hosting-handbook
Security page changes (2): Replacing Automatic updates
We always talk and explain that the main thing in WordPress is "update, update and update", but there isn't an explicit explanation for hosters on how WordPress can be managed that way. So,
PROPOSAL:
Automatic updates
WordPress, by default, incorporates a system of automatic updates, but it is a minimum meant to avoid major disasters, and over time it ceases to be effective.
WordPress Core
There are 3 options when it comes to automatically upgrading or not upgrading the WordPress core: no upgrade, upgrade only minor versions, or upgrade everything, even major versions. It is recommended that you at least upgrade to the smaller versions, which is what the system does by default. This means that if you have version 5.0.1, it will automatically upgrade to 5.0.2, and then to 5.0.3, but it will not upgrade to 5.1.
To configure these automatic updates, it is best to add a series of codes in the configuration file of wp-config.php.
100% automatic core update
You have to add in the file wp-config.php the following line:
```php
define('WP_AUTO_UPDATE_CORE', true);
```
Core update for minor versions only (recommended)
You have to add in the file wp-config.php the following line. When there are major updates you should update it by hand.
```php
define('WP_AUTO_UPDATE_CORE', 'minor');
```
Disable automatic updates
You have to add in the file wp-config.php the following line. Unless you do very intensive maintenance, this option is not recommended.
```php
define('WP_AUTO_UPDATE_CORE', false);
```
Plugins, themes and translations
The decision to have plugins, themes and translations done automatically is not trivial and requires important decision making. The main problem you may encounter is that, due to these automatic updates, the site may stop working.
In case you want to set everything up automatically, you can do it through a must-use plugin (we recommend this). These plugins, unlike a normal plugin, will always run in WordPress and cannot be disabled from the admin panel.
The content of the Plugin would be as follows:
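```php
<?php
// Must-use plugin: refuse direct access when the file is not loaded by WordPress.
defined('ABSPATH') or die('Bye bye!');
// Enable automatic updates for core, plugins, themes and translations.
add_filter('auto_update_core', '__return_true');
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');
add_filter('auto_update_translation', '__return_true');
// Send the notification e-mail after a core auto-update.
add_filter('auto_core_update_send_email', '__return_true');
```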
From WordPress version 5.5 onwards, a system is included that allows you to decide which Plugins and Themes you want to update automatically so that the update work is much lighter and you don't have to resort to the custom Plugin system.
Disabling all updates
In case you want to perform the updates manually or with other different systems, as could be the WP-CLI, and even if you have an installation that for some reason you cannot or should not update, you can include in the wp-config.php a line that will prevent the updates that are not done by alternative methods.
```php
define('AUTOMATIC_UPDATER_DISABLED', true);
```
We may explain (now or in a couple of months) the new Automatic Updates (or link on how this will work).
#15
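A host-side audit of the two `wp-config.php` constants from the proposal above, as an added example that is not part of the original issue or of WordPress itself. The function names, the policy labels and `SAMPLE_CONFIG` are assumptions made for illustration; the minor-only default follows what the proposal states.

```python
import re

# String literals are matched first and kept, so comment markers inside a
# value (salts, URLs) do not hide or swallow later define() lines.
_TOKEN = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|/\*.*?\*/|//[^\n]*|#[^\n]*""", re.S)
_DEFINE = re.compile(
    r"""define\s*\(\s*(['"])(?P<name>\w+)\1\s*,\s*(?P<value>[^)]*?)\s*\)\s*;""")

def read_constants(php_source):
    """Return {name: value} for define() calls outside PHP comments."""
    code = _TOKEN.sub(lambda m: m.group(1) or "", php_source)
    found = {}
    for m in _DEFINE.finditer(code):
        raw = m.group("value").strip()
        if raw.lower() in ("true", "false"):
            value = raw.lower() == "true"
        else:
            value = raw.strip("'\"")
        # PHP keeps the first define(); a repeated one is ignored with a warning.
        found.setdefault(m.group("name"), value)
    return found

def core_update_policy(php_source):
    """Classify the core auto-update policy (labels are hypothetical)."""
    consts = read_constants(php_source)
    if consts.get("AUTOMATIC_UPDATER_DISABLED") is True:
        return "updater-disabled"
    # Per the proposal, minor-only is what WordPress does when nothing is set.
    value = consts.get("WP_AUTO_UPDATE_CORE", "minor")
    if value is True:
        return "all"
    if value is False:
        return "core-disabled"
    return "minor" if value == "minor" else "unrecognized"

# Constructed sample: a salt containing comment markers, plus commented-out
# defines that a plain text search would wrongly count as active.
SAMPLE_CONFIG = """<?php
define('AUTH_KEY', 'k/*9#x//y');  // constructed value
// define('WP_AUTO_UPDATE_CORE', true);
/* define('AUTOMATIC_UPDATER_DISABLED', true); */
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
"""

if __name__ == "__main__":
    print(core_update_policy(SAMPLE_CONFIG))
```

A result of `updater-disabled`, `core-disabled` or `unrecognized` marks a site whose patching depends on an external routine and is worth confirming against that routine's schedule.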
We should also have a recommendation on how to disable the notice of the health check if the hosts decide to disable the automated updates because they have their own routines
Plugins like https://wordpress.org/plugins/tags/update-control/, Jetpack or something proprietary are used for update management by some managed hosting companies. Probably these should not add the WP_AUTO_UPDATE_CORE static at all in wp-config.php as it will interfere with the inner workings of these plugins. I know some of them disable things like the health check completely.
Maybe we should check this with the Site Health Team to get their approach and then add that to the documentation.
Plugins like https://wordpress.org/plugins/tags/update-control/, Jetpack or something proprietary are used for update management by some managed hosting companies. Probably these should not add the WP_AUTO_UPDATE_CORE static at all in wp-config.php as it will interfere with the inner workings of these plugins. I know some of them disable things like the health check completely.
Moved to: https://github.com/WordPress/Advanced-administration-handbook/issues/154