How to Disable WordPress Auto Updates (and Update on Your Own Terms)

Automatic updates in WordPress were brought in to make admin life easier, but often have the exact opposite effect. As site admin, you want to have granular control over what happens to your site and when, so that you can run a tight ship. 

Especially in the case of plugin and theme updates, you can never tell if the new release or update is going to crash your site. With automatic updates, you don’t even get an email to say when an update has taken place. You visit your site and are greeted with a crashed site, without even realizing that an update was responsible. 

The best course of action is to test the update on a staging site first, and only then make the changes to your live site. We’ll talk more about that, but first, let’s disable WordPress auto update.

TL;DR: There are a few ways to disable automatic WordPress updates. Most of them involve tinkering with code in the wp-config file or creating a plugin with programmatic filters. Either way, working directly with your site’s code can be fraught, so it is best to take a backup before making changes. Once you’ve disabled auto updates, use BlogVault’s auto update feature. You have full control of when and how updates take place. With built-in backups, visual regression testing, and emails to keep you posted on progress, it is the best of both worlds.

What are WordPress auto updates? 

WordPress auto updates was introduced as a feature in WordPress 3.7. The idea was to have important security fixes and performance improvements applied to sites directly, without causing any disruption to the sites and their operation. 

Theoretically, this lofty aim was largely achievable with minor releases, but with the introduction of major release auto updates in version 5.5, and then plugin and theme versions, things got a little bit hoary. At least with plugin and theme updates, they needed to be individually opted into to work, but there were still a bunch of things going on in the background that could make any site admin break into a cold sweat.

Types of releases

Before you turn off automatic WordPress updates, it is important to get the lay of the land. What is it that you are actually disabling? 

There are 3 main types of WordPress releases: 

• Major releases introduce new features, big improvements to existing features, major security upgrades, and much more. You can identify major releases as they jump 0.1 forward from a previous release, like 4.9 to 5.0 or 5.0 to 5.1. Major releases come about twice a year. Auto updates were introduced in version 5.5, including the facility to update plugins and themes automatically. 

• Minor releases are known as security and maintenance releases, and usually contain important bug fixes. In fact, the initial thought process of auto updates was to push minor releases seamlessly to sites. 5.5.1, the minor release that followed the 5.5 major release, contained an important fix for the auto updates of plugins and themes. If the auto update was not available for a third party plugin or theme not hosted on the repository, the message on the dashboard reflected that correctly, as opposed to before.
  
• Dev releases are updates for development versions of WordPress, used mostly by plugin and theme developers in their testing environments. Development releases come out before major releases, and give developers a chance to build their extensions to be compatible with the next major release in the same timeline. As site admin, we don’t have to deal with these updates too much, so it is just in this list for information. 

Types of updates contained in the releases

Each release has a variety of updates. Some of the methods to disable automatic WordPress updates via the wp-config file or filters, which we will discuss below, require constants that specify which type of update to disable. Therefore, to make sure you disable only the auto updates that you really don’t want, it is good to have a quick read-through of this list. 

• Core updates are really just synonymous with WordPress updates. They update the core files and directories, specifically the wp-includes and wp-admin directories. 
• Plugin updates can be feature additions, security updates, bug fixes, or just about anything that is plugin-related. Plugin updates are available automatically for those plugins hosted on the WordPress repository. Premium plugin developers can also use the WordPress auto update mechanism to push updates automatically to sites, but they have to opt into the mechanism. These are actually the ones to look out for, as they have the most impact on your site. 
• Theme updates usually refer to updates for WordPress themes. The scenario to be cautious about with theme auto updates is if you have modified a stock theme like Twenty Twenty Two or Twenty Ten directly without using a child theme. Updates which patch security vulnerabilities are designed to be backward compatible, so there is a chance that the theme can be overwritten during an update. 
• Translation updates contain language packs for core WordPress, plugins, and themes. These are generally innocuous updates and will rarely break your site. This is why they are typically forced or background auto updates which are difficult to disable. 

What changes during an update?

The final piece of the puzzle that you need to know before you stop automatic WordPress updates is what changes during an update. This way, you can choose to disable automatic updates selectively.

In all major, minor, and dev releases, changes are made to the WordPress core files. This means the wp-admin and wp-includes folders, some parts of the wp-content folder, and many of the standalone files like .htaccess. wp-config is an exception, because WordPress installations never have a wp-config file. It is generated dynamically during the first installation. 

Thus, it is always best to have regular and automatic daily backups if you have auto updates for releases enabled. In fact, that is why major updates are usually opted into, as they change quite a lot. 

