Never Miss a Patch: How to Enable WordPress Automatic Updates

Keeping a WordPress site secure and stable requires timely updates to the core, themes, and plugins. Many vulnerabilities are exploited quickly after a patch is released, so manual updates alone can leave sites exposed — especially when administrators manage multiple installations. This article explains the technical mechanisms behind WordPress automatic updates, practical approaches to enable and control them, pros and cons compared to other workflows, and tips for choosing the right hosting environment to support reliable automatic updates.

How automatic updates work in WordPress

WordPress includes a built-in update system that covers the core, plugins and themes. Understanding its components helps you control behavior and handle edge cases.

Core components

• WP-Cron vs system cron: WordPress schedules update checks and background tasks using WP-Cron. WP-Cron runs on page loads and can miss schedule windows on low-traffic sites. Using a system cronjob to hit wp-cron.php or to run wp-cli scheduled tasks improves reliability.
• Update API: WordPress reaches out to api.wordpress.org to check for new versions and download packages. The API returns update metadata and download URLs.
• Filesystem and permissions: Automatic updates require PHP to write to the WordPress filesystem. If files are owned by a different user (e.g., git deployments, root or another system user), updates will fail unless FS_METHOD is configured or SSH credentials are available.
• Filters and constants: WordPress exposes constants (in wp-config.php) and filters (in themes/plugins/mu-plugins) to control auto-update behavior:

• WP_AUTO_UPDATE_CORE — controls core updates. Accepts boolean or string values (‘minor’, ‘major’, true/false).
• AUTOMATIC_UPDATER_DISABLED — disables all automatic updates when true.
• add_filter('auto_update_plugin', '__return_true') — enables plugin auto-updates.
• add_filter('auto_update_theme', '__return_true') — enables theme auto-updates.

Update phases

• Check phase: WordPress checks api.wordpress.org for new versions.
• Download phase: it downloads the update zip to a temporary directory.
• Unpack and install: files are extracted and replaced; database upgrade routines run if needed.
• Notifications and hooks: update hooks fire, and emails can be sent to administrators about success or failure.

How to enable and configure automatic updates (practical steps)

Below are concrete, technical steps for enabling and customizing automatic updates on production sites. Apply these in a staged environment first.

1. Configure core automatic updates

• Edit wp-config.php to control core updates. Example lines:

define('WP_AUTO_UPDATE_CORE', true);
This enables both major and minor core updates automatically. If you only want minor (security) updates, use:

define('WP_AUTO_UPDATE_CORE', 'minor');

2. Enable plugin and theme auto-updates

• As of WordPress 5.5+ you can enable auto-updates from the admin plugin/theme screens. For programmatic control, add filters in an MU-plugin (recommended) or your theme’s functions.php:

add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');

Creating an MU-plugin in wp-content/mu-plugins/auto-updates.php ensures the code runs even if themes change.

3. Ensure filesystem write access securely

• Determine the webserver user (e.g., www-data, apache, nginx). Files must be writable by PHP or you must configure SSH credentials.
• For increased security with Git-based deployments, set define('FS_METHOD', 'ssh'); and provide SSH credentials via a non-interactive key. Alternatively, use a deployment pipeline that pulls updates to a staging branch and deploys after tests.
• On SELinux-enabled systems, ensure contexts allow httpd to write files (use chcon or set appropriate policy).

4. Use system cron for reliability

• Disable default WP-Cron behavior by adding to wp-config.php: define('DISABLE_WP_CRON', true);
• Create a system cron job to call WP-Cron every 5–15 minutes:
  /5 wget -q -O - https://example.com/wp-cron.php?doing_wp_cron >/dev/null 2>&1
• Or run scheduled WP commands via WP-CLI:
  /5 cd /var/www/example && /usr/bin/wp cron event run --due-now --quiet

5. Notifications and monitoring

• Hook into core update email filters to customize notifications and include logs: add_filter('auto_core_update_send_email', 'my_update_email', 10, 4).
• Use monitoring tools or uptime services to catch update-related downtime quickly.
• Log update events to syslog or a centralized logging service for audit and troubleshooting.

6. Testing and rollback strategy

• Always test updates in a staging environment with production-like data. Automate tests for critical functionality (checkout flows, authentication, API endpoints).
• Maintain daily backups (files + database) and verify backup integrity. Use snapshot capabilities of VPS providers for fast rollback.
• Implement a quick rollback plan: restore backup or revert code via Git, then clear caches and run database rollbacks if necessary.

Application scenarios and recommended setups

Different types of sites need tailored auto-update strategies.

Low-traffic brochure sites

• Enable automatic core (minor + major) and plugin/theme updates. Risk is lower because traffic is limited and compatibility issues are often minimal.
• Use simple notifications and daily backups.

High-traffic e-commerce or enterprise sites

• A staged pipeline is recommended. Do not enable unrestricted auto-updates on production. Instead:
• Enable auto-updates on staging. Run automated tests and a short manual QA window before promoting to production.
• Use automatic security (minor) core updates on production but gate major upgrades.
• Consider managed update solutions or orchestration tools (CI/CD) to deploy tested updates.

Multi-site networks and agency-managed installs

• Carefully plan plugin/theme updates. A single incompatible update can break the network. Use rollout strategies: update a subset, monitor, then continue.
• Centralize update controls in a management dashboard or via WP-CLI scripts.

Pros and cons: Automatic updates vs manual/managed approaches

Advantages of automatic updates

• Speed: security patches are applied immediately, reducing exposure windows.
• Scalability: easy to maintain hundreds of small sites without manual intervention.
• Reduced operational overhead: fewer hands-on update tasks for admins.

Disadvantages and risks

• Compatibility risk: an automatic plugin/theme update might introduce regressions affecting critical flows (checkout, custom integrations).
• Limited testing: automatic updates often lack pre-deployment testing unless you have staging automation.
• File ownership and security complexities: enabling auto-updates can require loosening file permissions or giving PHP SSH access, which must be done securely.

Comparison with managed hosting and CI/CD

• Managed hosting: providers often run and test updates for you, sometimes with staging previews. This reduces risk but may cost more.
• CI/CD approach: updates are applied to a build pipeline, tested automatically, and then deployed. This is the safest for mission-critical sites but requires engineering resources.

Choosing hosting and configuration recommendations

Reliable automatic updates depend on server configuration. When selecting a VPS or host, consider:

• Filesystem ownership and deployment model: choose a workflow that avoids manual chowning. If you use Git deployments, ensure update tools can still run or rely on CI to apply updates.
• System cron access: ability to run server cron jobs to replace WP-Cron for reliability.
• Snapshot and backup capabilities: fast snapshots let you quickly roll back a failed automatic update.
• SSH and secure key management: facilitates secure FS_METHOD=ssh updates when necessary.
• Performance and monitoring: VPS with good I/O and monitoring reduces risk of timeouts during updates.

For example, a U.S.-based VPS with snapshot backups, SSH key management, and control over cron jobs is an excellent foundation for safely enabling automatic updates while maintaining rollback options and performance. You can learn more about VPS options at VPS.DO and their U.S. locations at USA VPS.

Summary and best practices

Automatic updates are a powerful tool to keep WordPress sites secure and reduce maintenance overhead. To implement them safely and effectively:

• Use WP_AUTO_UPDATE_CORE and filters for plugins/themes to control what updates automatically apply.
• Prefer MU-plugins for programmatic controls to ensure persistence across theme changes.
• Replace WP-Cron with system cron for predictable scheduling.
• Secure filesystem access using proper ownership, SSH keys, or deployment pipelines.
• Test updates in staging and maintain automated backups and a clear rollback plan.
• Monitor update logs and notifications to respond quickly to any failures.

Combining automatic updates for critical security fixes with a staged, tested promotion path for major changes delivers the best balance of security and stability. If you are deploying at scale or require granular control, consider a VPS that supports snapshots, secure SSH key access, and cron configuration — such as the U.S. VPS plans available at VPS.DO USA VPS. These resources make it easier to implement a robust update strategy with fast recovery options when needed.