Automatic Updates in WordPress - should they be enabled?

The software WordPress, written in PHP, has been the undisputed market leader among all Content Management Systems (CMS) since at least 2010 - only from 2005 did Joomla manage to take over this position for a few years. The portal w3techs.com, specialised in monitoring and analysing the internet, currently identifies a share of over 40 percent (as of October 2021) among the ten million most popular websites in the world and around two-thirds of all shopping systems and CMSs used. Therefore, it is a significant question whether it is sensible and advisable to enable automatic updates for WordPress - as this results in direct consequences for a multitude of private, commercial, and public websites.

Contents:

How often does WordPress release updates?
What impact do updates have on the CMS?
How do automatic updates work in WordPress?
What are the advantages of automatic updates over manual ones?
Should automatic updates be enabled in WordPress?

How often does WordPress release updates?

Compared to other CMSs like Joomla or Typo3, WordPress releases its updates at a relatively short interval - typically about three times a year, with significant version leaps involving a comprehensive redesign or optimization of the code appearing relatively rarely every four to five years. This concept differs from many other providers who opt for longer development times and extensive changes, but it offers some concrete advantages:

• Numerous minor changes reduce the risk of incompatibility
• Rapid response to critical security vulnerabilities or bugs possible
• Continuous development in short intervals
• Widespread adoption enables rapid development and focus on weaknesses
• Closely integrated communication between developers and users
• Extensive control over workflows and individual team responsibilities
• Concentration of resources such as manpower and time on significant points
• Early implementation of new features for users and external programmers

On the other hand, there is a risk that these updates may not be applied or implemented promptly. However, WordPress addresses this risk by supporting all existing versions over a very long period, sometimes up to ten years. This entails practical extra effort in development and poses a challenge for the team behind WordPress - but due to its popularity and extremely large community, numerous initiatives and support from external programmers also emerge.

What impact do updates have on the CMS?

Prior to releasing an update, it undergoes extensive testing in various environments and thorough evaluation. Due to the short cycles and focus on minor changes, individual WordPress updates often bring about specific effects, such as improving performance, addressing potential vulnerabilities, or introducing new features and graphical user interfaces. However, they do not impose significant changes on users in a larger scale, allowing for better adaptation to the introduced options through gradual change.

Furthermore, the relatively low number of changes significantly reduces the effort required to identify the source of a problem or incompatibility. This quick pinpointing also accelerates the development cycle for users, as it allows a focus on the essentials. To further facilitate usage, WordPress also largely supports automatic updates - this applies to both the core system and a variety of available plugins. Of course, the responsibility lies with the external developer to implement these and make them available to their users.

Although individual advancements in WordPress tend to be rather "small", they can still bring about fundamental changes to a running system. In this context, it is important to distinguish between simple updates that occur within a version and only affect certain parts, and the so-called version jumps such as from 4.0 "Benny" in 2014 to 5.0 "Bebo" in December 2018. These jumps signify a more comprehensive intervention and therefore pose an increased risk of technical difficulties arising or the update proving to be incompatible with individual extensions like templates or plugins.

How do automatic updates work in WordPress?

The function for automatic updates for plugins and themes was only introduced by WordPress with the release of version "Eckstine" in August 2020, catering to the needs of primarily private users who do not actively manage and update their website in their daily lives, yet aim for quick closure of security vulnerabilities and optimal performance. It operates similarly to the pre-existing option for manual updates, but contacts the addresses provided by the developers and regularly checks if a new version has been published. If it finds one, an automated process for its installation begins, aiming to minimise the risk of malfunction during the transition and enable a timely, unattended update. This process involves several steps carried out sequentially:

• Checking for new versions on the servers specified by the developers
• Comparing the installed version with the available one in terms of version and status (e.g. stable or experimental)
• Downloading a compressed package with the new version in Zip or Gzip format
• Installation using the manual update routines integrated in WordPress
• Automatically responding to confirmations or queries with predefined standards or settings
• Optional: Notifying the administrator of automatic updates via email or SMS

In most cases, such an update runs smoothly in the background without requiring manual intervention. However, especially with version jumps, problems can occur in exceptional cases, for instance when information like directory paths is missing and cannot be automatically determined, or when plugins and themes prove to be incompatible with the installed system.

What are the advantages of automatic updates over manual updates?

Essentially, there is actually no difference whether updates are applied automatically or manually, because their effects naturally do not differ based on the method. However, there are some aspects to consider in order to choose the ideal process and minimize the risk of technical difficulties while ensuring maximum security, stability, and performance. Specifically, the following points speak for or against automatic updates:

Advantages:

• Rapid updating of WordPress, plug-ins, and themes
• Immediate application of updates for improved performance, functionality, or security
• No manual checking for updates required
• Consistently up-to-date system without additional time or effort
• Integrated control of access rights, users, and groups
• Logging of actions in the respective log files

However, there are also some potential conflicts and difficulties that should be considered before allowing automatic updates in general:

• Automatic updates can overwrite customised code
• No explicit control over settings, for example with new permissions
• Responses to queries are predetermined by developers
• Incompatibility between the system and components such as plug-ins or themes is possible
• Errors and limited functionality with extensions and their integration

In principle, it should be noted that technical issues resulting from updates are a rare exception and only occur in a small fraction of all installations. However, due to the multitude of possible combinations of WordPress, templates, themes, and plug-ins, they can never be completely ruled out. The problem in this context is that they can have significant impacts on the accessibility, appearance, or security of a website.

Should automatic updates be enabled in WordPress?

When deciding whether to enable automatic updates for WordPress, various factors need to be considered. One of the most important factors is the nature of the website - for example, while a temporary outage may not have serious consequences for a personal blog or a personal presentation, it could lead to significant loss of revenue or trust for a commercial online presence. Therefore, for such productive systems, it is generally advisable to first test all updates in an experimental environment to ensure complete compatibility and functionality in the live environment. This could involve using an identical base system of WordPress with the corresponding plugins and settings on a virtual server where no critical security or privacy-related data is stored. A simple approach is to enable automatic updates on this test environment and only apply them manually to the productive system after a thorough review. Specialised WordPress hosting often provides this option.

For websites with private content or those solely serving the purpose of informing visitors without any commercial interests, there is little reason not to activate automatic updates for WordPress. In such cases, it often has a positive impact on security as these sites are not regularly maintained and may contain publicly disclosed vulnerabilities or security issues in older versions. Therefore, due to the limited potential damage from malfunctions - typically resulting in an error code like HTTP Error 500 Internal Server Error - it is advisable to allow automatic updates in these scenarios.

Photo: Werner Moser on Pixabay