Plugin and theme updates will change plugin and theme code respectively. Auto updates are available for all extensions hosted on the repository. Third party plugins and themes—usually considered premium—can receive updates automatically, if the developer has chosen to enable that feature. 

As an admin, you want to retain control on what happens to your site at all times. Auto updates may appear to be a viable optimization, but it can wind up being an expensive shortcut to take. That being said, smaller sites or conversely less critical plugins may benefit from automatic updates. It does become more efficient and much safer for site admin. 

How does an auto update work?

WordPress introduced an updates API that connects to sites at regular intervals to check versions. This process is managed by wp-cron, a feature that handles automated and scheduled tasks in WordPress. 

The update process checks the versions on the site; whether WordPress, plugins, themes, or even php. If the installed version doesn’t match the latest one, it checks to see if the update is compatible with the php version. This step determines whether the whole update is installed or just a patch that fixes a critical vulnerability or bug. Usually, this happens with plugin and theme updates, because the core is mostly backwards-compatible with php. 

Cron jobs run twice a day, approximately every 12 hours. This is not to say that there is a fixed schedule. WordPress checks to see if an update check is scheduled in the next 12 hours on every page load. If not, it runs right away, and the next one is scheduled for 12 hours after.

How to disable WordPress auto updates

The methods to disable automatic WordPress updates below are essentially for major and minor releases. Plugin and theme auto updates are individually opt-in, so unless they have been enabled before, most of these methods are not necessary for them. Also, if some are enabled and others are not, constants and filters will blanket disable the lot. 

Let’s be really clear: updates are very important, especially from a security perspective. We do not recommend disabling minor WordPress releases, or the translation updates, as these are very unlikely to disrupt your site. 

Additionally, please remember to take a full backup of your site with BlogVault. Any changes to your site can break it, as you already know, and disabling auto updates is also a change to your site.

Disable WordPress auto updates via WP-admin dashboard

The Updates section on wp-admin should be your first port of call for disabling auto updates. By default, minor releases known as security and maintenance releases are enabled. There is no way to disable them from this menu, however you can disable major releases here.

If major release auto updates are enabled, you will see a link to Switch to automatic updates for maintenance and security releases only. 

Clicking on the link will disable major release auto updates, and keep minor ones enabled.

Disable automatic WordPress updates using wp-config file

If you want to disable minor releases as well as major ones, this is the next best way to do so. 

There are a few things to remember here. Minor WordPress updates are enabled by default, even using the Updates menu on wp-admin. You can control all auto updates by setting constants in the wp-config file. 

Note: The wp-config file is a lynchpin core file that links the database to your site. Even the smallest typo in this file will cause the site to crash, so please be very careful when making changes. Always take a backup so that you can restore quickly if something does go wrong.  

1. Log into cPanel, and navigate to File Manager. Alternatively, you can use an FTP client like FileZilla or Cyberduck to view your site files. 

2. Find the wp-config file. If you have a normal or stock installation of WordPress, it will be in the root directory, where WordPress is installed. Sometimes people move the wp-config file to another directory for security reasons. Wherever it is, get hold of a copy. 

3. Add the following line of code to disable core auto updates just before the /* That's all, stop editing! Happy publishing. */ line in the file:

define( 'WP_AUTO_UPDATE_CORE', false );

If you only want to disable major updates, but allow minor ones, change ‘false’ to ‘minor’. To disable all WordPress auto updates, add this line to the file: 

define( 'AUTOMATIC_UPDATER_DISABLED', true );

Under no circumstances should you add this code after the ‘happy publishing’ line. We also advise against adding it far above it, because there is other vital code in the file. Best not to tinker with any of it or the order without very good cause. 

4. Save and exit the file

Turn off WordPress automatic updates using filters

Filters are programming constructs that alter normal WordPress operations in a specific way and for a specific purpose. They are mostly used by theme and plugin developers, so as to give these extensions more powerful functionality within WordPress. 

As you can imagine, to use filters you need to actually write code. In this method, we will show you how to write a basic plugin that is always executed by WordPress, and cannot be modified from the admin dashboard. This is a special type of plugin known as a must-use plugin. 

A word of caution here: although filters give you the maximum flexibility over enabling and disabling updates, they do require a decent understanding of coding and programming practices. We do not recommend this course of action for beginners or those not familiar with common programming jargon. The possibilities of things going wrong are limitless, and you do need that knowledge to be able to troubleshoot effectively.

