosting instances.
WordPress updates go out really fast these days, and my understanding is that 4.9.3 got out pretty far and wide before the issue was discovered several hours after the incident.
I’m looking forward to follow-up from the core team about how this will be addressed — including outreach, hopefully to all site owners and hosting companies that can be found, so that they can be updated.
Only with some time will we find out what percentage of sites will be locked out from future auto updates, but we can probably assume that segment will now exist.
I’d recommend reading Dion’s summary of the issue in full. Thank you to Aaron Campbell for the quick correction.