Since WordPress 3.7 shipped and installations around the world began updating in the background to 3.7.1, the mild panic over automatic updates still hasn’t subsided.
Get a free WPMU DEV plugin, plus free weekly tips and resources for using WordPress.
This is despite lead developer Andrew Nacin’s attempts to assure everyone that background updates are “incredibly, incredibly safe”. Auto-updates was no doubt the release’s most thoroughly tested feature.
We ended the WordPress 3.7 beta cycle with 112,434 automatic background updates attempted and not a single critical failure.
— Andrew Nacin (@nacin) October 25, 2013
Also, WordPress 3.7 has been downloaded more than 1.7 million times… and is yet to break the internet.
The concern is that background updates site owners don’t test could break a site’s compatibility with certain plugins or themes.
Nacin addressed this issue in a comment at WPTavern, pointing out it’s important to keep in mind that minor releases of WordPress are fairly infrequent and usually security related:
In practice, minor releases are rare. The .1 release will always be needed to fix some bugs. Pretty much all others are security releases. Sometimes, the .1 also contains security fixes. A .2+ release is only going to happen for security reasons if there is a serious regression that somehow wasn’t discovered before the .1 release (which implies it probably wasn’t that serious).
Generally, then: .1 is a minor release with serious bug fixes. .2 is a security release and/or a critical regression fix. If you’re on 3.7, you’re going to want a regression from 3.6 fixed on your site. There’s really no reason to decline either of those releases. No, there is no differentiating in terms of how we version them, and we don’t plan to do so.
Finally: We have the ability to push out a minor release without having it auto-updated. We also have the ability to slowly roll out auto-update instructions. Essentially: We have a lot of tools at our disposal to ensure your site is getting exactly the fixes it needs. For more on this, read the definitive guide I wrote. I also talk about how this might mean more frequent minor releases, but that might just mean that .1 might be less of an omnibus release four to six weeks later, and is instead only a week or two later with a few important bug fixes.
Nacin has written a great in-depth and definitive post at Make WordPress Core on how to disable auto-updates, which should allay some fears about automatic updates.
Why Isn’t There an On/Off Switch for Auto-Updates?
Many users have questioned why there isn’t a UI solution for turning off automatic updates.
Nacin’s answered this in the comments to his disabling automatic updates post:
For the betterment of the web, we made a conscious decision to avoid a UI option. You’d be out of your mind to consciously avoid updating to fix a critical bug or security issue. We think the vast majority of users (many who don’t even know what PHP is) will celebrate this as a win in usability and security. – Andrew Nacin
The fact is, developers and advanced WordPress users can easily turn off automatic updates whenever they want. Novice users who are unfamiliar with site security are better off not having the option to switch off background updates, hence the decision not to have an off switch in the WordPress UI.
Is Your WordPress Install Compatible With Auto-Updates?
Nacin and core contributor Dion Hulse have released Background Update Tester, which allows you to check whether automatic core updates will work with your WordPress install.
Most sites are able to update automatically in the background. This plugin checks if there are any compatibility issues and explains any problems.
To use the plugin, go to Dashboard > Update Tester. If you’re using Multisite, go to Updates > Update Tester in the network admin.
I tested the plugin on a fresh install of WordPress and passed with flying colors.
Then I updated my wp-config.php file to turn off auto-updates. It’s easy enough to do (I covered it in How to Turn Off Automatic Updates in WordPress 3.7). Just add the following line of code:
define( 'AUTOMATIC_UPDATER_DISABLED', true );
I checked Background Update Tester again and got this:
Nacin emphasised this plugin is an “early rough cut”. He said in a future version he wanted to add the ability to send a test email to check that your install can email you.
Have you had any issues with automatic updates? Or do you think all the fuss is much ado about nothing? Tell us in the comments below?