Disable WordPress Plugin Auto Updates

Automatic updates in WordPress was supposed to make life easy, but after…

… you’ve had enough.

Instead of making life easier, they have the exact opposite effect.

You want is granular control over what happens to your site.

What, when, how, and why happens when you say so, or not at all.

Of course, the best course of action is to test the update on a staging site first, and only then make the changes to your live site. We’ll talk more about that, but first, let’s disable WordPress auto update.

TL;DR: Before you do anything to your site, take a full site backup. Then, scroll down for all the (tried-and-tested) ways to disable automatic WordPress updates. Anything goes wrong, you have the backup as an insurance policy.

What are WordPress auto updates? 

Before you turn off automatic WordPress updates, let’s understand them a bit more. What is it that you are actually disabling? 

WordPress auto updates was introduced as a feature in WordPress 3.7. The idea was to have important security fixes and performance improvements applied to sites directly, without causing any disruption to the sites and their operation. 

Theoretically, this excellent goal was possible with small updates.

But, when major release auto updates came with version 5.5, plus plugin and theme versions, things got a bit tricky.

With plugin and theme updates, you could at least to choose to enable them or not. Even so, the many background changes could still cause site admin worry.

Types of updates

There are different kinds of updates. The reason it is important to know these differences is to customise which ones to disable or leave enabled for your site.

For example, the wp-config file or filters require constants that specify which type of update to disable. Therefore, to make sure you disable only the auto updates that you really don’t want, it is good to have a quick read-through of this list. 

Understanding WordPress releases

Updates to the WordPress core are the biggest updates.

Here, there are 3 kinds called WordPress releases.

Minor WordPress updates turn on by default. We strongly recommend keeping them turned on because they usually include important security fixes.

What changes during an update?

The final piece of the puzzle that you need to know before you stop automatic WordPress updates is what changes during an update. This way, you can choose to disable automatic updates selectively.

WordPress core updates

In all major, minor, and dev releases, changes are made to the WordPress core files. This means the wp-admin and wp-includes folders, some parts of the wp-content folder, and many of the standalone files like .htaccess. wp-config is an exception, because WordPress installations never have a wp-config file. It is generated dynamically during the first installation. 

Thus, it is always best to have regular and automatic daily backups if you have auto updates for releases enabled. In fact, that is why major updates are usually opted into, as they change quite a lot. 

Plugin and theme updates

Plugin and theme updates will change plugin and theme code respectively. Auto updates are available for all extensions hosted on the repository. Third party plugins and themes—usually considered premium—can receive updates automatically, if the developer has chosen to enable that feature. 

How to disable WordPress auto updates

The methods to disable automatic WordPress updates below are essentially for major and minor releases. Plugin and theme auto updates are individually opt-in, so unless they have been enabled before, most of these methods are not necessary for them. Also, if some are enabled and others are not, constants and filters will blanket disable the lot. 

Before attempting any of these methods, please remember to take a full backup of your site. Any changes to your site can break it, as you already know, and disabling auto updates is a pretty major change to your site’s backend.

Method 1: Disable WordPress auto updates via WP-admin dashboard

The Updates section on wp-admin should be your first port of call for disabling auto updates. By default, minor releases known as security and maintenance releases are enabled. There is no way to disable them from this menu, however you can disable major releases here.

If major release auto updates are enabled, you will see a link to Switch to automatic updates for maintenance and security releases only. 

Clicking on the link will disable major release auto updates, and keep minor ones enabled.

Method 2: Disable automatic WordPress updates using wp-config file

If you want to disable minor releases as well as major ones, this is the next best way to do so. 

There are a few things to remember here. Minor WordPress updates are enabled by default, even using the Updates menu on wp-admin. You can control all auto updates by setting constants in the wp-config file. 

Note: The wp-config file is a lynchpin core file that links the database to your site. Even the smallest typo in this file will cause the site to crash, so please be very careful when making changes. Always take a backup so that you can restore quickly if something does go wrong.  

1. Log into cPanel, and navigate to File Manager. Alternatively, you can use an FTP client like FileZilla or Cyberduck to view your site files. 

2. Find the wp-config file. If you have a normal or stock installation of WordPress, it will be in the root directory, where WordPress is installed. Sometimes people move the wp-config file to another directory for security reasons. Wherever it is, get hold of a copy. 

3. Add the following line of code to disable core auto updates just before the /* That's all, stop editing! Happy publishing. */ line in the file:

define( 'WP_AUTO_UPDATE_CORE', false );

If you only want to disable major updates, but allow minor ones, change ‘false’ to ‘minor’. To disable all WordPress auto updates, add this line to the file: 

define( 'AUTOMATIC_UPDATER_DISABLED', true );

Under no circumstances should you add this code after the ‘happy publishing’ line. We also advise against adding it far above it, because there is other vital code in the file. Best not to tinker with any of it or the order without very good cause. 

4. Save and exit the file

Method 3: Turn off WordPress automatic updates using filters

Filters are programming constructs that alter normal WordPress operations in a specific way and for a specific purpose. They are mostly used by theme and plugin developers, so as to give these extensions more powerful functionality within WordPress. 

As you can imagine, to use filters you need to actually write code. In this method, we will show you how to write a basic plugin that is always executed by WordPress, and cannot be modified from the admin dashboard. This is a special type of plugin known as a must-use plugin. 

A word of caution here: although filters give you the maximum flexibility over enabling and disabling updates, they do require a decent understanding of coding and programming practices. We do not recommend this course of action for beginners or those not familiar with common programming jargon. The possibilities of things going wrong are limitless, and you do need that knowledge to be able to troubleshoot effectively.

1. Create a text file on your computer, and add the following code: 

<?php
/* Plugin Name: Managing auto updates plugin
Description: Using filters to manage auto updates
*/
?>

This code tells WordPress that this file is a plugin and should be treated as such. Replace the plugin name and description with text of your choosing. 

2. Next, just before the last line, add the following code: 

add_filter( 'automatic_updater_disabled', '__return_true' );
add_filter( 'allow_dev_auto_core_updates', '__return_false' ); 
add_filter( 'allow_minor_auto_core_updates', '__return_false' ); 
add_filter( 'allow_major_auto_core_updates', '__return_false' ); 
add_filter( 'auto_update_plugin', '__return_false' );
add_filter( 'auto_update_theme', '__return_false' );
add_filter( 'auto_update_translation', '__return_false' );

Lines 2 to 6 each disable a particular type of auto update, which we covered earlier in the article. The first line disables all at once. We advise caution here, so pick and choose the auto updates you want to disable carefully. 

In case you want to leave some auto updates enabled—or at least have the option available on the dashboard—you need to change the ‘false’ to ‘true’ in the respective lines above. 

3. Save the text file with the extension .php. 

4. Log into your site files through cPanel’s File Manager or via FTP. Locate the wp-content folder and look for the mu-plugins folder. If it doesn’t exist, don’t worry. Create a new folder with the name ‘mu-plugins’ and upload the php file to that folder. 

5. Log into wp-admin, and check the Plugins page. A new tab called ‘Must-use’ should have appeared, showing the plugin you’ve just created. 

That’s it. WordPress will load and execute the plugin every 12 hours, or on page load. 

Some pointers to keep in mind

We have seen a lot of advice to add filters to the wp-config file. For many reasons, this is a bad idea. Create a must-use plugin, as we’ve shown above, and you should be able to steer clear of any issues that may arise from mucking about with the wp-config file. 

In fact, don’t add this or any other code to any core file. As we said before, WordPress updates overwrite core files and directories. Presumably you want to turn off auto updates to have more control over your site, not to never update your site ever—which is a terrible idea. So eventually, your site will have its core files overwritten too.

Method 4: Stop WordPress auto updates using BlogVault (for themes and plugins)

If ever you opted in to auto update plugins and themes, you can blanket disable the lot from your BlogVault dashboard.

1. Log into your BlogVault dashboard, and navigate to the site in question. 

2. Look for the gear icon on the dashboard on the Site Overview page. 

3. Find the Auto Update option from the side menu. Here, you can enable or disable auto updates for plugins and themes in one fell swoop.

Method 5: Disable auto updates in web host

Depending on the web host you are using, some will update WordPress automatically for your site. Although this is not strictly WordPress auto updates in the strongest sense, it is spiritually the same principle as updates will be applied to your site without your express permission. 

