Should you enable automatic updates in WordPress?

One of the headline features in the recent release of WordPress 5.5 was the ability to enable automatic plugin and theme updates. This follows the inclusion of automatic core updates in WP 3.7.

On paper, the arguments for automatic updates are compelling. They’re the fastest and most reliable way to patch security exploits, for instance, and most users are woefully lax in remembering to update their sites on their own. (Clients frequently hire me to debug and update installations that haven’t been touched in a more than a year, so I’m more sympathetic than some to the problems that automatic updates are intended to solve.)

Unfortunately, this is yet another area where good intentions go terribly awry. At this point in time, automatic updates in WordPress remain a dangerous, unstable, and unworkable idea by every practical measure.

For proof of this we need look no further than the release of WordPress 5.5 itself, which contained breaking changes in core javascript libraries that caused issues on many sites. This was followed a few days later by an update to Woocommerce that introduced conflicts and fatal errors of its own (particularly on those sites running my favorite caching plugin WP Rocket).

So this week alone, you could have found your site broken by an automatic core update to WordPress 5.5, and then, had you turned on the new automatic plugin updates, found your site broken again in less than 48 hours by a Woocommerce update.

The most significant thing about these examples is that they weren’t caused by little known plugins or themes from unproven developers — they were introduced by the WP core dev team and the WooCommerce dev team, some of the most experienced and proven talent in the WP ecosystem.

I don’t intend at all to beat up on the core devs or the Woocommerce devs with these remarks. Bugs happen — and I’ve certainly introduced more than my share of them into my own code. The problem with automatic updates isn’t the quality of the code coming from the best devs in our community but the nature of WordPress itself. Automatic updates work great on a closed ecosystem like Apple’s app store — an ecosystem where the hardware options are limited, quantified, and controlled, and where all software is screened to at least some degree before it’s allowed on the platform.

But WordPress is an entirely different animal. The infinite variety (and varying quality) of third-party plugins, theme frameworks, and laughably underpowered shared hosting plans makes automatic updates a recipe for disaster. It’s impossible to test even a fraction of every possible plugin, theme, and hosting combination. As long as that’s true, automatic updates are a fool’s errand.

Furthermore, to try and change these fundamental issues to make automatic updates more reliable would necessarily kill the openness and flexibility that has made WordPress such a global success.

So should you enable automatic updates in WordPress? Absolutely not.

If not automatic updates, then what? A workable approach to updates

With all that said, here is my approach to updates on the sites I manage (and the recommendations I give to my clients).

• Set a workable update schedule, put it on your calendar, and stick to it. You don’t need to check your site for updates every day. Updating once per week will put you ahead of 95 percent of the WP sites out there, and updating even once every couple of weeks is still enough to avoid critical problems in my experience.
• Don’t apply updates to your site until they’ve been in the wild for a week or so. This bit of lag time will allow developers to address any unexpected bugs or conflicts without your site suffering the fate of a neglected lab rat. The only exceptions to this policy are critical security updates. If the release notes for a plugin or core update mention a security fix, it’s best to cross your fingers and apply those as soon as you see them.
• If you’re using paid or premium plugins, be sure you have activated your license codes and are receiving update notices. A common problem in my client work are premium plugins and themes that weren’t activated to receive updates. So the site owner conscientiously updates the rest of their installation on schedule but is eventually stopped cold by a fatal error because they were never notified that updates were available for a particular plugin or theme.
• Make sure you have a backup system in place. Even when you’re careful and apply updates on a reasonable schedule, something will eventually break. When this happens, the ability to quickly roll back to a working backup will prevent you from adding bourbon to your breakfast cereal.
• Whenever possible, test updates on a staging site before applying them on your live site. Whether you can easily do this depends almost entirely on your web host. Specialty hosts like WPEngine offer automatic staging sites and one click copying of your live site to a staging area, where you can safely test updates. But the junkyard Cpanel shared hosting abominations that power most WP sites offer nothing of the sort. (I will save my hosting rant for another time).

Finally, if you’re going to allow any automatic updates, I recommend enabling only security and minor updates for the core. You can enable core security updates alone by adding the following line to your wp-config.php file: