Automatic background updates were introduced in WordPress 3.7. Since then, minor and security updates have been installed automatically, because this feature is enabled by default. Additionally, managed hosting providers have their own update policies and update websites themselves if you don’t do it yourself within days of the release of a new version.
This situation has many benefits, but also a few drawbacks.
Advantages of WordPress auto updates
Let’s start with the positives. Here are a few reasons why enabling automatic updates for your website, under some conditions, is a good solution.
- The zero-day problem is solved. Hackers release their bots immediately after every WordPress security update is published, but thanks to automatic updates the bots don’t have any chance to attack your site.
On average the administrator of a website has a time window of less than 24 hours to patch following a serious vulnerability disclosure. Many times it’s approximately 4 hours.
- Undoubtedly, time-saving is an advantage. Thanks to the auto-update feature you don’t need to log in to each of the websites you manage just to press the “update” button.
Disadvantages of WordPress auto updates
A friend of mine, who is a web developer, was on vacation on Gran Canaria. Suddenly, he got a call from a client saying that his website was broken. Within one hour he had received more than 15 complaints from others. So he spent the next 2 days sitting in a hotel hallway (the only place where the Wi-Fi signal was strong enough) trying to fix all the websites.
The reason was trivial: he hadn’t disabled auto updates on the websites, and when the WordPress 4.2.3 security fix was released, all shortcodes that contained HTML stopped working, breaking most of the websites he managed.
Let’s take a quick look at the main drawbacks of using auto updates.
- No way to get back. There is no chance to make a backup before the auto update. This means that if the auto update fails or anything goes wrong with the website, you can’t roll back to the previous version because you don’t have a recent backup to restore.
- A false sense of security. The auto-update feature keeps your core updated, but most plugins don’t have an auto-update feature. According to Wordfence statistics, plugins are the most common entry point for hackers into WordPress, responsible for almost 60% of cases.
Auto update: handy for inactive websites, but dangerous for the rest of us
An “automatic update” sounds great for abandoned websites and websites without active administration, because it prevents these sites from becoming zombie websites, which are a source of malware. But when you actively manage your website, it’s better to disable auto updates and handle updates yourself. There are tools to automate the update process without the risk of losing anything due to the lack of a backup.
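
One way to handle updates yourself with a backup taken first, sketched with WP-CLI. This is an added example, not code from the original article; it assumes WP-CLI is installed as `wp`, and the function names, site path and backup directory are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: backup-first manual update of one WordPress site with WP-CLI.
# Assumptions: WP-CLI is installed as `wp`; the site path and backup
# directory are passed in by the caller.

# Turn off background updates so changes only happen through safe_update.
disable_auto_updates() {
    wp --path="$1" config set AUTOMATIC_UPDATER_DISABLED true --raw
}

# Back up, update, verify.
# Returns 0 on success, 1 if the backup failed (site untouched),
# 2 if an update or the post-update check failed (restore from the backup).
safe_update() {
    local site="$1" backups="$2" dest
    dest="$backups/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest" || return 1

    # 1. Backup first: database dump plus wp-content (plugins, themes, uploads).
    wp --path="$site" db export "$dest/db.sql" || return 1
    [ -s "$dest/db.sql" ] || return 1      # an empty dump is not a backup
    tar -czf "$dest/wp-content.tar.gz" -C "$site" wp-content || return 1
    echo "backup written to $dest"

    # 2. Minor/security core release, schema migration, then plugins.
    wp --path="$site" core update --minor || return 2
    wp --path="$site" core update-db      || return 2
    wp --path="$site" plugin update --all || return 2

    # 3. Core files must match the official checksums for the new version.
    if ! wp --path="$site" core verify-checksums; then
        echo "verify failed; database backup is $dest/db.sql" >&2
        return 2
    fi
}

# Run only when invoked as: ./safe-update.sh <site-path> <backup-dir>
if [ "$#" -eq 2 ]; then
    disable_auto_updates "$1" && safe_update "$1" "$2"
fi
```

A return code of 1 means the site was never touched; a return code of 2 means the timestamped backup directory holds the database dump and the `wp-content` archive to restore from.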