Learn how to safely configure WordPress core, theme, and plugin update settings so your site stays secure without unexpected breakage.
Why Your WordPress Update Settings Matter for Security
Keeping WordPress core, themes, and plugins updated is one of the most important ways to prevent hacks and data breaches. Many known attacks target vulnerabilities that already have patches available, but those patches only help you if the updates are actually installed.
This guide will help you configure update settings in a way that:
- Reduces your risk from known vulnerabilities
- Minimizes the chance of a broken layout or plugin conflict
- Fits a realistic small-business maintenance workflow
Understand the Types of WordPress Updates
Before changing settings, it helps to know what can be updated and how WordPress treats each type by default.
1. WordPress Core Updates
There are two main types of core updates:
- Minor/security releases (for example, 6.5.1 → 6.5.2) – usually contain security and bug fixes.
- Major releases (for example, 6.4 → 6.5) – add new features and sometimes change behavior.
By default, WordPress automatically installs minor and security releases, but not major releases.
2. Theme Updates
Themes control your site’s design and layout. Updates may include:
- Security fixes
- Compatibility updates for new WordPress versions
- New features or design changes
Theme updates can sometimes affect layout, especially if you use a heavily customized theme or child theme.
3. Plugin Updates
Plugins add functionality (forms, SEO, e-commerce, etc.). Updates often include:
- Security patches for discovered vulnerabilities
- Bug fixes and performance improvements
- New features or interface changes
Because plugins interact with each other, plugin updates are the most common source of conflicts and breakage.
Recommended Overall Strategy
For most small business sites, a balanced, security-first strategy looks like this:
- Allow automatic minor/security updates for WordPress core.
- Manually approve major WordPress core updates after testing on staging.
- Use controlled automatic updates for low-risk, well-maintained plugins and themes.
- Manually update high-impact plugins (e-commerce, membership, booking, page builders) after testing.
How to Configure Automatic Updates in the WordPress Dashboard
These steps assume you are logged in as an Administrator.
Step 1 – Review Core Update Settings
- Go to Dashboard → Updates.
- At the top, look for the message about automatic updates. It will usually say that security updates are enabled.
- If your hosting provider or a security plugin manages core updates, you may see a note indicating that.
Recommended: Leave automatic minor/security updates enabled. Plan to handle major version updates manually on a staging site first.
Step 2 – Configure Plugin Automatic Updates
- Go to Dashboard → Plugins → Installed Plugins.
- For each plugin, you’ll see a link such as “Enable auto-updates” or “Disable auto-updates” in the right-hand column.
- For each plugin, decide whether to enable auto-updates using this rule of thumb:
  - Safe to auto-update: security plugins, backup plugins, anti-spam, small utility plugins with simple functions.
  - Manual updates recommended: WooCommerce, payment gateways, membership plugins, booking systems, page builders, custom integration plugins.
- Click the link to toggle auto-updates on or off for each plugin.
Step 3 – Configure Theme Automatic Updates
- Go to Appearance → Themes.
- Click on the theme card for your active theme.
- Look for the “Enable auto-updates” or “Disable auto-updates” link and choose your preference.
Recommended:
- Enable auto-updates for unused parent themes you keep only for compatibility (for example, a default WordPress theme).
- Consider manual updates for your active theme, especially if it’s heavily customized or part of a complex design system.
Using wp-config.php for Advanced Core Update Control
If you are comfortable with basic file editing (or working with your developer), you can control core updates more precisely via wp-config.php. This file lives in the root of your WordPress installation.
Step 1 – Safely Access wp-config.php
- Make a fresh backup of your site and database using your backup plugin or hosting tools.
- Access your site files via SFTP or your hosting file manager.
- Download wp-config.php to your computer and open it in a plain-text editor.
Step 2 – Choose the Right Constant
WordPress supports the WP_AUTO_UPDATE_CORE constant to control core updates.
Add one of the following lines above the line that says /* That's all, stop editing! */:
- define( 'WP_AUTO_UPDATE_CORE', true ); – Enable all core updates (major and minor).
- define( 'WP_AUTO_UPDATE_CORE', 'minor' ); – Enable only minor and security updates (this is the default behavior).
- define( 'WP_AUTO_UPDATE_CORE', false ); – Disable all automatic core updates (not recommended for most sites).
Recommended for most business sites: explicitly set 'minor' to ensure security updates always run, even if a plugin or host tries to change behavior.
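To confirm the edit did what you intended, the following added example (not part of the original guide or of WordPress itself) reads a wp-config.php and reports which core update policy it sets. The function name core_update_policy and its result labels are hypothetical, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): report the core auto-update
# policy that a wp-config.php file sets through WP_AUTO_UPDATE_CORE.
# Limitation: only // and # line comments are skipped, not /* ... */ blocks.

# Prints one of: all, minor, disabled, default, duplicate, misplaced, unknown
core_update_policy() {
    cfg=$1
    # Active define() lines for the constant, prefixed with their line number.
    defs=$(grep -nE "^[[:space:]]*define\([[:space:]]*['\"]WP_AUTO_UPDATE_CORE['\"]" "$cfg" || true)
    if [ -z "$defs" ]; then
        echo default        # constant absent: WordPress default (minor only)
        return 0
    fi
    if [ "$(printf '%s\n' "$defs" | wc -l)" -gt 1 ]; then
        echo duplicate      # PHP keeps the first define(); later ones only warn
        return 0
    fi
    line=${defs%%:*}
    # The guide places the define above the "stop editing" comment.
    stop=$(grep -n "stop editing" "$cfg" | head -n 1 | cut -d: -f1)
    if [ -n "$stop" ] && [ "$line" -gt "$stop" ]; then
        echo misplaced
        return 0
    fi
    # Second argument of define(), with quotes and whitespace removed.
    val=$(printf '%s\n' "$defs" |
        sed -E "s/.*WP_AUTO_UPDATE_CORE['\"][[:space:]]*,[[:space:]]*([^)]*)\).*/\1/" |
        tr -d "[:space:]'\"" | tr 'A-Z' 'a-z')
    case $val in
        true)  echo all ;;
        minor) echo minor ;;
        false) echo disabled ;;
        *)     echo unknown ;;
    esac
}

# Constructed sample file, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?php
define( 'DB_NAME', 'example' );
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
echo "policy: $(core_update_policy "$sample")"
rm -f "$sample"
```

A result of disabled, duplicate, misplaced, or unknown is worth a manual look at the file before you rely on automatic security releases.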
Best Practices Before Any Update Runs
To avoid downtime and data loss, build these habits into your maintenance routine.
1. Always Have Recent, Tested Backups
- Ensure you have automatic daily backups of both files and database.
- Periodically perform a test restore on a staging or local site so you know the backup actually works.
Backups are your safety net if an update introduces a bug or conflict.
2. Use a Staging Site for Major Changes
A staging site is a private copy of your site where you can test updates before applying them to your live site. Many managed WordPress hosts provide one-click staging environments.
Recommended workflow:
- Push your live site to staging.
- Run core, theme, and plugin updates on staging.
- Click through key pages, forms, and checkout flows.
- If everything looks good, repeat the same updates on the live site.
3. Schedule Updates During Low-Traffic Windows
When you manually trigger updates, do it during a time when your audience is least active (for example, late evening or early morning in your primary time zone). This reduces the impact if you need to troubleshoot.
What You Should See After Configuring Update Settings
Once your settings are in place, you should notice:
- The Dashboard → Updates screen shows fewer urgent items because minor security updates are handled automatically.
- On the Plugins screen, the “Automatic Updates” column clearly indicates which plugins are set to auto-update.
- In Appearance → Themes, your active theme shows your chosen auto-update status.
- Your site continues to function normally after updates, with no broken layouts or missing features.
If you notice unexpected layout changes or errors immediately after an update, check the plugin or theme’s changelog, and consider rolling back using your backup or a version rollback tool provided by your host or plugin vendor.
Ongoing Maintenance Checklist
To keep your update strategy working smoothly, follow this simple recurring checklist:
- Weekly: Log in, check Dashboard → Updates, and apply any pending manual updates after a quick backup.
- Monthly: Review which plugins and themes are set to auto-update and adjust if you’ve added new ones.
- Quarterly: Test your backups and staging workflow, and review whether any plugins or themes can be removed to reduce your attack surface.
With these settings and habits in place, your WordPress site will stay significantly more secure while still giving you control over high-impact changes.