Learn how to turn on and tune WordPress automatic updates for core, plugins, and themes so your site stays secure without constant manual work.
Why Automatic Updates Matter for WordPress Security
Most successful website hacks don’t rely on Hollywood-style tricks. They exploit known vulnerabilities in outdated software. Security organizations consistently recommend keeping all software up to date as a basic defense layer.Source
For WordPress site owners, that means:
- Keeping WordPress core updated
- Updating plugins and themes promptly
- Removing anything you no longer use
Automatic updates can handle most of this for you—if you configure them thoughtfully and have a rollback plan.
How WordPress Automatic Updates Work
Modern WordPress includes several update mechanisms:
- Core updates – Security and minor releases are usually applied automatically. Major releases can be configured to auto-update.
- Plugin and theme auto-updates – You can enable these individually from the dashboard, or globally with code filters.Source
- Translation updates – Language packs typically update automatically.
Your goal is to balance security (patch quickly) with stability (avoid breaking changes on a live site).
Pre-Flight Checklist: Before You Turn On Auto-Updates
Before changing any update settings, make sure you have the basics in place:
- Reliable backups – Daily automated backups stored off-server (your host or a backup plugin).
- Tested restore process – You or your team know how to restore a backup quickly.
- Staging site (optional but ideal) – A clone of your site where you can test major updates before they hit production.
Once those are in place, you can safely lean on automatic updates for routine security patches.
Step 1 – Enable Safe Auto-Updates for Plugins and Themes
WordPress lets you turn on auto-updates per plugin and per theme from the dashboard.Source
Enable auto-updates for plugins
- Log in to your WordPress admin.
- Go to Dashboard ? Plugins ? Installed Plugins.
- In the plugins table, find the Automatic Updates column.
- For each plugin you trust and rely on, click Enable auto-updates.
- Leave auto-updates disabled for:
- Complex plugins that control payments, memberships, or custom integrations
- Plugins you rarely use (consider removing these instead)
Enable auto-updates for themes
- Go to Appearance ? Themes.
- Click the thumbnail of your active theme.
- In the modal window, click Enable auto-updates.
- Repeat for any child theme if applicable.
What you should see
- On the Plugins screen, the Automatic Updates column should show “Auto-updates enabled” for selected plugins.
- On the Themes screen, your active theme’s details modal should show auto-updates as enabled.
- Under Dashboard ? Updates, you’ll see notices about when the next automatic check will run.
Step 2 – Decide on Core Update Strategy
WordPress core updates fall into two categories:
- Minor/security releases (e.g., 6.5.1 ? 6.5.2) – These typically auto-install and are strongly recommended.
- Major releases (e.g., 6.5 ? 6.6) – These may introduce new features and sometimes breaking changes.
Recommended approach for most business sites
- Allow automatic minor/security updates.
- Apply major updates manually after testing on staging, unless you have a strong backup and monitoring process.
How to review core update settings
- Go to Dashboard ? Updates.
- Look for messaging about automatic updates for WordPress core (e.g., “This site is automatically kept up to date with maintenance and security releases”).
- If your developer or host has customized update behavior using constants or filters, they should document that for you.
Step 3 – Use Site Health to Monitor Update Status
WordPress includes a Site Health tool that flags outdated core, plugins, and themes.
- Go to Tools ? Site Health.
- On the Status tab, review any Recommended improvements related to updates (for example, plugins or themes that need updating).
- Click the Info tab to see detailed environment information if you’re troubleshooting with your developer or host.
What you should see
- A Good or at least Recommended Site Health status.
- No critical issues about running an outdated WordPress version.
- Few or no warnings about inactive or outdated plugins and themes.
Step 4 – Configure Blanket Auto-Updates (Advanced)
If you manage many sites or want a “set it and forget it” approach, WordPress supports global auto-update filters. These are typically added by a developer to your theme’s functions.php file or a small custom plugin.Source
Examples of global auto-update filters
Enable auto-updates for all plugins:
add_filter( 'auto_update_plugin', '__return_true' );
Enable auto-updates for all themes:
add_filter( 'auto_update_theme', '__return_true' );
Enable major core auto-updates:
add_filter( 'allow_major_auto_core_updates', '__return_true' );
Important: These filters override the per-plugin and per-theme settings in the dashboard. Use them only when you have:
- Strong, tested backups
- Monitoring in place (so you notice if something breaks)
- A developer or support partner who can respond quickly
Step 5 – Combine Auto-Updates with Good Patch Hygiene
Automatic updates are powerful, but they’re not a complete maintenance strategy. Security agencies recommend a broader patching mindset: enable automatic updates where possible, avoid unsupported software, and apply patches promptly.Source
Practical habits to adopt
- Log in weekly to quickly review Dashboard ? Updates and Tools ? Site Health.
- Remove unused plugins and themes instead of leaving them inactive but installed.
- Avoid end-of-life software (themes or plugins no longer maintained by their developers).
- Update from inside WordPress or your trusted host dashboard—never from random links in emails.
What to Do If an Automatic Update Breaks Your Site
Even with careful planning, an update can occasionally cause issues. Having a simple response plan keeps this from turning into a crisis.
Immediate steps
- Stay calm and document what changed (date/time, what you were doing, any error messages).
- Check your email for WordPress auto-update notifications; they often list which plugin, theme, or core version was updated.Source
- Try deactivating the suspected plugin via Plugins ? Installed Plugins if you still have admin access.
- If the site is down or the admin is inaccessible, contact your host or developer to restore the latest backup.
After recovery
- Note which update caused the issue and temporarily disable auto-updates for that specific plugin or theme.
- Ask your developer to test the update on a staging site and resolve conflicts before trying again.
- Review your overall auto-update policy; you may want to be more selective for complex components.
Putting It All Together: A Simple Auto-Update Policy
For most small to mid-sized business WordPress sites, a balanced configuration looks like this:
- Core: Automatic minor/security updates enabled; major updates applied manually after testing.
- Plugins: Auto-updates enabled for well-maintained, non-critical plugins; disabled for payment, membership, or custom integration plugins.
- Themes: Auto-updates enabled for your active theme (and child theme), with backups in place.
- Monitoring: Weekly quick check of Updates and Site Health, plus email alerts from WordPress and your host.
This approach aligns with broader security guidance that emphasizes keeping components up to date while maintaining control over high-impact changes.Source
Next Steps
If Compass Production manages your site, we can review your current update configuration and adjust it to match this policy. If you manage your own site, start by:
- Confirming your backup and restore process works.
- Enabling auto-updates for low-risk plugins and your active theme.
- Scheduling a recurring calendar reminder to review Dashboard ? Updates and Tools ? Site Health.
Once this is in place, your site will be far better protected against common attacks that target outdated WordPress installations and extensions.Source
