As soon as WordPress launches a new version, they publish a changelog on their website listing what has changed. This also includes all security vulnerabilities that have been patched.
For example, in the latest version released in early September, two vulnerabilities in core WordPress were fixed. In addition, the changelog shows where in the code each vulnerability lies. By comparing the newer version with the older one, any developer with an interest in security can find the vulnerabilities in the older version.
Hackers are clever, so they do exactly the same thing. The moment a new WordPress version is out, hackers have access to the vulnerabilities in the previous one, and it is therefore of great importance that a WordPress owner always runs the very latest version.
WordPress has realized this as well, and at the end of 2013 an automatic update feature was launched so that users always have the latest and most secure version. It was enabled by default so that as many sites as possible would start updating automatically.
“Going forward, this will be one of the best ways to guarantee your site stays up to date and secure and, as such, disabling these updates is strongly discouraged.”
WordPress.com about the auto-update feature
And yet people do disable this feature. It is not uncommon for us at Detectify to find old, outdated and vulnerable installations when scanning customers’ websites.
The reason is a fear, often greatly exaggerated, that the update will somehow break the website. Searching the web for discussions about this makes it clear that it does happen, but it is very, very rare. WordPress runs on hundreds of thousands of websites, so their testing before any release is obviously very rigorous, since a release that crashed even a small percentage of those websites would be a serious problem.
There are a few valid reasons for disabling auto-update. You might disable the feature if:
However, as long as the website does not fall into any of the categories above, there is no need to disable auto-updates and no good excuse for doing so. It cannot be emphasized enough how important updates are, and it is genuinely sad to see that sites still get hacked on a daily basis because of this. Make sure to enable automatic updates and test your website with Detectify on a regular basis!
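The two findings the post cares about, an outdated core version and auto-updates switched off, can be checked on the server itself without scanning from the outside. The script below is an added example, not Detectify's scanner or WordPress code: it reads the installed version from the `$wp_version` assignment in `wp-includes/version.php` and looks in `wp-config.php` for the two WordPress constants that turn core auto-updates off (`AUTOMATIC_UPDATER_DISABLED` set to true, or `WP_AUTO_UPDATE_CORE` set to false). The sample file contents and the "latest version" string are constructed for the demonstration; in real use you would pass the current release number from the WordPress changelog.

```python
import re
from pathlib import Path
from typing import List, Optional

# Constructed sample of wp-includes/version.php (the real file assigns $wp_version).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '3.9.1';\n$wp_db_version = 27916;\n"

# Constructed wp-config.php fragments: one with core auto-updates disabled, one that
# keeps them on (minor releases, which is where security fixes normally ship).
SAMPLE_WP_CONFIG_WEAK = (
    "<?php\n"
    "define('AUTOMATIC_UPDATER_DISABLED', true);\n"
    "define('DB_NAME', 'wp');\n"
)
SAMPLE_WP_CONFIG_OK = "<?php\ndefine('WP_AUTO_UPDATE_CORE', 'minor');\n"


def parse_wp_version(version_php: str) -> Optional[str]:
    """Extract the version string from the $wp_version assignment, or None."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php)
    return m.group(1) if m else None


def version_tuple(version: str) -> tuple:
    """'3.9.1' -> (3, 9, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def auto_updates_disabled(wp_config: str) -> bool:
    """True if wp-config.php disables core auto-updates via either constant.

    Only the two WordPress constants are checked; the auto_update_core filter can also
    switch updates off from theme or plugin code, which this file-based check cannot see.
    """
    pattern = (
        r"define\(\s*['\"]AUTOMATIC_UPDATER_DISABLED['\"]\s*,\s*true\s*\)"
        r"|define\(\s*['\"]WP_AUTO_UPDATE_CORE['\"]\s*,\s*false\s*\)"
    )
    return re.search(pattern, wp_config, re.IGNORECASE) is not None


def audit(version_php: str, wp_config: str, latest_version: str) -> List[str]:
    """Return a list of findings for one installation; an empty list means no issues."""
    findings = []
    installed = parse_wp_version(version_php)
    if installed is None:
        findings.append("could not determine installed WordPress version")
    elif version_tuple(installed) < version_tuple(latest_version):
        findings.append(f"outdated core: {installed} < {latest_version}")
    if auto_updates_disabled(wp_config):
        findings.append("core auto-updates disabled in wp-config.php")
    return findings


def audit_install(root: Path, latest_version: str) -> List[str]:
    """Audit a WordPress install on disk; assumes the standard file layout under root."""
    version_php = (root / "wp-includes" / "version.php").read_text(encoding="utf-8")
    wp_config = (root / "wp-config.php").read_text(encoding="utf-8")
    return audit(version_php, wp_config, latest_version)


if __name__ == "__main__":
    # "4.0" is a constructed placeholder for the latest release, not a value from the post.
    for finding in audit(SAMPLE_VERSION_PHP, SAMPLE_WP_CONFIG_WEAK, "4.0"):
        print("FINDING:", finding)
    print("clean config findings:", audit(SAMPLE_VERSION_PHP, SAMPLE_WP_CONFIG_OK, "3.9.1"))
```

Run `audit_install(Path("/var/www/html"), "<latest version>")` against a real document root to get the same list of findings; an empty list is the state the post argues for.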
Do you have questions about your WordPress site’s security? Check out our WordPress security tips or get in touch at hello[at]detectify.com.