When it comes to security, we know how important is to regularly update WordPress installations (core, themes and plugins), and how long the upgrade process could take to us, especially when we have installed a good number of plugins. It’s commonly recommended to follow these steps:

  1. Back-up files and database tables
  2. Disable plugins
  3. Update
  4. Enable plugins one by one
  5. Check the website

It could be a tedious task for a single website, and could be an annoying and complex job when we’ve to update five, ten or more websites.

With the specific purpose to improve the installation security and make the site administration easier, WordPress 3.7 introduced automatic updates. By default, this cool feature is enabled for minor releases (i.e. maintenance and security releases) and translation files, but it’s possible to customize any kind of updates. So, in this post, we’ll look at how to automate the upgrade process anytime a new version of WordPress core, theme or plugin is released. Let’s dive deep into WordPress automatic updates!

WordPress automatic updates

WordPress automatic updates

Automatic Updates Index

WordPress Automatic Updates

There are four typologies of updates and WordPress automatic updates:

  1. Core updates
  2. Plugin updates
  3. Theme updates
  4. Translation files updates

Core updates are divided into three sub-typologies:

  1. Core development (only available for development installations)
  2. Minor core updates (maintenance and security) – enabled by default in stable installations
  3. Major core updates

WordPress allows you to automate the update process for any of these typologies providing two wp-config.php constants and a good number of API filters.

Controlling Background Updates Through wp-config.php

WordPress provides a couple of wp-config.php constants that allow us to control auto-updates. Setting AUTOMATIC_UPDATER_DISABLED to true will disable any kind of automatic upgrade:


WP_AUTO_UPDATE_CORE allow us to control core updates (minor, major and development releases). This constant can be defined as follows:

# Disables all core updates:
define( 'WP_AUTO_UPDATE_CORE', false );

# Enables all core updates, including minor and major:
define( 'WP_AUTO_UPDATE_CORE', true );

# Enables minor updates:
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

In development installations WP_AUTO_UPDATE_CORE defaults to true. In stable installations it defaults to minor.

For the sake of completeness, I should mention an additional constant that can be defined to disable auto-updates. However, setting its value to true will disable any file edits, even themes and plugin installations and manual updates.

define( 'DISALLOW_FILE_MODS', true );

Instead, you may prefer to define the DISALLOW_FILE_EDITS constant, which would disable the file editor, but keeping safe the installation and update functionalities.

Related tutorial: wp-config.php File – An In-Depth View on How to Configure WordPress

Controlling Background Updates Through API Filters

Configuration constants provide a general way to enable or disable auto-updates. But WordPress provides a number of filters which grant a deeper control over any kind of updates.

Note: Filters should be used within plugins, and “must use plugins” are a good option for background updates. mu-plugins reside in a specific folder inside /wp-content and are automatically enabled by WordPress. These plugins do not appear in WordPress Plugins Screen, so they could not be accidentally disabled or removed by the site admins. For a deeper view, refer to the Codex documentation

First, returning true through the automatic_updater_disabled filter has the same effect as defining the AUTOMATIC_UPDATER_DISABLED constant to true in wp-config.php:

add_filter( 'automatic_updater_disabled', '__return_true' );

We can control any of the update typologies through the auto_update_$type filters which enable or disable updates depending on the value of $type ('core', 'plugin', 'theme' or 'translation').

So, we can automate all core updates by returning true through the auto_update_core filter:

add_filter( 'auto_update_core', '__return_true' );

In the following example, we’re enabling automatic updates for themes, plugins and translations:

add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_translation', '__return_true' );

In the examples above we’ve just enabled auto-updates. But these filters give us a greater control over updates. In the following example we’re automating auto-updates for two specific plugins:

function cb_auto_update_plugins ( $update, $item ) {
	$plugins = array ( 'hello', 'akismet' );
	if ( in_array( $item->slug, $plugins ) ) {
		// update plugin
		return true; 
	} else {
		// use default settings
		return $update; 
add_filter( 'auto_update_plugin', 'cb_auto_update_plugins', 10, 2 );

The callback function keeps two arguments:

  1. $update: a boolean which sets wether to update or not;
  2. $item: the update offer object.

The function checks wether the item to update is in $plugins array, then returns true or false accordingly.

Last, we can make difference between development, minor and major updates, by returning true or false through the following filters:

add_filter( 'allow_dev_auto_core_updates', '__return_false' );
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

We know that occasionally an update can fail. In the worst case, the website can go down after an update failure. But luckily we can ask WordPress to notify us with an email after any update (or attempt).

