WordPress automatic updates are one of those features that seem to have a simple answer. Turn them on and forget about it, right?
The reality is more nuanced. Auto-updates can be a genuine safety net for some sites and a real liability for others. The right setting depends on what kind of site you're running, what plugins you rely on, and whether anyone is actually monitoring things after an update runs.
We manage updates across roughly 200 WordPress sites at FatLab. That volume gives us a clear picture of when auto-updates help, when they create problems, and what approach actually works best for different situations.
What WordPress Auto-Updates Actually Cover
WordPress automatic updates are not a single on/off switch. There are four separate categories, each with its own risk profile.
Core minor releases (e.g., 6.7 to 6.7.1) have been auto-updated by default since WordPress 3.7 in 2013. These are security patches and bug fixes only. No new features, no interface changes. They have an excellent track record and rarely cause issues.
Core major releases (example: 6.7 to 6.8) are disabled for auto-updates on most existing installations. Since WordPress 5.6, new installations opt into major core auto-updates by default, but existing sites keep their previous setting. Major releases introduce new features and API changes that can affect plugin compatibility.
Plugin updates are disabled by default. WordPress 5.5 introduced per-plugin toggles that let you selectively auto-update plugins -- choosing which ones update automatically and which wait for manual action.
Theme updates follow the same pattern as plugins. Disabled by default, with individual toggles available since WordPress 5.5.
The important takeaway: you do not have to treat auto-updates as all-or-nothing. You can auto-update security patches while keeping everything else under manual control. Most people don't realize they have that flexibility.
The Case for Turning Auto-Updates On
Auto-updates solve a real problem. WordPress vulnerabilities get exploited fast.
In early 2025, research from Patchstack showed that half of all critical WordPress flaws were exploited within 24 hours of disclosure. Leaving a known vulnerability unpatched for even a few days creates genuine risk.
For sites without active management, auto-updates are almost always the right choice. The alternative is typically no updates at all.
We have seen sites come to us running plugins that haven't been updated in over a year. Every week of deferred updates is another batch of security patches left unapplied, and that accumulates quickly.
If you manage your own WordPress site, don't have a maintenance provider, and don't have a reliable weekly update routine, the smart move is to enable automatic updates with a solid backup solution. That combination is better than the status quo for most people.
"Updates usually go very smoothly. They are not something to be scared of. But over many years, it is relatively common to have a few instances where an update breaks your site. That is the edge case you need to plan for."
The point is not to fear updates. It is to have a plan for the small percentage of cases where something goes wrong, because over time, those cases are close to inevitable. Our guide on how to update WordPress safely covers that plan step by step.
When to Disable WordPress Auto-Updates
The risk with auto-updates is not the updates themselves. It is that they run without anyone watching.
Plugin updates are where most breakage occurs. A plugin author tests their update against their own environment, not against the thousands of possible plugin combinations on any given site. When a plugin update conflicts with your theme, another plugin, or a custom integration, the result can range from a broken layout to a completely unresponsive site.
WordPress 6.6 introduced automatic rollback for plugin updates that trigger PHP fatal errors. That sounds reassuring, but it only catches one category of failure.
The rollback system does not detect broken layouts, JavaScript errors, form submission failures, WooCommerce checkout problems, or performance degradation. It checks only the front page of your site. If the issue shows up on an interior page or in your admin dashboard, the rollback will not trigger.
The timing creates additional risk. Auto-updates run via WordPress cron, which fires roughly every 12 hours. An update could deploy at 2 a.m. on a Saturday, and if something breaks, nobody notices until Monday morning. For a revenue-generating site or membership platform, that is a serious exposure window.
When multiple plugins auto-update at the same time, diagnosing the problem gets harder. If three plugins are updated overnight and the site is broken in the morning, you have to test each one individually to find the culprit. That is the same "Update All" problem we tell clients to avoid, just happening on autopilot.
"Update All is like crossing a road blind. You might make it, but you probably won't."
We have seen this play out in costly ways. One client, a professional industry association using WP Membership Pro, had built an entire collection of add-ons around their membership plugin: geolocation, directory search, multiple subscription levels, and expiration management.
The night before a major communication to thousands of members, an employee who was not aware of the update strategy saw the high pending update count and hit Update All.
