WordPress automatic updates: what to enable and what to keep manual

Automatic security updates close vulnerabilities without relying on you. A guide to configuring core, plugins and themes the right way.

Automatic updates are the cheapest defence against known vulnerabilities. The moment a CVE is published, attackers race to scan the web for vulnerable sites, write an exploit, and abuse the window before admins patch. An automatic update closes that window within hours.

Why this matters

The numbers are stark: roughly 60% of WordPress sites compromised in 2024 were running a plugin or core version with a vulnerability that had been patched at least a month earlier. In plain English, if they had auto-updated, they would not have been breached. Auto-updates also remove the cognitive load: there is no more 'remind me next week to patch' that quietly never happens. WordPress core has supported automatic security (minor) updates since version 3.7 and automatic plugin updates since 5.5. The theoretical downside is that an automatic update breaks the site; in practice this is rare for minor updates and happens only occasionally with major plugin updates that change an API.

How to detect

The audit checks three layers:

  1. Core: the WP_AUTO_UPDATE_CORE constant in wp-config.php, or the auto_update_core filter.
  2. Plugins: the list of plugins with auto-updates enabled, stored in wp_options under 'auto_update_plugins'.
  3. Themes: the equivalent list for themes.

If none of the three is enabled, the check fails. Manually: Dashboard > Plugins. The right-hand column shows either 'Enable auto-updates' or 'Auto-updates enabled' for each plugin; if you see the former, automatic updating is off for that plugin.
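The same three-layer audit can be run as a script against a live install. The following is an added example, not code from the article or from WordPress itself: it uses WordPress's own functions (get_site_option, get_plugins, wp_get_themes, has_filter) and also reports the AUTOMATIC_UPDATER_DISABLED kill switch, which overrides all three layers. It assumes it is run through WP-CLI from the site root as `wp eval-file audit-auto-updates.php`; the file name and the report layout are choices made for this example.

```php
<?php
/**
 * Audit of the three auto-update layers (core constant/filter, plugin list, theme list).
 * Added example, not part of the original article. Run from the site root with
 * WP-CLI: `wp eval-file audit-auto-updates.php` (file name is an assumption).
 */

function example_audit_auto_updates(): array {
    // Global kill switch: AUTOMATIC_UPDATER_DISABLED (or the matching filter) disables everything below.
    $disabled = defined('AUTOMATIC_UPDATER_DISABLED') && AUTOMATIC_UPDATER_DISABLED;
    $disabled = (bool) apply_filters('automatic_updater_disabled', $disabled);

    // Layer 1: core. WP_AUTO_UPDATE_CORE may be true (major + minor), 'minor', or false;
    // when it is not defined at all, WordPress falls back to minor (security) updates.
    $core_constant = defined('WP_AUTO_UPDATE_CORE') ? WP_AUTO_UPDATE_CORE : null;
    $core_enabled  = !$disabled && ($core_constant !== false);

    // Hosts and management plugins often override core behaviour through filters rather than the constant.
    $core_filters = array_values(array_filter(
        ['auto_update_core', 'allow_minor_auto_core_updates', 'allow_major_auto_core_updates'],
        'has_filter'
    ));

    // Layers 2 and 3: per-item opt-in lists stored in wp_options. get_plugins() lives in wp-admin.
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $plugins_on  = (array) get_site_option('auto_update_plugins', []);
    $themes_on   = (array) get_site_option('auto_update_themes', []);
    $plugins_off = array_values(array_diff(array_keys(get_plugins()), $plugins_on));
    $themes_off  = array_values(array_diff(array_keys(wp_get_themes()), $themes_on));

    return [
        'updater_disabled'            => $disabled,
        'core_constant'               => $core_constant === null
                                            ? 'undefined (defaults to minor)'
                                            : var_export($core_constant, true),
        'core_filters_present'        => $core_filters,
        'core_auto_update'            => $core_enabled,
        'plugins_with_auto_update'    => $plugins_on,
        'plugins_without_auto_update' => $plugins_off,
        'themes_without_auto_update'  => $themes_off,
        // Mirrors the article's rule: the check fails only if none of the three layers is enabled.
        'passes' => !$disabled && ($core_enabled || $plugins_on !== [] || $themes_on !== []),
    ];
}

if (defined('WP_CLI') && WP_CLI) {
    WP_CLI::line(json_encode(example_audit_auto_updates(), JSON_PRETTY_PRINT));
}
```

The 'passes' field applies the article's lenient rule; in practice the two `*_without_auto_update` lists are what you act on, and a non-empty `core_filters_present` tells you that a host or management plugin is steering core updates regardless of what wp-config.php says.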

How to fix

  1. Core: in wp-config.php make sure there is no define('WP_AUTO_UPDATE_CORE', false). If you also want automatic major updates, add define('WP_AUTO_UPDATE_CORE', true).
  2. Plugins: Dashboard > Plugins. Tick every plugin sourced from wordpress.org, choose Bulk actions > Enable Auto-updates > Apply.
  3. Premium plugins (Yoast Premium, WP Rocket, Elementor Pro): make sure the licence key is active. Without a valid licence, the plugin will not receive automatic updates.
  4. Themes: Dashboard > Themes > hover the theme > Theme details > Enable auto-updates.
  5. Core major versions: keep manual - before going from 6.x to 7.x, back up and verify compatibility. Minor versions (6.5 to 6.5.1) are safe automatically.
  6. Set up email notifications: WordPress sends an email after every automatic update. Make sure the admin email in Settings > General is valid.

Common mistakes

Do not enable auto-updates on a plugin you forked or pulled from an unofficial source - the update will come from wordpress.org with the original code and overwrite your fork. Do not enable auto-updates on payment-critical plugins (WooCommerce gateways) without staging - API changes from the payment provider can break checkout for hours. Do not switch off auto-updates because you read somewhere that they are dangerous - the risk of not updating is far greater than the risk of a broken update. Do not forget to renew premium licences.
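Steps 1 to 6 of the fix and the first two mistakes above can be written down as one policy in a must-use plugin, so the setting survives a dashboard click, a migration or a colleague's 'temporary' change. The following is an added example, not code from the article or from WordPress: the hold-out list, the file path wp-content/mu-plugins/auto-update-policy.php and the notification address are placeholders to replace, while the hooks it registers (auto_update_plugin, auto_update_theme, allow_minor_auto_core_updates, allow_major_auto_core_updates, auto_core_update_email, auto_plugin_theme_update_email) are WordPress's own filters.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example, not from the article)
 * Description: Auto-update everything served from wordpress.org except an explicit hold-out
 *              list; minor core releases automatic, major core releases manual.
 * Install:     save as wp-content/mu-plugins/auto-update-policy.php (path is an assumption).
 */

// Hold-out list (constructed placeholders): payment gateways that must go through staging
// first, and forks that the wordpress.org package would overwrite. Use real plugin basenames.
const EXAMPLE_HOLD_OUT_PLUGINS = [
    'example-payment-gateway/example-payment-gateway.php',
    'my-forked-plugin/my-forked-plugin.php',
];

// Only trust packages downloaded from wordpress.org; vendor-hosted premium plugins are left alone.
function example_package_is_from_wordpress_org($item): bool {
    if (empty($item->package)) {
        return false;
    }
    return wp_parse_url($item->package, PHP_URL_HOST) === 'downloads.wordpress.org';
}

// Plugins: $item->plugin is the basename (e.g. akismet/akismet.php); returning false also
// overrides the dashboard toggle, so a forked or payment-critical plugin can never slip through.
add_filter('auto_update_plugin', function ($update, $item) {
    $basename = isset($item->plugin) ? $item->plugin : '';
    if (in_array($basename, EXAMPLE_HOLD_OUT_PLUGINS, true)) {
        return false;
    }
    if (example_package_is_from_wordpress_org($item)) {
        return true;
    }
    return $update; // premium/third-party: keep whatever the dashboard says (needs a valid licence)
}, 10, 2);

// Themes: same rule, no hold-outs in this example.
add_filter('auto_update_theme', function ($update, $item) {
    return example_package_is_from_wordpress_org($item) ? true : $update;
}, 10, 2);

// Core: security (minor) releases automatically, major releases stay manual (step 5).
add_filter('allow_minor_auto_core_updates', '__return_true');
add_filter('allow_major_auto_core_updates', '__return_false');

// Step 6: route the post-update emails to an inbox somebody actually reads (constructed address).
function example_route_update_email($email) {
    $email['to'] = 'ops@example.com';
    return $email;
}
add_filter('auto_core_update_email', 'example_route_update_email');
add_filter('auto_plugin_theme_update_email', 'example_route_update_email');
```

Because this lives in mu-plugins it loads before normal plugins and cannot be deactivated from the dashboard, which is the point: the hold-out list is the one place where 'manual only' is recorded. Premium plugins still need an active licence to be offered a package at all (step 3), so the policy does not change their behaviour.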

Verifying the fix

Wait a few days and check the update log: Dashboard > Updates. It should display 'Last checked: an hour ago'. If a plugin received an automatic update, an email from wordpress@yoursite will arrive. If no plugin has updated in a month, verify that WP-Cron is running, because auto-updates rely on it.
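The WP-Cron dependency can be checked directly rather than by waiting a month. The following is an added example, not code from the article or from WordPress: it reads the three cron events that drive update checks and the last_checked timestamp that Dashboard > Updates displays, using WordPress's own wp_next_scheduled and get_site_transient. It assumes it is run through WP-CLI as `wp eval-file verify-auto-updates.php` (file name chosen here).

```php
<?php
/**
 * Verification helper. Added example, not from the article. Run from the site root with
 * WP-CLI: `wp eval-file verify-auto-updates.php` (file name is an assumption).
 * Auto-updates are driven by three WP-Cron events; if they are missing or overdue,
 * no plugin will ever update on its own no matter how the toggles are set.
 */

function example_verify_update_cron(): array {
    $now    = time();
    $report = [];

    // With DISABLE_WP_CRON set, wp-cron.php must be hit by a system cron job instead;
    // that is fine as long as the events below are still firing on time.
    $report['wp_cron_disabled'] = defined('DISABLE_WP_CRON') && DISABLE_WP_CRON;

    $hooks   = ['wp_version_check', 'wp_update_plugins', 'wp_update_themes'];
    $healthy = true;
    foreach ($hooks as $hook) {
        $next    = wp_next_scheduled($hook);           // UTC timestamp or false
        $overdue = $next !== false && $next < $now - HOUR_IN_SECONDS;
        $report[$hook] = [
            'scheduled' => $next !== false,
            'next_run'  => $next ? gmdate('c', $next) : null,
            'overdue'   => $overdue,                    // more than an hour past due: cron is not running
        ];
        if ($next === false || $overdue) {
            $healthy = false;
        }
    }

    // Dashboard > Updates takes "Last checked" from the last_checked field of these transients.
    foreach (['update_core', 'update_plugins', 'update_themes'] as $transient) {
        $data = get_site_transient($transient);
        $last = (is_object($data) && !empty($data->last_checked)) ? (int) $data->last_checked : 0;
        $report[$transient . '_last_checked'] = $last ? gmdate('c', $last) : 'never';
        // The article's threshold: a month of silence points at WP-Cron, not at the plugins.
        $report[$transient . '_stale'] = $last < $now - 30 * DAY_IN_SECONDS;
    }

    $report['cron_healthy'] = $healthy;
    return $report;
}

if (defined('WP_CLI') && WP_CLI) {
    WP_CLI::line(json_encode(example_verify_update_cron(), JSON_PRETTY_PRINT));
}
```

A site with `cron_healthy` false and `wp_cron_disabled` true almost always has a system cron entry that was lost during a server move; a site with `cron_healthy` false and `wp_cron_disabled` false usually gets too little traffic to trigger WP-Cron, and the fix is a real cron job calling wp-cron.php.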

Tip: For critical sites a balanced approach is automatic staging - a tool like WP Stagecoach updates a staging copy first, runs smoke tests, and only then promotes to production. RankPlus offers a similar workflow for centrally managed updates.