Safely Disable WordPress Automatic Updates: Step-by-Step

November 15, 2024 by Paul G. | Security

WordPress automatic updates play a major role in maintaining your site’s security and functionality. This system works behind the scenes to keep your site protected, yet some users consider disabling these updates, often due to concerns about compatibility issues or a desire for greater control.

However, turning off automatic updates, especially for minor releases, can significantly increase security risks. Unless you have a compelling reason, it’s generally advisable to leave at least the minor updates enabled.

This article examines the importance of minor updates for security patches, the risks of running outdated WordPress versions, and the distinction between minor and major updates. While the desire to control updates manually is understandable, it’s vital to balance site stability and security.

You’ll learn about the pros and cons of disabling automatic updates, and discover best practices that keep your site secure without sacrificing control. The following sections will guide you through this critical aspect of WordPress management and help you optimise your update approach.

Understanding WordPress automatic updates

WordPress updates refine and fortify the core software, plugins, and themes that run your website. Each update addresses specific aspects of your site’s functionality, security, and performance.

Here are the different types of WordPress updates:

Core updates come in two varieties: minor and major. Minor releases (e.g., 5.9.1 to 5.9.2) patch security vulnerabilities and squash bugs. Major releases (e.g., 5.9 to 6.0) overhaul existing features and introduce new capabilities.
Plugin updates target functionality improvements and resolve issues within individual plugins. These range from minor tweaks to significant feature additions.
Theme updates focus on enhancing visual elements, improving responsiveness, and fixing theme-specific glitches. They ensure your site’s design remains current and functional.
Translation file updates keep multilingual sites accurate and up-to-date, reflecting the latest changes in core, plugin, and theme text.

While automatic updates streamline maintenance, they might not suit every site. Custom code, specific plugin setups, or high-traffic periods may necessitate manual update management.

Step-by-step guide: Safely disabling automatic updates in WordPress

Again, turning off automatic updates for minor releases is almost always a bad idea. You can put off major updates for a bit, but minor updates should be applied as soon as they’re available.

If you’ve assessed the risk and decided it’s worth taking, you can use one of two methods to disable WordPress updates:

Method 1: Using code

This first method has two variants: editing the functions.php file to turn off plugin and theme updates but keep minor updates, and editing the wp-config.php file to turn off all WordPress updates.

The functions.php file allows you to add custom functionality to your site. By inserting code into this file, you can selectively disable automatic updates for specific components of WordPress. This approach provides more granular control over updates compared to modifying wp-config.php.

Here’s how to disable plugin and/or theme updates by editing your functions.php:

Go through your hosting control panel or SFTP to access your WordPress installation folder.
Go to your theme’s folder and look for the functions.php file.
Save a backup copy offline before editing the original.
Open the original with a text editor and add
- add_filter( 'auto_update_plugin', '__return_false' ); to disable plugin updates;
- and/or add_filter( 'auto_update_theme', '__return_false' ); to disable theme updates.
Save the file.

The wp-config.php file contains your WordPress site’s base settings. Adding a specific line of code to this file can disable automatic updates at the core level of your WordPress installation.

This method offers direct control over update settings but affects the fundamental behaviour of your site.

Here are the steps you need to follow to disable all updates, including to plugins and themes:

Access your WordPress site’s installation folder via SFTP or your hosting control panel.
In the root folder, locate a file named wp-config.php.
Save a copy of the file offline as a backup before making any changes to the original.
Open the original with a text editor.
Add the line define ( 'WP_AUTO_UPDATE_CORE', false ); and save the changes.

Any mistakes you make while editing system files could cause critical errors on your site. Luckily, resolving them is usually as easy as replacing the edited file with the backup you created.

Shield Security PRO Call-To-Action: Purchase

Method 2: Using plugins

If you’re uncomfortable editing core files or working with code, there are plugins you can use to manage your WordPress update settings.

One such option is Easy Updates Manager, which gives you control over core, plugin, theme, and translation updates. Here’s how to use it:

1. Install and activate the plugin.2. From the admin area, go to Dashboard > Updates options to access the plugin.

Accessing the Easy Updates Manager plugin settings.

3. Configure your updates from the General tab as you wish. Your settings should be saved automatically as soon as you toggle the option.

The Easy Updates Manager plugin dashboard.

Pros and cons of disabling automatic updates in WordPress

Pros of disabling automatic updates:

Precise control over update timing and selection.
Preservation of complex custom code and functionality.
Avoidance of potential conflicts with mission-critical plugins or themes.

Cons of disabling automatic updates:

Increased vulnerability window if critical security patches are delayed.
Additional time investment for manual update management and testing.
Potential performance lag due to missed optimisation improvements.
Risk of accumulated technical debt from prolonged update avoidance.
Potential loss of support from plugin and theme developers who require the latest WordPress version.
Possible negative impact on SEO due to outdated security and performance features.

