WordPress 3.7 Ships with Auto-Updates. Don’t Use That! (Generally.)

WordPress people know a lot about WordPress updates, but all to often they need to know a lot more, to avoid a broken site.

For one thing, WordPress bloggers, with good intention, tend to tell us to always update asap, upon a core update being available. That can be bad advice leading to broken sites, as we casually hack ourselves, effectively, due to incompatibilities from unkempt plugins, old themes and the like.

The auto-updates function, rolled out in WP 3.7, will be terrific for casual bloggers with very few plugins and a basic theme, but beware everyone else of the potential for a broken site when opting for this feature.

I wrote something or other about this update business, BTW, and why ** it is not best advice to tell people to update the WordPress core, verbatim, ** without explaining the possible pitfalls and proper procedure. Hope that's handy, before you go and hack yourself with an incompatible update! …

For auto-updates, in addition to this welcome new function, what would be really cool would be:-

  • an option of a middle approach, too, allowing us to set how long after a core update to wait before updating. That would allow potentially incompatible plugins to be updated (hopefully!) so that the core update then goes without a hitch
  • a further option, whereby the admin can choose auto-updates to be committed (again however long after the update becomes available) ONLY depending on the kind of update it is

Regarding that latter point, for example, if WordPress has a snazzy new feature update, we could opt not to auto-update as those updates tend to be most likely to break a site. But if the update is security-related then, hey, maybe we'd want that to auto-update although, again, perhaps with a delay option.

You could take this update option feature even further, because as we know some security updates are critical (as was 3.6.1, confronting XSS vulnerabilities, for one thing) while most are relatively minor. (This is not to say they should not be addressed as a priority. Hardly.)

This all brings me back to one of my pet hopes: that Automattic separates out security fixes from any other updates, again to reduce (greatly) the number of post-updated, broken sites.

Verdict: if in doubt, be old-fashioned, don't use this (nonetheless important) feature. Instead always explore each and every WordPress update and, ideally, test it on your cloned development site before deploying it on your production site.


About the Author:

Olly Connelly (yeah, that's me) blogs at guvnr.com, polices WordPress security at wpCop.com and helps noobs build web servers at vpsBible.com, so if you've got sleeping problems you know where to come.


  1. edik  October 31, 2013

    WordPress puts security fixes AND bug fixes into the minor updates which are installed automatically. They do not affect the compatibility on the most cases. By default you have to install major updates manually. 😀

Add a Comment