The result was catastrophic. The core membership plugin jumped several major versions, the commercial theme was updated after years of neglect, and the entire system became incompatible with itself. A full backup restore was required, the campaign had to be delayed, and a day's worth of preparation work was lost.
What WordPress 6.6 Rollback Actually Catches
To understand why auto-updates carry more risk than they appear to, it helps to look at what the built-in rollback system actually monitors and what it misses.
| Failure Type | Detected by Rollback? | Notes |
|---|---|---|
| PHP fatal error (front page) | Yes | Only checks front page loopback |
| Broken page layout | No | No visual comparison |
| JavaScript errors | No | Not monitored |
| Broken checkout/forms | No | Only checks front page |
| Admin dashboard errors | No | Only checks public site |
| Performance degradation | No | No speed comparison |
| Database schema issues | No | Files only, not database |
The rollback feature is a step forward, but it covers a narrow slice of what can go wrong. Most of the failures we see in practice, broken layouts, JavaScript conflicts, and checkout disruptions, fall outside its detection capability.
The Middle Path Most Sites Should Consider
For most WordPress sites, the best approach is selective. Auto-update the low-risk items. Keep manual control over everything else.
Auto-update these:
- Core minor and security releases (this is the default, and you should leave it alone)
- Simple, low-risk plugins like Akismet, Classic Editor, or Redirection
- Security-focused plugins like Wordfence, where patching speed matters
- Translation files
Keep manual control over these:
- Core major releases
- Page builders (Elementor, Divi, WPBakery)
- E-commerce plugins (WooCommerce and its extensions)
- Membership and subscription plugins
- Your active theme, especially if you use a child theme or custom CSS
- Any plugin that alters your database during updates
The distinction comes down to impact. An anti-spam plugin that requires a rollback is inconvenient. A page builder update that breaks your entire site layout is a crisis. A WooCommerce update that disrupts checkout is lost revenue.
If a plugin significantly affects the user experience or the user interface, it warrants greater caution. That is the simplest framework we can offer.
Plugin Auto-Update Risk by Category
To make this more concrete, here is how we classify plugin types by auto-update risk based on what we have seen across our client base.
| Plugin Type | Risk Level | Examples | Auto-Update Recommendation |
|---|---|---|---|
| Anti-spam, Utilities | Low | Akismet, Classic Editor, Redirection | Safe to auto-update |
| Form Builders | Medium | Gravity Forms, Contact Form 7, Ninja Forms | Can auto-update with monitoring |
| Page Builders | High | Elementor, Divi, WPBakery | Manual updates only |
| E-commerce | High | WooCommerce, Easy Digital Downloads | Manual updates only, test first |
| Membership/RSVP | Critical | MemberPress, WP Membership Pro, Event Espresso | Manual updates only, staging required |
The critical-risk category deserves extra emphasis. Membership and e-commerce plugins do not just change files during an update. They alter your database.
If something goes wrong and you need to roll back, replacing the plugin files alone will not fix the problem because the database is now out of sync. Recovery becomes much harder and often requires a full backup restore.
How Professional Maintenance Changes the Equation
For sites with managed hosting and maintenance services, auto-updates become a different conversation entirely.
At FatLab, we use an automated system called SafeUpdates. It runs updates weekly for all themes, plugins, and core. It also triggers updates outside the regular schedule when critical vulnerabilities are patched.
The system spins up a virtual server, copies the site over, applies updates to the staging environment, and runs automated tests: error log checks and visual regression tests that compare key pages against the production site. If everything checks out, updates go to production automatically. If something fails, our DevOps team gets a notice to investigate manually.
That system makes WordPress's built-in auto-update feature almost irrelevant for our clients. We disable WordPress auto-updates entirely because they operate outside of SafeUpdates.
There is nothing worse than an automatic update running overnight, outside any monitoring or testing system, and coming into your office the next morning to find your website is down. For clients with managed hosting, turn auto-updates off and rely on your support team's systems instead.
The key difference is what happens after an update runs. WordPress auto-updates apply changes and hope for the best. A managed system applies changes, verifies the result, and rolls back if anything looks wrong.
That verification step is what separates professional update management from the built-in WordPress automatic updates approach.
