How to Disable WordPress Auto Updates (Plugins & Manually)

Become a WordPress Buff
Why It May Be a Good Idea to Disable WordPress Auto Updates
Share on twitter
Share on email
Share on facebook
Share on linkedin

Keeping the WordPress core — and all the plugins and themes you use on top of it — up-to-date is an important part of any website security or speed enhancement plan. These software updates are pushed out to WordPress websites for a number of reasons.

Developers can push out brand new features or performance enhancements in updates. When bugs or other technical glitches are detected, developers can also use updates to quickly issue patches. There is also the case for using updates to resolve vulnerabilities found in the software.

Regardless of what part of WordPress needs an update, or the reason for it, these updates need to be done in a timely manner… and it’s not like you c

an expect WordPress to implement them for you, can you?

Actually, you can.

woah face wow GIF

WordPress has the ability to automatically push certain updates to its users’ websites. Some of these auto updates have become an inherent part of each WordPress installation, too.

Which is why it may be a good idea to disable WordPress auto updates. Now.

This post will cover why auto updates aren’t the best idea for many websites. Then, we’ll give you some ways to disable WordPress auto updates and tips for more efficiently handling them going forward.

Our team at WP Buffs helps website owners, agency partners and freelancer partners perform safe WordPress updates every single week. Whether you need us to manage a 1 website or support 1000 client sites, we’ve got your back.

Why Aren’t WordPress Automatic Updates a Good Idea for Your Website?

Part of Sucuri’s Hacked Website Report focuses on how many outdated instances of WordPress were found in infected websites. Although 2017 saw a major decrease from 2016 in terms of how many outdated WordPress installations were detected, there were still roughly 40% of websites running on old software.

outdated platforms from 2017

That’s a big problem. WordPress updates are issued for good reason. For instance:

  • WordPress 4.9.6 was a privacy and maintenance release. It gave us a new GDPR privacy setting and page.
  • WordPress 4.9.5 was a security and maintenance release. Three vulnerabilities in the software were fixed in addition to 25 bugs patched.
  • Then, you have a major release like WordPress 4.9. This update brought along feature enhancements that users usually don’t see in minor updates that focus on performance and security problems.

Even if you or your clients don’t understand what the purpose of each update is, or don’t have time to spend learning more about it, that’s fine. The update still needs to be made. And this goes for plugins and themes, too.

The Truth About WordPress Automatic Updates

🔐 Updates are an essential part of maintaining performance and security. You can't hide from this fact. #WordPress Click To Tweet But if this is the case, why am I not telling you to go ahead and automate them? After all, WordPress must have configured automatic background updates for a reason, right?

automatic WordPress updates

Starting with version 3.7, WordPress automated minor updates. The Codex elaborates:

By default, only minor releases – such as for maintenance and security purposes – and translation file updates are enabled on most sites. In special cases, plugins and themes may be updated.

It expands on the plugin and theme point further:

[A]utomatic background updates only happen for plugins and themes in special cases, as determined by the WordPress.org API response, which is controlled by the WordPress security team for patching critical vulnerabilities.

There are indeed benefits in automating WordPress updates:

  • They’re an essential part of fortifying a WordPress site, so this simplifies some of that work you have to do to keep it safe.
  • They ensure your site always has the latest and greatest version of all software, so it can run at its level best.
  • For you or the person responsible for managing the site, automated updates also happen to be quite convenient, leaving you with less work to do in maintaining your site.

However, when updates are left automated, there is a chance your site could break somewhere down the road as a result. Imagine what that might mean for a huge ecommerce client whose site goes down sometime around midnight and you only notice it when you log in at 9 a.m. the next morning. Yikes.

Let’s also not forget the fact that WordPress users don’t typically receive notifications when WordPress or a plugin or theme automatically updates. Realistically, that means you could be walking into a white screen of death and not actually know that an automated update was the cause of it.

Not only could an update take down a website, but it could result in time spent troubleshooting the issue. In that case, what makes the most sense?

Disable WordPress updates and rest assured that when you log in each day, the site is still online and running at peak performance.

Or

Enable automatic updates and hope that conflicts between the core, plugins, and/or themes don’t somehow break the site somewhere along the way.

If you’re still not convinced that disabling WordPress auto updates is the best choice, let me clue you into something that happened in 2016 that will likely scare you away for good:

Wordfence’s Auto-Update Discovery

WordPress uses api.wordpress.org to handle the release of automated updates to users. This is how the process works:

Normal view of the Wordfence API auto-update

While this makes the process of automatically updating sites much easier for WordPress, it’s not a totally failsafe system. Think about it:

When a website has auto-updates enabled, that means it recognizes api.wordpress.org as a trusted source and accepts any and all updates from it. So, what happens if an infection gets into the core?

Here’s what that scenario would look like:

Compromised view of WordPress API auto update

Because WordPress is open-source and because the auto-update API has a publicly available GitHub webhook, you can imagine the development team has to be very careful about what goes into the code on the server. That’s why GitHub submissions go through rigorous checks and balances on the backend to ensure they’re coming from a legitimate source (i.e. a WordPress developer).

