Managing WordPress Automatic Updates

WordPress will, by default, automatically update itself when there are security releases. It can also update themes and plugins automatically if necessary. From a security perspective, this is great. However, automatic updates can also present complications.

For example, if you’ve modified your theme, you don’t want it auto updating or you will lose all of those customizations. Perhaps you don’t want to update plugins automatically so you can test for potential conflicts with other plugins. Maybe you don’t want to update WordPress core because you are intentionally running an older version, as is often the case with large companies. The list of reasons goes on and on, so let’s just get to the code already.

Here is a list of what can be automatically updated:

  • WordPress core
  • Plugins
  • Themes
  • Translations

WordPress Core Updates

By default, WordPress will automatically update core if:

  • A new version is available and you are running a development version of WordPress.
  • A new version is available and it is a minor release.

WordPress, by default, won’t automatically update if:

  • A new version is available and it is a major release.
  • Version control is detected

WordPress has a constant called WP_AUTO_UPDATE_CORE which dictates how automatic updates to core are handled. Here are the possible values that can be set:

  • false — Prevents any automated updates to WordPress core.
  • minor — Allows updates to development versions and minor releases. This is the default.
  • true — Allows WordPress core to automatically update anytime there is a new version, whether it be a development, minor or major release.

To disable all automatic updates to WordPress core, you could just add this line to your wp-config.php file:

define( 'WP_AUTO_UPDATE_CORE', false );

After WordPress checks the value of the WP_AUTO_UPDATE_CORE constant, there are three filters that let you control whether or not automated updates happen, depending on the scenario:

  • allow_dev_auto_core_updates — Controls whether or not WordPress updates to a development release.
  • allow_minor_auto_core_updates — Controls whether or not WordPress updates to a minor release.
  • allow_major_auto_core_updates — Controls whether or not WordPress updates to a major release.

You can use the filters above to disable a specific type of update like this:

add_filter( 'allow_minor_auto_core_updates', '__return_false' );

If you want to enable a specific type, just replace __return_false with __return_true. Just in case you were wondering, these are functions that WordPress provides so you can easily set a callback that will return true or false.

Finally, there is one last filter that is run: auto_update_core. This controls whether or not core updates of any kind are run and defaults to the value determined after the WP_AUTO_UPDATE_CORE constant is checked and the aforementioned filters are run.

You can use this filter to disable core updates like this:

add_filter( 'auto_update_core', '__return_false' );

Plugin Updates

By default, WordPress plugins will only auto-update if the API response from WordPress.org passes an non-empty autoupdate property. This will only happen if the WordPress team makes the decision to update a plugin and ensures that the API response issues an auto-update command.

If you want to prevent this, there is only one filter that will allow you to do that:

add_filter( 'auto_update_plugin', '__return_false' );

Theme Updates

Like plugins, WordPress plugins will only auto-update if the API response from WordPress.org passes an non-empty autoupdate property because the core team decided to issue an auto-update command.

To prevent this, just use this filter:

add_filter( 'auto_update_theme', '__return_false' );

Translation Updates

WordPress translations are managed separately and are automatically updated by default. If you want to prevent this, just use this filter:

add_filter( 'auto_update_translation', '__return_false' );

All WordPress Updates

If you aren’t trying to selectively enable / disable specific types of updates and would rather just disable automatic updates of any kind, then you can use the AUTOMATIC_UPDATER_DISABLED constant in your wp-config.php file to do just that:

define( 'AUTOMATIC_UPDATER_DISABLED', true );

Setting the value to true will disable all automatic updates. The default value is false.

After the constant is checked, a filter by the same name is called: automatic_updater_disabled. This filter is your last chance to override the defaults, or any value that may have been set via the constant.

You can disable all automatic updates using the filter, like this:

add_filter( 'automatic_updater_disabled', '__return_true' );

There is one other, slightly nuclear, way to disable automatic updates: DISALLOW_FILE_MODS. When set to true this constant will do the following:

  • Disable automatic updates of any kind.
  • Disable the theme editor.
  • Disable the plugin editor.
  • Disable the ability to install themes or plugins.
  • Prevent all users from being able to update WordPress core, themes or plugins from the admin.
  • Hide all update notifications for themes and plugins.
  • Will prevent any and all the constants and filters mentioned earlier in this article from having any effect.

This doesn’t really make sense to use unless a site is completely managed by a professional developer or team of developers and there are systems in place where all updates are handled external to the production code base.

If you know what you are doing and want to go this route, just add this to your wp-config.php file:

define( 'DISALLOW_FILE_MODS', true );

Note: The WordPress core update nag will still display, but it will simply tell users to notify the site administrator. So, if you do choose to go this route, you will probably want to disable that nag as well.

Comments

  1. sorry to border you, but I am new to this. Where do I put the filter: add_filter( ‘allow_minor_auto_core_updates’, ‘__return_true’ );

    Is it in the wp-config.php?

    thanks for helping me out.

    1. You won’t want to place that in the wp-config.php file since the add_filter function isn’t defined yet and will cause the site to crash due to a fatal error. What you most likely would want to do in this case is to create a file in the mu-plugins directory and place the code in there. You can name the file whatever you want and you only need to make sure you have an opening PHP tag (<?php) at the beginning of the file before you drop in the code. You can read more about how to add a must-use plugin here: https://wpscholar.com/blog/wordpress-must-use-plugins/

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.