Did you know that WordPress can automatically update your website? Yes that include plugins and themes too. Despite the security benefits, there is a slight chance that it can break your website. In this article, we will show you how to disable automatic background updates in WordPress.
Note: This post was originally published on Oct 25, 2013, but we have updated it to add more insights and make it more comprehensive.
Background auto updates were introduced in WordPress 3.7 in an effort to promote better security. By default it is limited to only minor releases however in special cases WordPress may update your plugins and themes.
If you are one of the millions of websites that are using Yoast WordPress SEO plugin, then your site was automatically updated about a week ago without any notification!
Automatic updates are great for WordPress security because many users never update their plugins or their WordPress installs. However it can break your site which we will highlight below.
First let’s take a look at how to disable WordPress auto updates.
Configuring and Disabling Automatic WordPress Updates
The easiest way to do this is by installing and activating Disable Updates Manager plugin.
Go to Settings » Disable Updates Manager to configure your settings.
Alternatively, you can disable automatic updates in WordPress by adding this line of code in your
define( 'WP_AUTO_UPDATE_CORE', false );
This will disable all automatic WordPress updates.
However if you want to receive minor core updates, but disable theme and plugin updates, then you can do so by adding the following filters in your theme’s functions.php file or in a site-specific plugin.
Disable automatic WordPress plugin updates:
add_filter( 'auto_update_plugin', '__return_false' );
Disable automatic WordPress theme updates:
add_filter( 'auto_update_theme', '__return_false' );
Now that you know how to disable automatic updates in WordPress, the question is should you disable it?
On our sites, we have disabled automatic plugin and theme updates while keeping the minor core updates enabled.
We are listing the pros and cons of automatic updates below to help you make the decision that’s best for you.
You don’t have to worry about updating minor WordPress releases which are pushed out for maintenance and security purposes.
This is something that you only got if you paid for managed WordPress hosting, but now it’s available for everyone (at least for minor releases).
You also have the benefit of knowing that if there was a crucial security issue with WordPress or a popular plugin, then WordPress will automatically update even if you are on a vacation, so your site is secure.
There is a slight chance that automatic updates can break your site. In our experience, the minor releases haven’t broken any of our sites yet.
But that’s because we are following the best practices and not modifying any core files. If you modify WordPress core files, then these automatic updates can override them.
Although it hasn’t happened yet, but if WordPress ever felt necessary to push a security update for a theme you are using, then there is a chance that it will break your website specially if you have modified your theme files.
Similar to that, automatic plugin updates can break your site as well because there are just too many variables (different server environments, plugin combinations, etc).
Now it’s important to know that these updates will not break majority of websites, but considering WordPress powers millions of websites, a small percentage can still be a lot of sites.
For example, the recent Yoast SEO update broke two of our sites: WPBeginner and ThemeLab.
On WPBeginner, the issue was very edge-case. For some odd reason, our permalinks broke. That meant every page except our homepage was returning a 404 error. One of our users reported it, and we fixed it fairly fast. All we had to do was go to Settings » Permalinks and click Save Settings to rebuild permalinks.
On ThemeLab, Yoast SEO was deactivated without our knowledge. Apparently when the auto update happened something went wrong with the process which caused the plugin to deactivate.
Since this was such a subtle change which didn’t affect the site’s functionality, we didn’t catch it for a few days. Yoast SEO is crucial for search engine optimization because it handles your meta information, sitemaps, etc. All of that functionality was gone.
Google Webmaster Tools was showing a sitemap error because our sitemap URL now returned a 404.
Worst, our broken meta titles started being indexed which we are not sure how long it will take to recover from.
This issue was reported by several users in the comments of Yoast’ blog post.
The worst part about this update was that the core team did not communicate with site-owners. So there is a very good chance that some people haven’t even realized that their SEO is at risk because of a security update that possibly deactivated their main SEO plugin.
WordPress automatic updates for core is new, and automatic security updates for plugins has only been done TWICE … ever!
Normally when WordPress core updates, there is an announcement that follows with it.
However with the past two automatic plugin updates, we haven’t seen a blog post or an email from WordPress.
We fully support the efforts of improving security, but site owners should be notified of every change that is made to their site.
It would be nice to have the WordPress team send an email when they push out security updates to a plugin. Also there should be a way to notify the site owner if the update wasn’t successful, so they can fix the issues as soon as possible.
We hope that there is better communication and more transparency in these security updates in the future.
What are your thoughts automatic updates? Would you keep them enabled or use the above method to disable them? Let us know by leaving a comment below.