Frequently Asked Questions
Are WordPress automatic updates safe for plugins?
It depends on the plugin. Low-risk plugins like Akismet, Classic Editor, and Redirection have an excellent track record with auto-updates. High-risk plugins, particularly page builders, e-commerce tools, and membership systems, are a different story. These plugins interact deeply with your site's layout, database, and checkout flows, so an unmonitored update that introduces a conflict can cause real damage. The safest approach is selective: auto-update the simple stuff and keep manual control over anything that significantly affects your site's functionality.
What happens if a WordPress auto-update breaks my site?
WordPress 6.6 introduced automatic rollback for plugin updates that cause a PHP fatal error on the front page. But that only catches one narrow category of failure. Broken layouts, JavaScript errors, form failures, checkout problems, and admin dashboard issues will not trigger a rollback. If an auto-update breaks your site overnight, you may not discover the problem until the next morning, and if multiple plugins updated simultaneously, isolating the cause requires testing each one individually. Having a verified, restorable backup is essential if you rely on auto-updates.
Should I enable auto-updates for all WordPress plugins?
No. The per-plugin toggle introduced in WordPress 5.5 exists for a reason. Enable auto-updates for plugins with a low chance of causing conflicts, like utility plugins and simple tools. Keep auto-updates disabled for anything that alters your database during updates, controls your site's visual layout, or handles transactions. The goal is to get the security benefit of fast patching on low-risk items without exposing your site to unmonitored breakage from complex plugins.
Do I need WordPress auto-updates if I have a maintenance provider?
If your maintenance provider runs a managed update system with staging and testing, you should typically disable WordPress's built-in auto-updates entirely. Built-in auto-updates run outside your provider's system, which means updates can deploy without the staging tests, visual regression checks, and monitoring that a managed process provides. Two update systems running independently creates more risk than either one alone.
How do I disable WordPress automatic updates for specific plugins?
In your WordPress dashboard, go to Plugins and look for the "Enable auto-updates" link next to each plugin. Clicking it toggles auto-updates on or off for that individual plugin. You can also control core major release auto-updates under Dashboard, Updates. For more granular control, including disabling auto-updates for themes or overriding defaults, many managed hosting providers offer their own controls in the hosting dashboard.
Should You Enable WordPress Auto-Updates?
The decision comes down to three questions:
Is anyone monitoring your site after updates run? If not, auto-updates with a reliable backup system are your best option. An updated site with occasional breakage is still safer than an outdated site with known vulnerabilities.
How complex is your plugin stack? A brochure site with five well-maintained plugins is a good candidate for auto-updates. A site running WooCommerce, a membership plugin, a page builder, and 15 other plugins has too many potential points of conflict for unmonitored updates. These sites benefit from a structured weekly update schedule instead.
What is the cost of downtime? If your site going down for a few hours on a weekend is an inconvenience, auto-updates are probably fine. If it means lost sales, missed donations, or members unable to access services, you need a more controlled approach.
Auto-Update Decision Matrix
If you are still unsure, this matrix maps the recommendation to your specific situation.
| Site Type | Monitoring Level | Recommendation |
|---|---|---|
| Brochure site | Email only | Enable selective auto-updates (core minor, low-risk plugins) |
| Brochure site | Professional managed | Disable auto-updates, rely on provider |
| Multi-plugin site | Email only | Core minor auto-updates only, manual for plugins |
| E-commerce | Any | Disable auto-updates, manual with staging |
| Membership/Complex | Any | Disable auto-updates, professional management |
The pattern is clear: the more complex and revenue-critical your site is, the less you should rely on unmonitored WordPress automatic updates.
For most small-to-medium organizations, the honest assessment is that WordPress updates need consistent, knowledgeable attention every week. Whether that comes from an internal team member who takes it seriously or from a managed maintenance provider, the important thing is that someone is responsible and that updates don't pile up.
The worst outcome is not choosing the wrong auto-update setting. It's having no update strategy at all and letting months of patches accumulate until someone panics and hits "Update All" at the worst possible moment.
If you are not confident in your current update process, or if updates have been deferred longer than you are comfortable with, that is a good time to talk with a maintenance provider about getting your site on a sustainable schedule.