WordPress Automatic Core Updates: Is Your Site Compatible?

Since WordPress 3.7 shipped and installations around the world began updating in the background to 3.7.1, the mild panic over automatic updates still hasn’t subsided.

This is despite lead developer Andrew Nacin’s attempts to assure everyone that background updates are “incredibly, incredibly safe”. Auto-updates was no doubt the release’s most thoroughly tested feature.

Also, WordPress 3.7 has been downloaded more than 1.7 million times… and is yet to break the internet.

The concern is that background updates site owners don’t test could break a site’s compatibility with certain plugins or themes.

Nacin addressed this issue in a comment at WPTavern, pointing out it’s important to keep in mind that minor releases of WordPress are fairly infrequent and usually security related:

In practice, minor releases are rare. The .1 release will always be needed to fix some bugs. Pretty much all others are security releases. Sometimes, the .1 also contains security fixes. A .2+ release is only going to happen for security reasons if there is a serious regression that somehow wasn’t discovered before the .1 release (which implies it probably wasn’t that serious).

Generally, then: .1 is a minor release with serious bug fixes. .2 is a security release and/or a critical regression fix. If you’re on 3.7, you’re going to want a regression from 3.6 fixed on your site. There’s really no reason to decline either of those releases. No, there is no differentiating in terms of how we version them, and we don’t plan to do so.

Finally: We have the ability to push out a minor release without having it auto-updated. We also have the ability to slowly roll out auto-update instructions. Essentially: We have a lot of tools at our disposal to ensure your site is getting exactly the fixes it needs. For more on this, read the definitive guide I wrote. I also talk about how this might mean more frequent minor releases, but that might just mean that .1 might be less of an omnibus release four to six weeks later, and is instead only a week or two later with a few important bug fixes.

Nacin has written a great in-depth and definitive post at Make WordPress Core on how to disable auto-updates, which should allay some fears about automatic updates.

Why Isn’t There an On/Off Switch for Auto-Updates?

Many users have questioned why there isn’t a UI solution for turning off automatic updates.

Nacin’s answered this in the comments to his disabling automatic updates post:

For the betterment of the web, we made a conscious decision to avoid a UI option. You’d be out of your mind to consciously avoid updating to fix a critical bug or security issue. We think the vast majority of users (many who don’t even know what PHP is) will celebrate this as a win in usability and security. – Andrew Nacin

The fact is, developers and advanced WordPress users can easily turn off automatic updates whenever they want. Novice users who are unfamiliar with site security are better off not having the option to switch off background updates, hence the decision not to have an off switch in the WordPress UI.

Is Your WordPress Install Compatible With Auto-Updates?

Nacin and core contributor Dion Hulse have released Background Update Tester, which allows you to check whether automatic core updates will work with your WordPress install.

Most sites are able to update automatically in the background. This plugin checks if there are any compatibility issues and explains any problems.

To use the plugin, go to Dashboard > Update Tester. If you’re using Multisite, go to Updates > Update Tester in the network admin.

I tested the plugin on a fresh install of WordPress and passed with flying colors.

Background Updater Tester
The Background Update Tester plugin allows you to check your WordPress install is compatible with automatic core updates.

Then I updated my wp-config.php file to turn off auto-updates. It’s easy enough to do (I covered it in How to Turn Off Automatic Updates in WordPress 3.7). Just add the following line of code:

1
define( 'AUTOMATIC_UPDATER_DISABLED', true );

I checked Background Update Tester again and got this:

Background Update Tester
And this is what happens when you turn off automatic updates…

Nacin emphasised this plugin is an “early rough cut”. He said in a future version he wanted to add the ability to send a test email to check that your install can email you.

Have you had any issues with automatic updates? Or do you think all the fuss is much ado about nothing? Tell us in the comments below?

Comments (11)

  1. 3.7 upgrades have gone very well so far. I a little confused about the auto updates though. I’ve left the sites to get the minor version, but all I’m seeing is a prompt to install it myself. It’s not happening automatically. At least not yet.

    I ran the plugin to text for compatibility and it said I was good to go, but no joy. It hasn’t run itself yet.

    Am I missing something?

  2. I have WP 3.7 installed on my sites. I then installed the Background Update Tester and there were no problems indicated. So all looked fine. Then with the release of WP 3.7.1, the update is still sitting there waiting for me to run the update. But I’m not, since I’m expecting it to auto upgrade to 3.7.1 (but it doesn’t seem to be updating on it’s own).

    I have not modified my wp-config.php to enter anything that would be blocking it, and it passes the checks in the Background Update Tester.

    I am running Infinite WP (which I typically use to update plugins, WP core and themes). So I also see in IWP that the upgrade is available to be done, but I’m holding off .. hoping it will automatically update.

    Any thoughts as to what could be the problem?

    Gary

  3. Anytime someone says “It’s for the good of … ” , that is the time to be very, very afraid.

    For someone to intentionally make it tricky to turn off automatic updates to YOUR website is wrong. And to say that it is for security updates is absurd since the very nature of automatic access for security reasons is an oxymoron.

    There is no reason to trust anyone, especially an unseen amorphous entity like WP, with automatic access to YOUR website.

  4. 24 hours later and 3.7.1 still hasn’t auto-updated. It just asks me to update, as it always has.

    This is not giving me much confidence in the whole process. Worse, I’ve already spoken to a number of clients about this and they chose to allow the auto-updates. That would be great if they actually worked.

    I’ve commented on several threads, including on WordPress’s Facebook page. I get no response. Very discouraging.

  5. I’m with bendelaney … there should be a choice which doesn’t involve editing code. One of the reasons I use WordPress to build sites is because I’m not a coder.
    There is danger with any change, and it doesn’t matter how thoroughly Andrew Nacin says it’s been tested, you can bet they haven’t tested it with all the combinations of themes & plugins on the sites I have to keep running for clients.
    Until WordPress add an automatic backup to the core which runs just BEFORE the update, they should allow us to turn it off and be notified so we can create the backup ourselves.
    I’ve had 30 years in corporate IT, eventually making IT Director – I’d have been shot if I allowed ANY update to be made to a live system without having a roll-back process and/or tested backups in place first.

  6. If the final choice about when and how to update WordPress lies with WordPress and Andrew Nacin rather than with the WordPress user, then the WordPress user exists to serve WordPress and Andrew Nacin, not vice versa.

    The arguments about security are simply empty and specious. WordPress and Andrew Nacin are offering no guarantees nor any liability for any damages to any WordPress-using site from any cause with respect to either their basic coding or specifically the automatic updating. If a WordPress site is hacked, with or without security updates, WordPress will do nothing for it. If a WordPress site breaks, with or without automatic updates, WordPress will do nothing for it.

    Moreover, because it is automatic, scheduled solely according to the needs of WordPress and Andrew Nacin – not according to the needs of the WordPress user – the hardwired automatic update feature specifically prevents a WordPress user from making a backup of his site prior to updating.

    Anything other than a straightforward user choice as to how and when to update his WordPress site, again, treats users as little more than useful living extensions of the software itself, useful for deploying, testing, expanding market share for, and advertising the software for its developers and marketers, but ultimately not as clients to be served as ends themselves.

    Sadly, this sort of naive, childlike arrogance is becoming far too common a norm across too many enterprises today.

Participate