Despite how strong security seems here, Wordfence detected a serious vulnerability on one of the weaker hashing algorithms of the webhook.

Essentially, the poorly constructed hashing mechanism made it significantly easier for a brute force attacker to crack the code and get inside api.wordpress.org. If a hacker had been able to do this, any infection added to the server would’ve been distributed to every website with auto-update enabled.

While WordPress quickly fixed the issue (only after Wordfence notified them about it), this should still give anyone considering automated WordPress updates serious pause.

WordPress is a great content management system to work in and we are lucky to have some of the world’s best developers contributing code to it. That said, websites are highly valuable to hackers that can get their hands on them, which means you have to do everything in your power to keep them out.

How to Disable WordPress Auto Updates

Security threats from the API or not, WordPress updates should be handled with care.

WordPress updates

Unless you work with a single theme and plugin developer who carefully codes and syncs each of their tools with one another, there’s always a chance that the code in one piece of software will conflict with another. And it could come from a plugin or theme you’ve had for months or even years. Just one imbalance between two elements could take down your site.

The disabling of WordPress automatic updates is the clear solution.

Once you disable WordPress auto updates, you can take full control over the process. This means testing every new core, plugin, or theme update in a safe testing environment away from your live WordPress site.

If anything should happen, then no big deal. Your staging site took the brunt of the abuse and you know that it’s not safe to proceed on the live site.

If everything goes smoothly, then all it takes is a few clicks to push a new update through.

manual plugin updates

So, let’s talk about how to disable WordPress auto updates. As usual, you have two options:

  1. The manual approach that requires some light coding.
  2. The plugin approach.

It’s important to note that, with either option, you have some flexibility in what you disable. For instance, let’s say you want to completely disable WordPress auto updates for the Core, but want to allow for plugin security updates to go through. There are ways to mix-and-match your disable settings.

1. Disable WordPress Auto Updates Manually

To disable WordPress auto updates for the Core files, log in to your control panel. Navigate to your SFTP or File Manager to edit files at the root of your database.

File Manager

Locate the wp-config.php file.

Highlight it and click Edit.

edit wp-config

Inside the file, add the following lines based on what you want to do:

This will disable WordPress auto updates for every aspect of your site:

define( 'automatic_updater_disabled', true );

This will only disable WordPress auto updates for the core files:

define( 'wp_auto_update_core', false );

Although you can disable WordPress auto updates for translation files, minor updates, major updates, themes, and plugins, it requires the use of add_filter() calls. The wp-config.php file isn’t really capable of handling them, so WordPress advises finding another method for disabling those elements.

There’s also the fact that you can’t effectively switch off automatic updates on themes or plugins unless you create child versions of them. Since any future updates will automatically override any code you insert into the functions file, this may be an additional step you’re not prepared to handle.

theme functions

In that case, if you really want to get granular in disabling automatic updates, use a plugin.

Disable WordPress Auto Updates with a Plugin

Easy Updates Manager

Easy Updates Manager is the go-to plugin for disabling automatic updates–and you can do this for one site for a Multisite network. Here is how to use it:

In your WordPress dashboard, go to Plugins > Add New. Locate Easy Updates Manager.

locate plugin

Click Install Now. Then, when done, click Activate.

From your plugins list, locate Easy Updates Manager and click Configure.

configure easy updates

The General tab allows you to set all conditions for how you want to manage and receive notifications about updates.

manage updates

Options here include:

  • Disabling all automatic updates.
  • Enabling automatic updates.
  • Default leaves WordPress’s settings in place.
  • Yes allows for all updates to be automated.
  • No allows for no updates to be automated.
  • Custom allows you to apply automatic updates to different parts of WordPress. For instance:

custom updates

Disabling/enabling automatic plugin updates.

In addition to disallowing plugins to be automatically updated, you could also handpick which ones you want those settings applied to.

automatic plugin updates

I’ll show you where to apply those individual settings in just a minute.

Disabling/enabling automatic theme updates.

Same configurations apply as with plugins.

Enabling of core automatic updates.

This is if you continue to use auto-updates.

You can also turn off updates altogether for different parts of the site:

turn off all updates

Below this, you’ll see that you can deactivate the browser nag that reminds you when something needs to be updated, too.

I would strongly advise against applying any of these disabling settings. While it’s one thing to disable WordPress auto updates, it’s another to turn off updates altogether. They’re a critical part of your site’s security and performance. To do without them will put your site at risk for some pretty terrible things.

Now, under the Plugins tab, you can go through each plugin individually and choose if you want to enable or disable WordPress auto updates. You can also switch off updates, but, again, I think that’s a bad idea. Just use this tab to personalize automated updates if you still want to use them.

individual plugin updates

Under Themes, you only have the choice to enabling or disabling updates. There’s nothing here related to automatic updates.

individual theme updates

So, be careful if you mess around in this tab or else you could lose valuable updates that come from your theme developer.

