WordPress will, by default, automatically update itself when there are security releases. It can also update themes and plugins automatically if necessary. From a security perspective, this is great. However, automatic updates can also present complications.
For example, if you’ve modified your theme, you don’t want it auto updating or you will lose all of those customizations. Perhaps you don’t want to update plugins automatically so you can test for potential conflicts with other plugins. Maybe you don’t want to update WordPress core because you are intentionally running an older version, as is often the case with large companies. The list of reasons goes on and on, so let’s just get to the code already.
Here is a list of what can be automatically updated:
- WordPress core
WordPress Core Updates
By default, WordPress will automatically update core if:
- A new version is available and you are running a development version of WordPress.
- A new version is available and it is a minor release.
WordPress, by default, won’t automatically update if:
- A new version is available and it is a major release.
- Version control is detected
WordPress has a constant called
WP_AUTO_UPDATE_CORE which dictates how automatic updates to core are handled. Here are the possible values that can be set:
false — Prevents any automated updates to WordPress core.
minor — Allows updates to development versions and minor releases. This is the default.
true — Allows WordPress core to automatically update anytime there is a new version, whether it be a development, minor or major release.
To disable all automatic updates to WordPress core, you could just add this line to your
define( 'WP_AUTO_UPDATE_CORE', false );
After WordPress checks the value of the
WP_AUTO_UPDATE_CORE constant, there are three filters that let you control whether or not automated updates happen, depending on the scenario:
allow_dev_auto_core_updates — Controls whether or not WordPress updates to a development release.
allow_minor_auto_core_updates — Controls whether or not WordPress updates to a minor release.
allow_major_auto_core_updates — Controls whether or not WordPress updates to a major release.
You can use the filters above to disable a specific type of update like this:
add_filter( 'allow_minor_auto_core_updates', '__return_false' );
If you want to enable a specific type, just replace
__return_true. Just in case you were wondering, these are functions that WordPress provides so you can easily set a callback that will return true or false.
Finally, there is one last filter that is run:
auto_update_core. This controls whether or not core updates of any kind are run and defaults to the value determined after the
WP_AUTO_UPDATE_CORE constant is checked and the aforementioned filters are run.
You can use this filter to disable core updates like this:
add_filter( 'auto_update_core', '__return_false' );
By default, WordPress plugins will only auto-update if the API response from WordPress.org passes an non-empty
autoupdate property. This will only happen if the WordPress team makes the decision to update a plugin and ensures that the API response issues an auto-update command.
If you want to prevent this, there is only one filter that will allow you to do that:
add_filter( 'auto_update_plugin', '__return_false' );
Like plugins, WordPress plugins will only auto-update if the API response from WordPress.org passes an non-empty
autoupdate property because the core team decided to issue an auto-update command.
To prevent this, just use this filter:
add_filter( 'auto_update_theme', '__return_false' );
WordPress translations are managed separately and are automatically updated by default. If you want to prevent this, just use this filter:
add_filter( 'auto_update_translation', '__return_false' );
All WordPress Updates
If you aren’t trying to selectively enable / disable specific types of updates and would rather just disable automatic updates of any kind, then you can use the
AUTOMATIC_UPDATER_DISABLED constant in your
wp-config.php file to do just that:
define( 'AUTOMATIC_UPDATER_DISABLED', true );
Setting the value to
true will disable all automatic updates. The default value is
After the constant is checked, a filter by the same name is called:
automatic_updater_disabled. This filter is your last chance to override the defaults, or any value that may have been set via the constant.
You can disable all automatic updates using the filter, like this:
add_filter( 'automatic_updater_disabled', '__return_true' );
There is one other, slightly nuclear, way to disable automatic updates:
DISALLOW_FILE_MODS. When set to
true this constant will do the following:
- Disable automatic updates of any kind.
- Disable the theme editor.
- Disable the plugin editor.
- Disable the ability to install themes or plugins.
- Prevent all users from being able to update WordPress core, themes or plugins from the admin.
- Hide all update notifications for themes and plugins.
- Will prevent any and all the constants and filters mentioned earlier in this article from having any effect.
This doesn’t really make sense to use unless a site is completely managed by a professional developer or team of developers and there are systems in place where all updates are handled external to the production code base.
If you know what you are doing and want to go this route, just add this to your
define( 'DISALLOW_FILE_MODS', true );
Note: The WordPress core update nag will still display, but it will simply tell users to notify the site administrator. So, if you do choose to go this route, you will probably want to disable that nag as well.