Keeping the WordPress core -- and all the plugins and themes you use on top of it -- up-to-date is an important part of any website security or speed enhancement plan. These software updates are pushed out to WordPress websites for a number of reasons.
Developers can push out brand new features or performance enhancements in updates. When bugs or other technical glitches are detected, developers can also use updates to quickly issue patches. There is also the case for using updates to resolve vulnerabilities found in the software.
Regardless of what part of WordPress needs an update, or the reason for it, these updates need to be done in a timely manner… and it’s not like you can expect WordPress to implement them for you, can you?
Actually, you can.
WordPress has the ability to automatically push certain updates to its users’ websites. Some of these auto updates have become an inherent part of each WordPress installation, too.
Which is why it may be a good idea to disable WordPress auto updates. Now.
This post will cover why auto updates aren’t the best idea for many websites. Then, we’ll give you some ways to disable WordPress auto updates and tips for more efficiently handling them going forward.
Why Aren’t WordPress Automatic Updates a Good Idea for Your Website?
Part of Sucuri’s Hacked Website Report focuses on how many outdated instances of WordPress were found in infected websites. Although 2017 saw a major decrease from 2016 in terms of how many outdated WordPress installations were detected, there were still roughly 40% of websites running on old software.
That’s a big problem. WordPress updates are issued for good reason. For instance:
- WordPress 4.9.6 was a privacy and maintenance release. It gave us a new GDPR privacy setting and page.
- WordPress 4.9.5 was a security and maintenance release. Three vulnerabilities in the software were fixed in addition to 25 bugs patched.
- Then, you have a major release like WordPress 4.9. This update brought along feature enhancements that users usually don’t see in minor updates that focus on performance and security problems.
Even if you or your clients don’t understand what the purpose of each update is, or don’t have time to spend learning more about it, that’s fine. The update still needs to be made. And this goes for plugins and themes, too.
Free Security eBook
[4 Pages] The 21-Step Checklist to
Ensure a 99.9% Secure WordPress Website
The Truth About WordPress Automatic Updates
🔐 Updates are an essential part of maintaining performance and security. You can't hide from this fact. #WordPress Click To Tweet But if this is the case, why am I not telling you to go ahead and automate them? After all, WordPress must have configured automatic background updates for a reason, right?
Starting with version 3.7, WordPress automated minor updates. The Codex elaborates:
By default, only minor releases – such as for maintenance and security purposes – and translation file updates are enabled on most sites. In special cases, plugins and themes may be updated.
It expands on the plugin and theme point further:
[A]utomatic background updates only happen for plugins and themes in special cases, as determined by the WordPress.org API response, which is controlled by the WordPress security team for patching critical vulnerabilities.
There are indeed benefits in automating WordPress updates:
- They’re an essential part of fortifying a WordPress site, so this simplifies some of that work you have to do to keep it safe.
- They ensure your site always has the latest and greatest version of all software, so it can run at its level best.
- For you or the person responsible for managing the site, automated updates also happen to be quite convenient, leaving you with less work to do in maintaining your site.
However, when updates are left automated, there is a chance your site could break somewhere down the road as a result. Imagine what that might mean for a huge ecommerce client whose site goes down sometime around midnight and you only notice it when you log in at 9 a.m. the next morning. Yikes.
Let’s also not forget the fact that WordPress users don’t typically receive notifications when WordPress or a plugin or theme automatically updates. Realistically, that means you could be walking into a white screen of death and not actually know that an automated update was the cause of it.
Not only could an update take down a website, but it could result in time spent troubleshooting the issue. In that case, what makes the most sense?
Disable WordPress updates and rest assured that when you log in each day, the site is still online and running at peak performance.
Enable automatic updates and hope that conflicts between the core, plugins, and/or themes don’t somehow break the site somewhere along the way.
If you’re still not convinced that disabling WordPress auto updates is the best choice, let me clue you into something that happened in 2016 that will likely scare you away for good:
Wordfence’s Auto-Update Discovery
WordPress uses api.wordpress.org to handle the release of automated updates to users. This is how the process works:
While this makes the process of automatically updating sites much easier for WordPress, it’s not a totally failsafe system. Think about it:
When a website has auto-updates enabled, that means it recognizes api.wordpress.org as a trusted source and accepts any and all updates from it. So, what happens if an infection gets into the core?
Here’s what that scenario would look like:
Because WordPress is open-source and because the auto-update API has a publicly available GitHub webhook, you can imagine the development team has to be very careful about what goes into the code on the server. That’s why GitHub submissions go through rigorous checks and balances on the backend to ensure they’re coming from a legitimate source (i.e. a WordPress developer).
Despite how strong security seems here, Wordfence detected a serious vulnerability on one of the weaker hashing algorithms of the webhook.
Essentially, the poorly constructed hashing mechanism made it significantly easier for a brute force attacker to crack the code and get inside api.wordpress.org. If a hacker had been able to do this, any infection added to the server would’ve been distributed to every website with auto-update enabled.
While WordPress quickly fixed the issue (only after Wordfence notified them about it), this should still give anyone considering automated WordPress updates serious pause.
