Did you know that WordPress can automatically update your website? Yes, that includes plugins and themes too. Despite the security benefits, there is a slight chance that it can break your website. In this article, we will show you how to disable automatic background updates in WordPress.
Background auto updates were introduced in WordPress 3.7 in an effort to promote better security. By default it is limited to only minor releases; however, in special cases WordPress may update your plugins and themes.
If you are one of the millions of websites that are using the Yoast WordPress SEO plugin, your site was automatically updated about a week ago without any notification.
Automatic updates are great for WordPress security because many users never update their plugins or their WordPress installs. However, they can break your site, which we will highlight below.
First, let’s take a look at how to disable WordPress auto updates.
The easiest way to do this is by installing and activating the Disable Updates Manager plugin.
Go to Settings » Disable Updates Manager to configure your settings.
Alternatively, you can disable automatic updates in WordPress by adding this line of code in your
This will disable all automatic WordPress updates.
If you want to receive minor core updates but disable theme and plugin updates, you can do so by adding the following filters in your theme’s functions.php file or in a site-specific plugin.
Disable automatic WordPress plugin updates:
Disable automatic WordPress theme updates:
Now that you know how to disable automatic updates in WordPress, the question is: should you disable them?
We have disabled automatic plugin and theme updates while keeping the minor core updates enabled on our sites.
We are listing the pros and cons of automatic updates below to help you make the decision that’s best for you.
You don’t have to worry about updating minor WordPress releases which are pushed out for maintenance and security purposes.
This is something that you only got if you paid for managed WordPress hosting. Now it’s available for everyone (at least for minor releases).
You also have the benefit of knowing that if there was a crucial security issue with WordPress or a popular plugin, then WordPress will automatically update even if you are on a vacation, so your site is secure.
There is a slight chance that automatic updates can break your site. In our experience, the minor releases haven’t broken any of our sites yet.
But that’s because we are following the best practices and not modifying any core files. If you modify WordPress core files, these automatic updates can overwrite your changes.
If WordPress ever felt it necessary to push a security update for a theme you are using, there is a chance that it will break your website, especially if you have modified your theme files, although it hasn’t happened yet.
Similarly, automatic plugin updates can break your site as well because there are just too many variables (different server environments, plugin combinations, etc.).
Now it’s important to know that these updates will not break the majority of websites, but considering WordPress powers millions of websites, a small percentage can still be a lot of sites.
For example, the recent Yoast SEO update broke two of our sites: WPBeginner and ThemeLab.
On WPBeginner, the issue was very edge-case. Our permalinks broke for some odd reason. That meant every page except our homepage was returning a 404 error. One of our users reported it, and we fixed it fairly fast. All we had to do was go to Settings » Permalinks and click Save Settings to rebuild permalinks.
On ThemeLab, Yoast SEO was deactivated without our knowledge. Apparently, when the auto update happened, something went wrong with the process, which caused the plugin to deactivate.
Since this was such a subtle change which didn’t affect the site’s functionality, we didn’t catch it for a few days. Yoast SEO is crucial for search engine optimization because it handles your meta information, sitemaps, etc. All of that functionality was gone.
Google Webmaster Tools was showing a sitemap error because our sitemap URL now returned a 404.
Worse, our broken meta titles started being indexed, and we are not sure how long it will take to recover from that.
This issue was reported by several users in the comments of Yoast’s blog post.
The worst part about this update was that the core team did not communicate with site owners. So there is a very good chance that some people haven’t even realized that their SEO is at risk because of a security update that possibly deactivated their main SEO plugin.
Automatic updates for WordPress core are new, and automatic security updates for plugins have only been done TWICE … ever!
Normally, when WordPress core updates, there is an announcement that follows with it.
However, with the past two automatic plugin updates, we haven’t seen a blog post or an email from WordPress.
While we fully support the efforts to improve security, site owners should be notified of every change that is made to their site.
It would be nice to have the WordPress team send an email when they push out security updates to a plugin. Also there should be a way to notify the site owner if the update wasn’t successful, so they can fix the issues as soon as possible.
We hope that there is better communication and more transparency in these security updates in the future.
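As an added example (not code from the original article): a site-specific plugin that keeps minor core updates, turns off automatic plugin and theme updates, and emails the site admin after every background update run, flagging any required plugin that is no longer active. The plugin path `example-seo/example-seo.php` and the `example_` names are hypothetical placeholders, and the `automatic_updates_complete` hook requires WordPress 3.8 or later.

```php
<?php
/**
 * Plugin Name: Update Policy (added example)
 * Site-specific plugin; plugin path and mail wording are assumptions.
 */

// Keep minor (maintenance/security) core releases, but refuse automatic
// plugin and theme updates so they are applied by hand after testing.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'auto_update_plugin', '__return_false' );
add_filter( 'auto_update_theme', '__return_false' );

// Hypothetical placeholder: plugins that must still be active after an update.
const EXAMPLE_REQUIRED_PLUGINS = array( 'example-seo/example-seo.php' );

// Fires once after a background update run has finished.
add_action( 'automatic_updates_complete', 'example_report_auto_updates' );

function example_report_auto_updates( $update_results ) {
	$lines = array();
	foreach ( (array) $update_results as $type => $items ) {
		foreach ( $items as $item ) {
			// Success is true (plugins/themes) or a version string (core);
			// failure is false, null or a WP_Error.
			$ok      = ! empty( $item->result ) && ! is_wp_error( $item->result );
			$lines[] = sprintf( '[%s] %s: %s', $type, $item->name, $ok ? 'updated' : 'FAILED' );
		}
	}

	// Catch the silent-deactivation case described in the article.
	if ( ! function_exists( 'is_plugin_active' ) ) {
		require_once ABSPATH . 'wp-admin/includes/plugin.php';
	}
	foreach ( EXAMPLE_REQUIRED_PLUGINS as $plugin ) {
		if ( ! is_plugin_active( $plugin ) ) {
			$lines[] = sprintf( '[check] %s is NOT active', $plugin );
		}
	}

	if ( $lines ) {
		wp_mail(
			get_option( 'admin_email' ),
			'Automatic update report for ' . home_url(),
			implode( "\n", $lines )
		);
	}
}
```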