1. Create a text file on your computer, and add the following code: 

<?php
/* Plugin Name: Managing auto updates plugin
Description: Using filters to manage auto updates
*/
?>

This code tells WordPress that this file is a plugin and should be treated as such. Replace the plugin name and description with text of your choosing. 

2. Next, just before the last line, add the following code: 

add_filter( 'automatic_updater_disabled', '__return_true' );
add_filter( 'allow_dev_auto_core_updates', '__return_false' ); 
add_filter( 'allow_minor_auto_core_updates', '__return_false' ); 
add_filter( 'allow_major_auto_core_updates', '__return_false' ); 
add_filter( 'auto_update_plugin', '__return_false' );
add_filter( 'auto_update_theme', '__return_false' );
add_filter( 'auto_update_translation', '__return_false' );

Lines 2 to 6 each disable a particular type of auto update, which we covered earlier in the article. The first line disables all at once. We advise caution here, so pick and choose the auto updates you want to disable carefully. 

In case you want to leave some auto updates enabled—or at least have the option available on the dashboard—you need to change the ‘false’ to ‘true’ in the respective lines above. 

3. Save the text file with the extension .php. 

4. Log into your site files through cPanel’s File Manager or via FTP. Locate the wp-content folder and look for the mu-plugins folder. If it doesn’t exist, don’t worry. Create a new folder with the name ‘mu-plugins’ and upload the php file to that folder. 

5. Log into wp-admin, and check the Plugins page. A new tab called ‘Must-use’ should have appeared, showing the plugin you’ve just created. 

That’s it. WordPress will load and execute the plugin every 12 hours, or on page load. 

Some pointers to keep in mind

We have seen a lot of advice to add filters to the wp-config file. For many reasons, this is a bad idea. Create a must-use plugin, as we’ve shown above, and you should be able to steer clear of any issues that may arise from mucking about with the wp-config file. 

In fact, don’t add this or any other code to any core file. As we said before, WordPress updates overwrite core files and directories. Presumably you want to turn off auto updates to have more control over your site, not to never update your site ever—which is a terrible idea. So eventually, your site will have its core files overwritten too.

Stop WordPress auto updates using BlogVault (for themes and plugins)

If ever you opted in to auto update plugins and themes, you can blanket disable the lot from your BlogVault dashboard.

1. Log into your BlogVault dashboard, and navigate to the site in question. 

2. Look for the gear icon on the dashboard on the Site Overview page. 

3. Find the Auto Update option from the side menu. Here, you can enable or disable auto updates for plugins and themes in one fell swoop.

Disable auto updates in web host

Depending on the web host you are using, some will update WordPress automatically for your site. Although this is not strictly WordPress auto updates in the strongest sense, it is spiritually the same principle as updates will be applied to your site without your express permission. 

One of our test sites on Dreamhost, for example, has a one-click WordPress installation. According to their documentation, Dreamhost applies updates between 1 and 3 weeks after an update is released. You need to opt out of these updates, if you want to control the update process on your site. 

On the other hand, there are some web hosts who disable automatic updates, even if you want them. Reach out to the web host’s customer support to figure out their policies.

Best practices for handling updates after disabling WordPress auto updates

The leading cause of successful hacks is vulnerabilities on sites. Vulnerabilities are lapses in code that inadvertently let hackers into the site. When vulnerabilities are discovered by responsible individuals, they report the bugs to the original developers, be it WordPress, plugin, or theme developers. The developers then release patches to fix these issues. The patches are contained in updates.

This long-winded explanation is to underline, highlight, bold, and put in neon lights the importance of updates. Therefore, while we completely appreciate the desire to disable auto updates, there is the second part of that process: how do you handle updates correctly? 

• The best way to update your site with major and minor updates is to use a staging site. We’ve already talked about how to use BlogVault for backups, and how they can recover your site from inadvertent disasters. However, BlogVault can also create a staging site from a backup in minutes. This is a huge help, because staging sites should be near-identical to live sites for testing purposes. However, those can be a pain to recreate on localhost or other development servers, so a 1-click staging feature is a fantastic boost to productivity.
  
• Keep a weather eye for all updates. If you are going to manage updates on your own steam, be very aware that you are taking on the onus of tracking which ones have been released. Otherwise, you’re rolling out the red carpet to hackers. You can log into wp-admin periodically to check the Updates tab for recently released updates, or alternatively log into your BlogVault dashboard to check which updates are available.
  
• Auto update on a schedule. Yes, we know this is an article about disabling auto updates, because you want to retain control of your site. However, the convenience of automatic updates is undeniable. Which is why we are discussing the third most excellent BlogVault feature of this article: auto update schedules.
  
