WordPress auto-updates can be quite a divisive topic. When enabled, auto-updates can ensure that you get the latest updates as soon as they become available. This can help you mitigate certain risks, such as security holes, as fast as possible. Yet, untested updates can break your website – so what’s the deal? Should auto-updates be enabled or disabled? The answer is not so simple.
The case for enabling auto-updates
Outdated software remains one of the leading causes of WordPress security breaches. Practically all software comes with bugs – which is one of the reasons why developers release updates every now and again. Some of those bugs could very well be security vulnerabilities. While reputable developers will certainly test for vulnerabilities such as Cross-site Scripting before releasing software to the public, there are no guarantees that any software is ever free from security holes – including WordPress itself.
While auto-updates do not fix the issue, they can shorten the time it takes to install updates. With auto-updates enabled, once updates become available, WordPress will install them straight away. This ensures any security holes are patched as fast as possible, minimizing the time window in which an attacker can take advantage of security holes to breach your website.
The case for disabling auto-updates
While reputable software developers do test their software before releasing it to the public, it is virtually impossible for them to test it in all WordPress scenarios. WordPress is, by its very nature, highly customizable and can look and function in a million different ways. Since developers cannot test their updates in a way that accounts for each and every setup out there, in some cases, updates may not play nice, leading to website issues such as loss of functionality or visual impacts.
What does the data show?
We recently carried out a WordPress security survey, in which we asked participants about auto-updates and testing. The data shows that WordPress administrators and website owners are split right down the middle when it comes to auto-updates. In fact, 52% of all survey respondents said they have some form of auto-updates enabled, while 48% do not.
Breaking down the numbers
There is no rule that dictates you have to choose between auto-updates and testing of updates. In fact, out of all survey respondents who have auto-updates enabled, only 24% do not test updates.
* Always tests updates – 18%
* Never tests updates – 24%
* Only tests major updates – 20%
* Sometimes tests updates – 38%
Among administrators who have auto-updates enabled, the largest group (38%) sometimes tests updates, followed by those who never test updates (24%).
The breakdown for respondents who have auto-updates disabled is as follows:
* Always tests updates – 33%
* Never tests updates – 9%
* Only tests major updates – 32%
* Sometimes tests updates – 26%
Among administrators who have disabled auto-updates, the largest group (33%) always tests updates, followed closely by those who only test major updates (32%).
Making sense of the numbers
While a slight majority have auto-updates enabled, the absolute majority carry out some form of testing before rolling out updates to their live environment. With many hosting providers now offering staging environments with their WordPress packages, testing updates is easier than ever before.
The numbers do not show us whether any other processes or procedures are in place instead of auto-updates.
WordPress auto-updates – it’s not take it or leave it.
WordPress auto-updates are a very useful feature. However, their utility depends on how your website is set up and how you manage it. It’s also important to note that WordPress auto-updates can be enabled in different ways, helping you achieve a level of risk mitigation that you’re comfortable with.
In fact, WordPress allows for four different types of auto-updates: WordPress core, plugins, themes, and translation files. WordPress core updates are further split into three categories: core development, minor, and major updates. You are free to enable or disable WordPress auto-updates for any of these components.
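One way to set a selective policy over the components listed above, shown as an added example that is not code from the original article: a must-use plugin using WordPress's auto-update filters. The plugin slugs in the allowlist and the constant name are hypothetical placeholders; which components you automate is an assumption made for illustration.

```php
<?php
/**
 * Plugin Name: Selective auto-update policy (added example)
 * Place in wp-content/mu-plugins/ so it is always loaded and cannot be
 * deactivated from the admin screen.
 */

// Core: install minor (maintenance and security) releases automatically,
// hold major releases and development builds until tested on staging.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );
add_filter( 'allow_dev_auto_core_updates', '__return_false' );

// Translation files: unlikely to break functionality, keep automatic.
add_filter( 'auto_update_translation', '__return_true' );

// Themes: never automatic here, since a theme update can change the
// site's appearance. Test on staging first.
add_filter( 'auto_update_theme', '__return_false' );

// Plugins: automatic only for an explicit allowlist.
// These slugs are hypothetical; replace them with plugins whose updates
// you are comfortable installing untested.
const EXAMPLE_AUTO_UPDATE_PLUGINS = array(
    'example-security-plugin',
    'example-forms-plugin',
);

add_filter(
    'auto_update_plugin',
    function ( $update, $item ) {
        // $item describes the plugin with a pending update; slug is
        // its directory name. Anything without a slug is held back.
        if ( ! isset( $item->slug ) ) {
            return false;
        }
        // A fixed return value here takes precedence over the
        // per-plugin toggle on the Plugins admin screen.
        return in_array( $item->slug, EXAMPLE_AUTO_UPDATE_PLUGINS, true );
    },
    10,
    2
);
```

Everything this policy holds back still needs a manual update routine, otherwise the held-back components simply stay outdated.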
There is no rule that tells us whether we should enable automatic updates or whether we should test them. Both processes have merit. Which configuration you choose will largely depend on your setup and how you manage your WordPress website.
Either way, having a process in place is essential to improving the overall security of your websites. In most cases, a hybrid solution might be the sweet spot that balances WordPress security and hardening against the need to ensure nothing breaks – helping you maintain a healthy website that visitors and customers will continue visiting time and again.