Should You Block Auto-Updates? (New Feature Alert)

Sep 3, 2020

Should You Block Auto-Updates? (New Feature Alert)

Sep 3, 2020

A broken site is certainly unpleasant.

But a broken site because of your own doing…. is the worst.

That’s precisely what can happen if you have auto-updates turned on.

With ZERO human involvement in the process, auto-updates have actually ended up breaking many sites.

This has kept many agency owners and developers on the edge of their seats.

As Kristina Romero from WP Care Market explained in this webinar, clients are already getting multiple emails about their sites – from hosting companies, from WordPress and what not. They might easily learn about auto-updates and turn them on thinking it’s more convenient.

This ends up being a maintenance nightmare.

As a backup and security company, we’ve always advocated for keeping websites updated, in a secure manner.

Thus, we decided to build a new feature to Block Auto-Updates.

Read on to see how this prevents you from being in the dark.

How Do These Auto-Updates Work?

Let’s first understand the auto-update process. 

WordPress uses a WP-cron job to run scheduled tasks such as checking for updates, publishing a scheduled post etc.

According to’s Plugin Handbook, “WP-Cron works by checking, on every page load, a list of scheduled tasks to see what needs to be run. Any tasks due to run will be called during that page load.”

Now that you know this, let’s see what happens behind the scenes when you turn on auto-update.

  1. WordPress uses the cron process to check updates twice everyday. When this process runs, it checks if your plugins/ themes (which have auto-update enabled) have new updates.

  2. If an update is found, the latest version of the plugin/theme is immediately downloaded and installed.

This effectively replaces the existing version of the plugin/theme. Also, the update is applied irrespective of whether the update is a small minor fix or a big release. 

When a website updates to WordPress 5.5, the auto-update feature is disabled by default. To enable this feature, the site owner has to go to the Plugins /Themes section and enable it from the toggle bar.

Here’s what the feature attempts to offer. 

The Advantages Of Auto-Updates

  1. Protection from Vulnerabilities:
    Say a plugin on your site is found to have a vulnerability and the plugin owner releases an update with a security patch. Once the news is made public, there’s no telling how long it’ll be before you find out and update. In the meantime, hackers might target sites which have the plugin installed.

    With Auto-Update enabled, the update is immediately applied which drastically reduces the chances of the vulnerability being exploited.

  2. Easier Maintenance:
    With Auto-Update enabled, a website owner will no longer have to manually login and update the site regularly. This feature “does it all” and lets them know when an update has run successfully.

    In addition, if an update breaks the site, WordPress also has a fatal error system which displays information about the root cause. The website owner can use information to identify the faulty plugin update and fix it.

Now, the Auto-Update feature clearly appears to be beneficial.

The real question to ask here is, for whom?

What Kind Of Sites Should Use Auto-Updates?

Auto-Update enabled for all plugins and themes is advantageous only if your website is:

  • A Hobbyist website or Personal Blog 
  • A Small Business Website which is used as a portfolio and is not a source of revenue or leads

The common characteristic between these sites is that:

  • They tend to use fewer plugins
  • The plugins/ theme used are usually popular, and therefore are assumed to be well-coded
  • The level of activity on the website is less 

Clearly, not everything is fun and dandy with this feature.

For sites that have constant activity or that are sources of income, Auto-Updates can actually increase security risks and make maintenance even more harder.

Let’s see how.

Auto-Updates: The Bad And The Ugly

The root issue with auto-updates is that there is no human involvement. The automated process leaves no room for preparedness or supervision. And the update can happen at any point of time.

Moreover, the website owner is only intimated about the update after it’s been executed.

And here’s where things get ugly.

The Block Auto-Update feature can actually lead to a variety of issues.

1. Simultaneous Updates Can Overload Your Server:

As mentioned, if the cron process finds an available update, it immediately updates. Now imagine if there are multiple plugin updates available. The auto-update feature sets off these updates to run at the same time. This creates a spike in utilisation of server resources which can overload your server. This can ultimately lead to failed updates or even crash your website.