  Auto update schedules enable you to set up updates for WordPress, plugins, and themes in as many schedules as you like. The schedules can be set to run daily, weekly, or monthly. When creating a schedule, we highly recommend checking both the options of a pre-update backup and a visual regression test straight after. Once the schedule completes, you will receive an email. If the update has broken your site, you can restore the backup immediately, and then troubleshoot the update on a staging site. It is the best of both worlds.
  
• Wait at least a week before applying the update, in the case of smaller ones. For larger releases, wait for up to 3 weeks. If there are any fixes, they will generally appear by then.
  

• Stop making changes to core files. There are lots of solutions for things like geoblocking or blacklisting IPs, you don’t need to configure the .htaccess file for instance. All WordPress updates affect core files, so you’re creating more work for yourself when you customise core files.

Pros of disabling auto updates

We already know that updates can break your site. You always want to have full control on any changes to your site. However there are other advantages to disabling automatic updates as well. 

• Simultaneous updates can overload your site, especially if there are lots of plugins and many of them have updates at the same time. This may seem coincidental, but happens often around WordPress major releases. Developers will want to prime their products to leverage all the new features as far as possible.
• Updates can also have issues. You want to wait it out to see if the update is good to go, especially with plugin updates. 
• When things go wrong, it is very hard to troubleshoot if multiple updates are happening all the time. Admins don’t receive emails when automatic updates are done. You can just be confronted with a critical error on your site, and you may not even realise that an update was the issue. More so, which update caused the issue. 
• Features can be changed or moved. There is a learning curve with updates which can be disruptive to your workflow. 
• Updates can overwrite customisations or changes you have made. This is why you should always have backups. 

Cons of disabling auto updates

There isn’t a lot in this section that hasn’t already been covered in the rest of the article. However, there are downsides to disabling auto updates as well.

• You may miss important updates, which have vulnerability patches, performance improvements, feature upgrades, new features, and more. 
• Manual updates are time consuming, unless you have an alternative solution to manage your site, like an agency. 

Takeaways

We completely understand the impetus of wanting to disable auto update in WordPress. But we want to emphasize one last time that updates are super important. If you are disabling auto updates for any other reason than wanting to update your site on your terms, it is a bad idea to do so. 

Take backups with BlogVault, and set up auto update schedules to maintain your site. If an auto update does break your site, you have an instant backup to restore your site, and can troubleshoot using a staging site. It is all so conveniently wrapped up in one package. 

FAQs

How do I turn off automatic updates in WordPress?

There 3 ways to turn off automatic updates in WordPress: 

• Updates menu on wp-admin for major WordPress releases; and Plugins and Themes tabs respectively for those updates
• Updating the wp-config file with constants
• Creating a custom plugin with filters

How do I enable WordPress theme updates automatically?

The easiest way to enable WordPress theme updates automatically is to click on the Enable auto updates link for each theme you want to update automatically. Themes which are hosted on the repository will receive updates automatically, however premium and third party theme developers have to opt into use the feature. Check with your theme developer for their policies on auto updates. 

Should you enable auto-updates for WordPress plugins?

No, it is inadvisable to enable auto-updates for big WordPress plugins or ones that are critical to the functioning of your site. It is always best to test updates first on a staging site, and then apply them to your live site, once you’ve determined that everything works as it should. 

Smaller sites may consider enabling auto-updates for plugins, but in that case you should make sure to take regular backups. 

How do I stop WordPress from updating automatically? 

There are a few ways to stop WordPress auto update. We’ve provided detailed steps here. Please note that you should eventually update WordPress because updates contain important fixes and improvements for your site. 

Is WordPress auto-update safe?

Not always. Minor WordPress auto-updates and translation auto-updates will rarely break your site, and are important enough to allow them to work untrammeled. Major updates change quite a lot on your site, so should be tested before being applied. To be clear, WordPress updates are not 100% safe, but they are 100% necessary.

What is WP_auto_update_core?

wp_auto_update_core is a constant used to control WordPress auto updates. It is usually set in the wp-config file to decide how core updates are applied to the site. 

It is used with the define statement, and takes the following values for configuration: true, false, and minor.

How do you know when there is a WordPress update available? 

The most common way to find out if there is a WordPress update available is to log into your wp-admin dashboard. There will generally be a notification right on the dashboard indicating that a new version is available. 

Alternatively, you can check the Updates tab on your dashboard, or run the command wp core check-update using SSH. On your BlogVault dashboard, you will see a list of WordPress, plugin, and theme updates available on your site, along with the means to apply them safely.