Your site’s complexity should influence the decision to disable automatic updates, the update frequency of installed plugins, and your site’s role in business operations. For most WordPress sites, including eCommerce platforms, membership sites, and content-heavy blogs, the security and performance benefits of automatic updates far outweigh the risks.

Unless you have a compelling reason and the resources to manage updates manually, it’s advisable to keep automatic updates enabled, at least for minor releases. This approach helps maintain your site’s security, performance, and long-term stability.

You don’t want to leave your site vulnerable to security threats or miss out on crucial performance improvements just for the sake of control.

Maintaining site security without automatic updates

Maintaining WordPress security without automatic updates requires diligence and a proactive approach. Here are essential steps to keep your site secure while managing updates manually:

Consistently update WordPress core, plugins, and themes to patch known vulnerabilities. Set a schedule for checking and applying updates to ensure you’re not leaving your site exposed.
Implement a reliable backup solution that stores copies of your site off-site. Automate the process to ensure you always have a recent backup available.
Develop and enforce strong password policies with complex, unique passwords for all accounts. Implement two-factor authentication for an extra layer of security, especially for administrator accounts.
Restrict the number of failed login attempts to prevent brute force attacks. Many security plugins offer this feature, or you can use a dedicated plugin.
Ensure all software on your server, not just WordPress, is up-to-date. This includes PHP, MySQL, and any other server-side applications.
Implement SSL/TLS certificates to encrypt data transmission between your server and visitors. This protects sensitive information and is a ranking factor for search engines.

For those comfortable with more advanced techniques, here are a few more things you could do:

Set up a staging site to test updates before applying them to your live site. This helps identify potential conflicts without affecting your main site’s functionality.
Regularly review your site’s defences and perform security audits to identify potential vulnerabilities.

Introducing Shield Security PRO: Your WordPress security ally

If you were thinking about disabling WordPress updates to avoid potential security issues, hopefully you’ve realised this can actually weaken your site’s defences.

The smarter move would be to leave your security needs in the hands of Shield Security PRO. Shield Security PRO is antifragile – it learns from every attack, making it stronger and stronger. Here’s how it helps keep your site secure:

MAL{ai} offers continuous threat detection through malware scans and monitoring of suspicious activities.
Advanced login security features, including two-factor authentication and brute force attack protection.
Firewall capabilities to block malicious traffic before it reaches your site.
Proprietary silentCAPTCHA technology to block bots without annoying users.
Update Delay to hold off on installing new updates so you’re safer from buggy releases.
Automatic patching of known vulnerabilities in plugins.
An intuitive dashboard accessible to users of all expertise levels.
Customisable settings to match your specific needs and risk tolerance.

Starting with Shield v20, the plugin no longer controls WordPress automatic updates, except for the Shield plugin and plugins with known vulnerabilities. This way, critical security patches are applied immediately, keeping your site secure without causing issues.

Take control of your WordPress security updates with Shield Security PRO

While it might seem like disabling WordPress updates could prevent issues, this approach actually leaves your site more vulnerable. A better strategy is to trust Shield Security PRO with your site’s protection.

With continuous threat detection, advanced login protections like two-factor authentication, and a robust firewall to block malicious traffic, Shield Security PRO covers your security needs.

It also automatically patches known vulnerabilities in plugins, keeping your site safe without the hassle. The intuitive dashboard makes it easy for users of all experience levels, while customisable settings allow you to tailor the security to your specific needs.

For stronger, smarter security without losing control, get started with Shield Security PRO.

Hello dear reader!

If you want to level-up your WordPress security with ShieldPRO, click to get started today. (risk-free, with our no-quibble 14-day satisfaction promise!)

You'll get all PRO features, including AI Malware Scanning, WP Config File Protection, Plugin and Theme File Guard, import/export, exclusive customer support, and much, much more.

We'd be honoured to have you as a member, and look forward to serving you during your journey towards powerful, WordPress security.

Try ShieldPRO Today →

ShieldPRO Testimonials

@jrebert

Top security plugin

Working all well – great security tool for WordPress.

@ghanaking

Love this plugin.. why did i not find it earlier?

just switch to this plugin and i just love the TONS of USEFUL features!! My oh my i recommend this to all whose privacy had been invaded lately by a certain Fence security plugin. This is way much better security plugin than the Fence. Thanks!!

@sugglars

Best Solution

Using on single & multisite installs, LEMP stack, great software, keep it up guys 🙂

@lizbethjames

My Choice for Website Safety

I believe Shield Security is the best plugin by far when it comes to securing your website. When you use all of its capabilities, you’ll be amazed. I highly recommend it for any type of website!

ESSENTIAL WORDPRESS SECURITY NEWS

Get ShieldNOTES, our excellent weekly WordPress security newsletter!