WordPress is a great content management system to work in and we are lucky to have some of the world’s best developers contributing code to it. That said, websites are highly valuable to hackers that can get their hands on them, which means you have to do everything in your power to keep them out.
How to Disable WordPress Auto Updates
Security threats from the API or not, WordPress updates should be handled with care.
Unless you work with a single theme and plugin developer who carefully codes and syncs each of their tools with one another, there’s always a chance that the code in one piece of software will conflict with another. And it could come from a plugin or theme you’ve had for months or even years. Just one imbalance between two elements could take down your site.
The disabling of WordPress automatic updates is the clear solution.
Once you disable WordPress auto updates, you can take full control over the process. This means testing every new core, plugin, or theme update in a safe testing environment away from your live WordPress site.
If anything should happen, then no big deal. Your staging site took the brunt of the abuse and you know that it’s not safe to proceed on the live site.
If everything goes smoothly, then all it takes is a few clicks to push a new update through.
So, let’s talk about how to disable WordPress auto updates. As usual, you have two options:
- The manual approach that requires some light coding.
- The plugin approach.
It’s important to note that, with either option, you have some flexibility in what you disable. For instance, let’s say you want to completely disable WordPress auto updates for the Core, but want to allow for plugin security updates to go through. There are ways to mix-and-match your disable settings.
1. Disable WordPress Auto Updates Manually
To disable WordPress auto updates for the Core files, log in to your control panel. Navigate to your SFTP or File Manager to edit files at the root of your database.
Locate the wp-config.php file.
Highlight it and click Edit.
Inside the file, add the following lines based on what you want to do:
This will disable WordPress auto updates for every aspect of your site:
define( 'automatic_updater_disabled', true );
This will only disable WordPress auto updates for the core files:
define( 'wp_auto_update_core', false );
Although you can disable WordPress auto updates for translation files, minor updates, major updates, themes, and plugins, it requires the use of
add_filter() calls. The wp-config.php file isn’t really capable of handling them, so WordPress advises finding another method for disabling those elements.
There’s also the fact that you can’t effectively switch off automatic updates on themes or plugins unless you create child versions of them. Since any future updates will automatically override any code you insert into the functions file, this may be an additional step you’re not prepared to handle.
In that case, if you really want to get granular in disabling automatic updates, use a plugin.
Disable WordPress Auto Updates with a Plugin
Easy Updates Manager is the go-to plugin for disabling automatic updates--and you can do this for one site for a Multisite network. Here is how to use it:
In your WordPress dashboard, go to Plugins > Add New. Locate Easy Updates Manager.
Click Install Now. Then, when done, click Activate.
From your plugins list, locate Easy Updates Manager and click Configure.
The General tab allows you to set all conditions for how you want to manage and receive notifications about updates.
Options here include:
- Disabling all automatic updates.
- Enabling automatic updates.
- Default leaves WordPress’s settings in place.
- Yes allows for all updates to be automated.
- No allows for no updates to be automated.
- Custom allows you to apply automatic updates to different parts of WordPress. For instance:
Disabling/enabling automatic plugin updates.
In addition to disallowing plugins to be automatically updated, you could also handpick which ones you want those settings applied to.
I’ll show you where to apply those individual settings in just a minute.
Disabling/enabling automatic theme updates.
Same configurations apply as with plugins.
Enabling of core automatic updates.
This is if you continue to use auto-updates.
You can also turn off updates altogether for different parts of the site:
Below this, you’ll see that you can deactivate the browser nag that reminds you when something needs to be updated, too.
I would strongly advise against applying any of these disabling settings. While it’s one thing to disable WordPress auto updates, it’s another to turn off updates altogether. They’re a critical part of your site’s security and performance. To do without them will put your site at risk for some pretty terrible things.
Now, under the Plugins tab, you can go through each plugin individually and choose if you want to enable or disable WordPress auto updates. You can also switch off updates, but, again, I think that’s a bad idea. Just use this tab to personalize automated updates if you still want to use them.
Under Themes, you only have the choice to enabling or disabling updates. There’s nothing here related to automatic updates.
So, be careful if you mess around in this tab or else you could lose valuable updates that come from your theme developer.
Free Security eBook
[4 Pages] The 21-Step Checklist to
Ensure a 99.9% Secure WordPress Website
As you can see, there are very good reasons why you should disable WordPress auto updates. And, with the process of doing so being so easy, there’s really no reason why you shouldn’t do it… right?
I’m sure some of you might be worried about how much time this will add to your daily workload.
If you’re no longer relying on automated updates to run in the background, this means you have to log into the website frequently to check for new updates--especially those urgent security releases--and then test them on a staging server before implementing on the site. And this becomes exponentially more work based on how many websites you manage.
But don’t let this discourage you from learning how to disable WordPress auto updates (or having someone else do it for you). Just because you’ve taken the onus off of WordPress to handle updates doesn’t mean it has to fall on you.
If you’re already signed up for a WordPress maintenance plan with WP Buffs, you’re in luck as we include WordPress Update Services in every Care Plan. And if you’re not working with us yet, think about how much time and how many headaches you could save by having us worry about how to disable WordPress auto updates. Learn how to become a partner, today.
Want to give your feedback or join the conversation? Add your comments 🐦 on Twitter.