2. Increased Risk of Vulnerabilities

Vulnerabilities in plugins and themes have put over 5 million sites at risk just in 2020. Imagine a plugin releases an update which has a vulnerability. With auto-update enabled, your site is immediately vulnerable and prone to a hack. If the update was done by a person, it could’ve been tested on a staging site before being made live. Here are some of the best WordPress staging plugins that will help you create staging site

3. Plugin/Theme Conflicts can Break The Site

Certain plugins and themes when used together can cause internal code conflicts. This could be due to poor quality of code, difference in the WordPress versions that they were built for etc. Conflicts can lead to malfunctioning of your site.

While updating manually, you can check for possible conflicts and test the updates before making it live. This is not possible if auto-update is enabled. If plugin update break your site, you can also go through our guide on reverting plugin updates.

4. You’re Unprepared For Sudden Changes

Let’s say you’re going away on vacation for a few days. Your friend decides to surprise you by giving your house a complete makeover. They change the wallpaper, move around the furniture and rearrange all your stuff. How disoriented would you feel when you came back?

Auto-Update is a lot like that friend. There might be changes in UI or website functionality due to an update that happens without the site-owners knowledge.

5. It Can Be A Maintenance Nightmare

For agencies or developers who are maintaining websites for clients, auto-updates are an absolute nightmare.

Clients might turn on auto-updates thinking it helps maintain the site. But if things go wrong and the site misbehaves, the onus is on the agency. Moreover, clients might undervalue outsourcing updates to an agency or developer.

Non-technical website owners might enable the auto-update feature thinking it makes maintenance easier. But it might just do the opposite and cause issues (as discussed in the previous points) they are not prepared for.

Our Solution? A Block Auto-Update Feature

To combat all these possible issues, we came up with a simple solution – our new Block Auto-Update feature!

This lets the user block auto-updates from happening even if it is previously enabled in the WordPress Admin Dashboard.

Let’s see how to use it.

This is how the Plugins tab in the WordPress Admin Dashboard looks on WordPress 5.5.

Plugins tab in WP Dashboard

As you can see, the plugins have a toggle option to enable the auto update.

To use our block auto-update feature:

  • From the Site Details Page click on the Settings option. 
  • Choose the Auto Update option at the bottom of the list. 

Auto-Update in Settings

  • Enable the Block Auto Updates feature and click on Apply. 

Enable Block Updates from Settings

Auto-Updates are now blocked for the whole website. The toggle bar no longer appears on the Admin dashboard.

And there you go! 

Note: This feature is available to all BlogVault, MalCare Pro and WP Remote Pro users. 

Why We Developed This Feature (Words From Our CEO Himself)

This is not the first time auto-update has been tackled in the WordPress space. 

As Kristina explains, we have seen web hosts like WP Engine, Liquid Web and even Pantheon offer automatic updates bundled with visual regression testing and more. However, this only increases the responsibility on agencies to troubleshoot when things go south. 

At BlogVault, our goal is to enable you to manage and maintain websites easily. For agencies, we provide visual regression testing and are constantly improving our reporting and management functions.

This makes maintenance easier for agencies and makes the value they provide to clients even more robust.

For now we let you block the auto-update feature and hide it from within your clients dashboard. This is particularly valuable as it could confuse your client otherwise. If they enable auto-updates by mistake, it can cause an update to happen without your knowledge and may cause the site to break.

What Next? 

Keeping a WordPress site updated is not easy.

Updates in general can cause your site to misbehave and can even break it. This can affect your revenue, online reputation and will definitely make Google unhappy with your site.

A good update strategy can do wonders for your website.

Check out our Ultimate Guide To Update WordPress Safely for the best practices to update your site in a safe manner. 

Would love your thoughts, please comment.x