Result, Notification and Debugging Emails

Depending on the result of the update process, WordPress sends a different email to the administrator address:

Anytime an auto-update succeeds or fails, WordPress sends a result or notification email with one of the following subjects:

The auto_core_update_send_email filter controls result and notification emails. These emails can be disabled by returning false as follows:

apply_filters( 'auto_core_update_send_email', '__return_false' );

Especially if you’re planning to extend automatic updates to major core and/or theme and plugin releases, you may prefer to leave result and notification emails enabled, or customize them depending on the result or update typology. In the following example WordPress won’t send the result email in case of success:

Struggling with downtime and WordPress problems? Kinsta is the hosting solution designed to save you time! Check out our features
function cb_auto_core_update_send_email ( $send, $type, $core_update, $result ) {
	if ( !empty( $type ) && $type == 'success' ) {
		// don't send email
		return false; 
		// use default settings
		return $send; 
add_filter( 'auto_core_update_send_email', 'cb_auto_core_update_send_email', 10, 4 );

The callback function keeps the following arguments:

By default, administrators are notified when the update offer received from WordPress.org sets a particular flag and the install is unable to update. The notification email will be sent just once per release. The send_core_update_notification_email filter allows some discretion in wether and when to send this kind of notifications. Apply the filter as follows:

apply_filters( 'send_core_update_notification_email', '__return_true' );

Finally, the automatic_updates_send_debug_email filter controls debugging emails, which provide useful log information concerning the performed updates. By default, these emails are sent by development installations. Returning false will prevent WordPress from sending debug emails, while returning true will enable these emails even in stable installs:

apply_filters( 'automatic_updates_send_debug_email', '__return_true' );

When and Why to Disable WordPress Automatic Updates

The auto-updating process is a great feature for many users, as they can save a lot of time and work.
But even if it looks like auto-updates are really safe, we should ask ourselves if it is always a good idea to enable all of them.

Occasionally, we could experience incompatibility issues on themes and plugins that could interrupt some functionalities or even break down the website. If the website depends on a good number of plugins, it could be safer to perform manual updates, at least for plugins. The one-by-one process allows us to quickly detect issues that automation would make hard to find.

Moreover, if you’re a developer, you should be careful on the names you choose for your themes and plugins even if you’re not planning to distribute them. When running updates, WordPress looks in the Plugin Directory for new versions of your plugins and overwrites your files if a plugin with the same name is found. So, if you think to enable background updates for themes and plugins, be sure to set unique names to your scripts.

Yeah, that’s a lot of good stuff for developers. But how can a non-developer user manage auto-updates?

Control WordPress Automatic Updates With Plugins

If you’re not a developer, you can control WordPress automatic updates using a plugin.

Easy Updates Manager allows admin users to control WordPress updates on both single site and multisite installations. The plugin allows to manage all typologies of WordPress updates, and Themes and plugins can be individually selected for auto-updates. Additional features relate to notification emails, user blocking and logging plugin updates.

Easy Updates Manager - manage WordPress automatic updates

Easy Updates Manager

In case of incompatibility, it could be necessary to quickly revert to a previous version of a theme or plugin. WP Rollback allows you to restore a previous version of any installed themes and plugins from Plugins Screen. Just click on the Rollback link and the plugin will show you a list of all available versions.
Unfortunately, WP Rollback won’t be of help if your website goes down, so don’t forget to back-up and to read carefully the online documentation.

WP Rollback

WP Rollback

Finally, if you need a compatibility test on auto-updates in your WordPress installation, Background Update Tester will provide the information you need.

Automatic Updates for Premium Plugins & Themes

As a developer of premium WordPress plugins or themes, it’s your duty to integrate an automatic updates mechanism into your products to offer the same seamless update experience users have come to expect with WordPress.org products. This has become today’s market standard (for a good reason). You can host the premium products yourself and develop an updates mechanism, or leverage platforms like Freemius, Kernl, or WP Updates, which offer a secure repository and automatic updates as a service, out-of-the-box.


WordPress automatic updates are a great feature that could save us a lot of time and work, and allow us to keep our website regularly updated. But would you enable all kinds of updates? Let us know in the comments below.

Save time, costs and maximize site performance with:

  • Instant help from WordPress hosting experts, 24/7.
  • Cloudflare Enterprise integration.
  • Global audience reach with 28 data centers worldwide.
  • Optimization with our built-in Application Performance Monitoring.

All of that and much more, in one plan with no long-term contracts, assisted migrations, and a 30-day-money-back-guarantee. Check out our plans or talk to sales to find the plan that’s right for you.