Wrapping Up

As you can see, there are very good reasons why you should disable WordPress auto updates. And, with the process of doing so being so easy, there’s really no reason why you shouldn’t do it… right?

I’m sure some of you might be worried about how much time this will add to your daily workload.

If you’re no longer relying on automated updates to run in the background, this means you have to log into the website frequently to check for new updates–especially those urgent security releases–and then test them on a staging server before implementing on the site. And this becomes exponentially more work based on how many websites you manage.

But don’t let this discourage you from learning how to disable WordPress auto updates (or having someone else do it for you). Just because you’ve taken the onus off of WordPress to handle updates doesn’t mean it has to fall on you.

If you’re already signed up for a WordPress maintenance plan with WP Buffs, you’re in luck as we include WordPress Update Services in every Care Plan. And if you’re not working with us yet, think about how much time and how many headaches you could save by having us worry about how to disable WordPress auto updates. Learn how to become a partner, today.

Want to give your feedback or join the conversation? Add your comments 🐦 on Twitter.

Share this post:
Share on twitter
Share on email
Share on facebook
Share on linkedin
Did you enjoy this post? Subscribe for more

Register for our next live WP AMA event!

🏆Chance to win weekly giveaways

📆 Instant invites to our Weekly WP AMA

🙋 First access to submit questions

💻 Direct links to all of our events

WP Buffs, LLC is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please enter your name and email address above.

You can unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy. By clicking submit above, you consent to allow WP Buffs, LLC to store and process the personal information submitted above to provide you the content requested.

Read about how we increased Rigorous Digital's profit margin by 23% and helped remove all website issues for MEP Publishers and their 3 complex websites.

Case study eBook cover (MEP Publishing)
No thanks, I don't need more profit and I can tackle all my WordPress issues myself.
Case study eBook cover (Rigorous Digital)

WP Buffs, LLC is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please enter your name and email address above.

 

You can unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy.

By clicking submit above, you consent to allow WP Buffs, LLC to store and process the personal information submitted above to provide you the content requested.

Which care plans best fit your websites (or client sites)?

✔️ White-label site management

✔️ $1,000+ of premium plugins free under our care plans
✔️ 24/7 website edits and priority support
✔️ Ongoing speed and security optimization
✔️ 24/7 website uptime monitoring
✔️ 4x daily cloud backups
✔️ Weekly plugin, theme and core file updates
✔️ Weekly reports detailing any on-site changes

No thanks. I can manage, speed up, secure, fix and grow websites myself.
Questionnaire
No thanks. I can manage, speed up, secure, fix and grow websites myself.

Schedule a private call with our team to discuss our 24/7 WordPress care plans for serious website owners or 24/7 white-label site management for agencies and freelancers

Finally, a WordPress newsletter you'll actually read every single month.

✔️ High-impact news

✔️ Actionable tutorials and videos

✔️ #WordPress Twitter highlights

✔️ Vote on receipient of $200 donation and WP Buffs merch giveaways

✔️ Fully curated so you only receive the best 5% of content

No thanks, I have other ways to stay updated with WP

WP Buffs, LLC is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please enter your name and email address above.

You can unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy. By clicking submit above, you consent to allow WP Buffs, LLC to store and process the personal information submitted above to provide you the content requested.

Finally, get your website 99.9999% secure and loading in under 1 second.

Our free eBooks and easy-to-follow checklists will have your website fully optimized in just a few hours.

No thanks, my website is as fast and secure as I want it.

WP Buffs, LLC is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please enter your name and email address above.

You can unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy. By clicking submit above, you consent to allow WP Buffs, LLC to store and process the personal information submitted above to provide you the content requested.

How to Sell Your Very First Care Plans Cover

Finally, an email list that helps make WordPress simple and effective for you.

Speed & security optimization tips and detailed how-to guides with advice you can implement today.

No thanks, I already know everything about WordPress.
Speed checklist eBook cover

WP Buffs, LLC is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please enter your name and email address above.

 

You can unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy. By clicking submit above, you consent to allow WP Buffs, LLC to store and process the personal information submitted above to provide you the content requested.

Case study eBook cover (Rigorous Digital)
Case study eBook cover (MEP Publishing)
How to Sell Your Very First Care Plans Cover

Honed and proven strategies we've used successfully 500+ times to help you sell your first care plans. Action steps you can implement in minutes.

No thanks, I can already sell as many care plans as I want.
How to Sell Your Very First Care Plans Cover

WP Buffs, LLC is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please enter your name and email address above.

 

You can unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy.

By clicking submit above, you consent to allow WP Buffs, LLC to store and process the personal information submitted above to provide you the content requested.

No thanks, I'm happy with my MRR

The WPMRR Virtual Summit! A free online conference 100% focused on helping you make monthly recurring revenue work for your WordPress business.

wpmrrvsblue

✔️ Attend every session and panel for free

✔️ Access to live event with all your WP friends

✔️ Free MRR merch giveaways

✔️ WP Buffs donation of $1 per registrant to Lawyers for Good Government

✔️ Make subscription revenue a core part of your business