The vast majority of hacked WordPress sites were compromised due to outdated plugins, themes, or WP core. I need to keep my site updated. But should I update manually, or automatically? If I choose automatic, updates will be more timely but there is always a small chance that an update will break something. If I update manually, I can make a full site backup first, and restore if anything breaks – but I am at more risk of a hack occurring in between my manual updates.
I had always kept my WP, themes, and plugins up to date manually, as a item on my monthly maintenance checklist. After the WP REST API exploit debacle, I decided to switch to automatic updating. I now auto-update everything – major and minor core releases as well as plugins and themes. I am choosing better hack protection over oops-the-update-broke-my-site risk.
// Automate updates for WordPress core
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );
// Automate updates for themes and plugins
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
I have to keep in mind that ‘automatic’ does not mean instantaneous. PHP is not a continuously running process, something like a page load has to trigger it. And since my pages are globally cached for blazing site speed, I can never be sure when a trigger will happen. In practice though, even my low-traffic sites are staying updated much more timely than with my previous manual method.
Update: Explicitly setting automatic updates for minor core releases (i.e. maintenance and security releases) may seem redundant. This is default behavior since WP 3.7. However, WP 4.3 broke this feature, and most sites that were upgraded to 4.3 could not auto-update to 4.4. With the explicit setting in my custom plugin, my sites auto-updated to WP 4.4 just fine. Sometimes redundancy can be a good thing.