One of our test sites on Dreamhost, for example, has a one-click WordPress installation. According to their documentation, Dreamhost applies updates between 1 and 3 weeks after an update is released. You need to opt out of these updates, if you want to control the update process on your site. 

On the other hand, there are some web hosts who disable automatic updates, even if you want them. Reach out to the web host’s customer support to figure out their policies.

Best practices for handling updates for WordPress

Let’s be clear: updates are not negotiable.

We get wanting to control them—and actively encourage you to do so. However just not updating your site is a recipe for disaster.

Therefore the better question is: how do you handle updates correctly? 

Pros of disabling auto updates

We already know that updates can break your site. You always want to have full control on any changes to your site. However there are other advantages to disabling automatic updates as well. 

Cons of disabling auto updates

There isn’t a lot in this section that hasn’t already been covered in the rest of the article. However, there are downsides to disabling auto updates as well.

How does an auto update work?

WordPress introduced an updates API that connects to sites at regular intervals to check versions. This process is managed by wp-cron, a feature that handles automated and scheduled tasks in WordPress. 

The update process checks the versions on the site; whether WordPress, plugins, themes, or even php. If the installed version doesn’t match the latest one, it checks to see if the update is compatible with the php version. This step determines whether the whole update is installed or just a patch that fixes a critical vulnerability or bug.

Usually, this happens with plugin and theme updates, because the core is mostly backwards-compatible with php. 

Cron jobs run twice a day, approximately every 12 hours. This is not to say that there is a fixed schedule. WordPress checks to see if an update check is scheduled in the next 12 hours on every page load. If not, it runs right away, and the next one is scheduled for 12 hours after.

Final thoughts

We completely understand the impetus of wanting to disable auto update in WordPress. But we want to emphasize one last time that updates are super important. If you are disabling auto updates for any other reason than wanting to update your site on your terms, it is a bad idea to do so. 

Take backups with BlogVault, and set up auto update schedules to maintain your site. If an auto update does break your site, you have an instant backup to restore your site, and can troubleshoot using a staging site. It is all so conveniently wrapped up in one package. 

FAQs

How do I turn off automatic updates in WordPress?

There 3 ways to turn off automatic updates in WordPress: 

• Updates menu on wp-admin for major WordPress releases; and Plugins and Themes tabs respectively for those updates
• Updating the wp-config file with constants
• Creating a custom plugin with filters

How do I enable WordPress theme updates automatically?

The easiest way to enable WordPress theme updates automatically is to click on the Enable auto updates link for each theme you want to update automatically. Themes which are hosted on the repository will receive updates automatically, however premium and third party theme developers have to opt into use the feature. Check with your theme developer for their policies on auto updates. 

Should you enable auto-updates for WordPress plugins?

No, it is inadvisable to enable auto-updates for big WordPress plugins or ones that are critical to the functioning of your site. It is always best to test updates first on a staging site, and then apply them to your live site, once you’ve determined that everything works as it should. 

Smaller sites may consider enabling auto-updates for plugins, but in that case you should make sure to take regular backups. 

How do I stop WordPress from updating automatically? 

There are a few ways to stop WordPress auto update. We’ve provided detailed steps here. Please note that you should eventually update WordPress because updates contain important fixes and improvements for your site. 

Is WordPress auto-update safe?

Not always. Minor WordPress auto-updates and translation auto-updates will rarely break your site, and are important enough to allow them to work untrammeled. Major updates change quite a lot on your site, so should be tested before being applied. To be clear, WordPress updates are not 100% safe, but they are 100% necessary.

What is WP_auto_update_core?

wp_auto_update_core is a constant used to control WordPress auto updates. It is usually set in the wp-config file to decide how core updates are applied to the site. 

It is used with the define statement, and takes the following values for configuration: true, false, and minor.

How do you know when there is a WordPress update available? 

The most common way to find out if there is a WordPress update available is to log into your wp-admin dashboard. There will generally be a notification right on the dashboard indicating that a new version is available. 

Alternatively, you can check the Updates tab on your dashboard, or run the command wp core check-update using SSH. On your BlogVault dashboard, you will see a list of WordPress, plugin, and theme updates available on your site, along with the means to apply them safely.