When it comes to security, we know how important it is to regularly update WordPress installations (core, themes and plugins), and how long the upgrade process can take, especially when a good number of plugins are installed. It’s commonly recommended to follow these steps:

  1. Back-up files and database tables
  2. Disable plugins
  3. Update
  4. Enable plugins one by one
  5. Check the website

It can be a tedious task for a single website, and an annoying and complex job when we have to update five, ten or more websites.

With the specific purpose of improving installation security and making site administration easier, WordPress 3.7 introduced automatic updates. By default, this cool feature is enabled for minor releases (i.e. maintenance and security releases) and translation files, but it’s possible to customize any kind of update. So, in this post, we’ll look at how to automate the upgrade process anytime a new version of WordPress core, a theme or a plugin is released. Let’s dive deep into WordPress automatic updates!

WordPress Automatic Updates

There are four typologies of WordPress automatic updates:

  1. Core updates
  2. Plugin updates
  3. Theme updates
  4. Translation files updates

Core updates are divided into three sub-typologies:

  1. Core development (only available for development installations)
  2. Minor core updates (maintenance and security) – enabled by default in stable installations
  3. Major core updates

WordPress allows you to automate the update process for any of these typologies by providing two wp-config.php constants and a good number of API filters.

Controlling Background Updates Through wp-config.php

WordPress provides a couple of wp-config.php constants that allow us to control auto-updates. Setting AUTOMATIC_UPDATER_DISABLED to true will disable any kind of automatic upgrade:

define( 'AUTOMATIC_UPDATER_DISABLED', true );

WP_AUTO_UPDATE_CORE allows us to control core updates (minor, major and development releases). This constant can be defined as follows:

# Disables all core updates:
define( 'WP_AUTO_UPDATE_CORE', false );

# Enables all core updates, including minor and major:
define( 'WP_AUTO_UPDATE_CORE', true );

# Enables minor updates:
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

In development installations WP_AUTO_UPDATE_CORE defaults to true. In stable installations it defaults to minor.

For the sake of completeness, I should mention an additional constant that can be defined to disable auto-updates. However, setting its value to true will disable any file edits, even themes and plugin installations and manual updates.

define( 'DISALLOW_FILE_MODS', true );

Instead, you may prefer to define the DISALLOW_FILE_EDIT constant, which disables the file editor while leaving the installation and update functionality intact.

Controlling Background Updates Through API Filters

Configuration constants provide a general way to enable or disable auto-updates. But WordPress also provides a number of filters which grant deeper control over any kind of update.

Note: Filters should be used within plugins, and “must use plugins” are a good option for background updates. mu-plugins reside in a specific folder inside /wp-content and are automatically enabled by WordPress. These plugins do not appear in the WordPress Plugins screen, so they cannot be accidentally disabled or removed by the site admins. For a deeper view, refer to the Codex documentation.

First, returning true through the automatic_updater_disabled filter has the same effect as defining the AUTOMATIC_UPDATER_DISABLED constant to true in wp-config.php:

add_filter( 'automatic_updater_disabled', '__return_true' );

We can control any of the update typologies through the auto_update_$type filters which enable or disable updates depending on the value of $type ('core', 'plugin', 'theme' or 'translation').

So, we can automate all core updates by returning true through the auto_update_core filter:

add_filter( 'auto_update_core', '__return_true' );

In the following example, we’re enabling automatic updates for themes, plugins and translations:

add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_translation', '__return_true' );

In the examples above we’ve just enabled auto-updates. But these filters give us greater control over updates. In the following example we’re enabling auto-updates for two specific plugins:

function cb_auto_update_plugins ( $update, $item ) {
	$plugins = array ( 'hello', 'akismet' );
	if ( in_array( $item->slug, $plugins ) ) {
		// update plugin
		return true; 
	} else {
		// use default settings
		return $update; 
	}
}
add_filter( 'auto_update_plugin', 'cb_auto_update_plugins', 10, 2 );

The callback function takes two arguments:

  1. $update: a boolean which sets whether to update or not;
  2. $item: the update offer object.

The function checks whether the item to update is in the $plugins array. If it is, the function returns true; otherwise it returns $update unchanged, so the default setting applies.

Last, we can distinguish between development, minor and major updates by returning true or false through the following filters:

add_filter( 'allow_dev_auto_core_updates', '__return_false' );
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

We know that occasionally an update can fail. In the worst case, the website can go down after an update failure. But luckily we can ask WordPress to notify us with an email after any update (or attempt).

Result, Notification and Debugging Emails

Depending on the result of the update process, WordPress sends a different email to the administrator address:

  • a result email is sent following an automatic core update;
  • a notification email is sent when WordPress could not run an auto-update;
  • a debugging email is sent in development versions of WordPress.

Anytime an auto-update succeeds or fails, WordPress sends a result or notification email with one of the following subjects:

  • Your site has updated to WordPress XXX (case success)
  • WordPress XXX is available. Please update! (update failed and a manual update is required: case fail)
  • URGENT: Your site may be down due to a failed update (update failed and WordPress could be down: case critical)

The auto_core_update_send_email filter controls result and notification emails. These emails can be disabled by returning false as follows:

add_filter( 'auto_core_update_send_email', '__return_false' );

Especially if you’re planning to extend automatic updates to major core and/or theme and plugin releases, you may prefer to leave result and notification emails enabled, or customize them depending on the result or update typology. In the following example WordPress won’t send the result email in case of success:

function cb_auto_core_update_send_email ( $send, $type, $core_update, $result ) {
	if ( !empty( $type ) && $type == 'success' ) {
		// don't send email
		return false; 
	}
	// use default settings
	return $send; 
}
add_filter( 'auto_core_update_send_email', 'cb_auto_core_update_send_email', 10, 4 );

The callback function takes the following arguments:

  • $send is a boolean that determines whether to send a result or notification email;
  • $type is a string which sets the type of email to be sent (success, fail or critical);
  • $core_update is the update offer object;
  • $result is the result for the core update (can be a WP_Error).
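
A variant of the callback above that also leaves an audit trail, as an added example that is not part of the original article: it writes one log line per core auto-update outcome and makes sure fail and critical emails are always sent. The function and file names are hypothetical, and reading the offered version from $core_update->current is an assumption about the offer object.

```php
<?php
// Added example, not from the original article.
// Hypothetical mu-plugin: wp-content/mu-plugins/core-update-audit.php

function acme_audit_core_update_email( $send, $type, $core_update, $result ) {
	// Assumption: the offer object carries the offered version in ->current.
	$version = isset( $core_update->current ) ? $core_update->current : 'unknown';

	$line = sprintf( 'core-auto-update type=%s version=%s', $type, $version );

	// On failure $result can be a WP_Error: record its code and message.
	if ( is_wp_error( $result ) ) {
		// Strip line breaks and quotes so the message stays on one log line.
		$message = preg_replace( '/[\r\n"]+/', ' ', $result->get_error_message() );
		$line   .= sprintf(
			' error_code=%s error_message="%s"',
			$result->get_error_code(),
			$message
		);
	}

	// Goes to the PHP error log, where a log shipper or alert rule can read it.
	error_log( $line );

	// Never let an earlier callback silence a failed or critical update.
	if ( 'fail' === $type || 'critical' === $type ) {
		return true;
	}

	// The success email is redundant once the log line exists; drop it.
	if ( 'success' === $type ) {
		return false;
	}

	// Any other type keeps the default decision.
	return $send;
}
// Priority 20 so this runs after callbacks registered at the default priority.
add_filter( 'auto_core_update_send_email', 'acme_audit_core_update_email', 20, 4 );
```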

By default, administrators are notified when the update offer received from WordPress.org sets a particular flag and the install is unable to update. The notification email will be sent just once per release. The send_core_update_notification_email filter allows some discretion in whether and when to send this kind of notification. Apply the filter as follows:

add_filter( 'send_core_update_notification_email', '__return_true' );

Finally, the automatic_updates_send_debug_email filter controls debugging emails, which provide useful log information concerning the performed updates. By default, these emails are sent by development installations. Returning false will prevent WordPress from sending debug emails, while returning true will enable these emails even in stable installs:

add_filter( 'automatic_updates_send_debug_email', '__return_true' );

When and Why to Disable WordPress Automatic Updates

The auto-updating process is a great feature for many users, as they can save a lot of time and work.
But even if it looks like auto-updates are really safe, we should ask ourselves if it is always a good idea to enable all of them.

Occasionally, we could experience incompatibility issues on themes and plugins that could interrupt some functionalities or even break down the website. If the website depends on a good number of plugins, it could be safer to perform manual updates, at least for plugins. The one-by-one process allows us to quickly detect issues that automation would make hard to find.

Moreover, if you’re a developer, you should be careful with the names you choose for your themes and plugins, even if you’re not planning to distribute them. When running updates, WordPress looks in the Plugin Directory for new versions of your plugins and overwrites your files if a plugin with the same name is found. So, if you plan to enable background updates for themes and plugins, be sure to give your themes and plugins unique names.
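
One way to keep in-house code out of the background update path while still auto-updating vetted directory plugins, as an added example that is not part of the original article. The slugs acme-internal-tools and acme-checkout, the function name and the file name are hypothetical, and the check on $item->package assumes the update offer carries its download URL in that property.

```php
<?php
// Added example, not from the original article.
// Hypothetical mu-plugin: wp-content/mu-plugins/auto-update-policy.php

// Hypothetical slugs of in-house plugins that must never be overwritten
// by a same-named entry in the Plugin Directory.
const ACME_PRIVATE_PLUGINS = array( 'acme-internal-tools', 'acme-checkout' );

// Directory plugins that have been vetted for unattended updates.
const ACME_AUTO_UPDATE_ALLOWLIST = array( 'akismet' );

function acme_auto_update_plugin_policy( $update, $item ) {
	$slug = isset( $item->slug ) ? (string) $item->slug : '';

	// In-house code is deployed by hand: block the background updater,
	// whatever an earlier callback or the default setting decided.
	if ( in_array( $slug, ACME_PRIVATE_PLUGINS, true ) ) {
		return false;
	}

	if ( in_array( $slug, ACME_AUTO_UPDATE_ALLOWLIST, true ) ) {
		// Assumption: the offer exposes its download URL in $item->package.
		// Only accept packages served over HTTPS from downloads.wordpress.org.
		$package = isset( $item->package ) ? (string) $item->package : '';
		$scheme  = wp_parse_url( $package, PHP_URL_SCHEME );
		$host    = wp_parse_url( $package, PHP_URL_HOST );

		return 'https' === $scheme && 'downloads.wordpress.org' === $host;
	}

	// Everything else keeps the default decision.
	return $update;
}
// Priority 20 so this runs after callbacks registered at the default priority.
add_filter( 'auto_update_plugin', 'acme_auto_update_plugin_policy', 20, 2 );
```

This filter only governs background updates; an update started by hand from the dashboard is not affected by it.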

Yeah, that’s a lot of good stuff for developers. But how can a non-developer user manage auto-updates?

Control WordPress Automatic Updates With Plugins

If you’re not a developer, you can control WordPress automatic updates using a plugin.

Easy Updates Manager allows admin users to control WordPress updates on both single site and multisite installations. The plugin lets you manage all typologies of WordPress updates, and themes and plugins can be individually selected for auto-updates. Additional features relate to notification emails, user blocking and logging plugin updates.

In case of incompatibility, it could be necessary to quickly revert to a previous version of a theme or plugin. WP Rollback allows you to restore a previous version of any installed theme or plugin from the Plugins screen. Just click on the Rollback link and the plugin will show you a list of all available versions. Unfortunately, WP Rollback won’t be of help if your website goes down, so don’t forget to back up and to read the online documentation carefully.

Finally, if you need a compatibility test on auto-updates in your WordPress installation, Background Update Tester will provide the information you need.

Automatic Updates for Premium Plugins & Themes

As a developer of premium WordPress plugins or themes, it’s your duty to integrate an automatic updates mechanism into your products to offer the same seamless update experience users have come to expect with WordPress.org products. This has become today’s market standard (for a good reason). You can host the premium products yourself and develop an updates mechanism, or leverage platforms like Freemius or Kernl, which offer a secure repository and automatic updates as a service, out-of-the-box.

Rollback for automatic updates

Any update to core, plugins, or themes presents some risk, whether manual or automatic. Thankfully, WordPress provides a safety parachute for both manual and automatic updates. While automatic rollbacks for core updates date back to WordPress 3.7, we had to wait a little longer for plugin update rollbacks.

Since WordPress 6.3, in the case of a manual update, a plugin is not reactivated if it generates a PHP fatal error. This security check was not performed on automatic plugin updates until WordPress 6.6.

Now, if you have plugin auto-updates enabled on your WordPress website, in case of failure you will not see the white screen of death because WordPress automatically rolls the plugin back to its previous version preventing the site from crashing. When you visit the plugins screen in your WordPress dashboard, you will notice that the plugin is still waiting for an update.

If a plugin fails to auto-update, WordPress will roll it back to its prior version

In addition, when WordPress detects an error when updating a plugin, it also sends the site administrator an email listing the plugins that failed to update and those that are up to date.

An email from WordPress warning of plugin auto rollback failure

You can retry the update in a staging environment, wait for a new plugin release that fixes the issue, or contact the developer for support.

Summary

WordPress automatic updates are a great feature that could save us a lot of time and work, and allow us to keep our website regularly updated. But would you enable all kinds of updates? Let us know in the comments below.

Carlo Daniele Kinsta

Carlo is a passionate lover of webdesign and front-end development. He has been playing with WordPress for more than 20 years, also in collaboration with Italian and European universities and educational institutions. He has written hundreds of articles and guides about WordPress, published both on Italian and international websites, as well as on printed magazines. You can find him on LinkedIn.