After hearing about a wave of site compromises at the university where I work and noticing that many of them were test sites, I started looking at the automatic core and plugin update features in WordPress. 

Just to see what would happen, I just spent the last two months of letting WordPress take care of itself on my blog and (spoiler alert!) nothing bad happened.

If the thought of letting everything automatically upgrade makes you cringe, here’s what I learned after I stopped clicking the ‘update now’ button.

What’s the Worst That Can Happen?

The White Screen of Death will take over every site because the database is corrupted or some developer was careless and I’ll end up jobless and homeless under I-75 and eventually die of shame.

Yes, that was oddly specific. Considering that so many plugin and theme authors are offering quality work for free or next to nothing and it may run on millions of sites, I probably shouldn’t be too harsh.

This fear isn’t completely irrational, so I’d like to dedicate this section to the following:

• The WordPress 4.2.3 security release that changed the way shortcodes worked, proving that even point releases could possibly introduce breaking changes.
• The plugin developer who renamed the plugin’s main file, which deactivated it on every site on the network.
• The premium plugin that created a world-writeable (777) folder.

Maybe it was because I was fresh from one of my employer’s touchy-feely soft-skills workshops that my boss forced empowered me to take, I started to ask myself “What’s the real issue?” whenever I found myself hesitating or wanting to delay certain updates, even though I know very well that out-of-date plugins and themes have been the source of countless hacks.

How to Turn on Automatic Updates

If you’re reading this, you’re probably a grownup and you don’t need anyone to hold your hand or give you a back massage while you RTFM. Here you go, you WordPress diva:

• Configuring Automatic Background Updates
• Automatic Plugin Security Updates
• The definitive guide to disabling auto updates in WordPress

Before Enabling Automatic Updates…

Here are some things I’ve learned that could prevent updates from ruining your life.

Make Regular Backups

You’ll need a complete backup of both your files and database before you update, since some updates can change the database. I’ve been using Duplicator on my own site, but there are plenty of plugins and services that can do this for you.

Avoid Using Hacks

In the 2003 movie, The Core, the US military came up with the smart idea to build a weapon that could cause earthquakes and ended up stopping the Earth’s core from… doing it’s thing… whatever that is. In your case, those minor tweaks may not destroy all the world’s famous landmarks, but any code changes you make will be lost during updates.

Even if you’re only enabling updates for minor security releases, the WordPress security team could potentially push an update for “malicious or dangerously insecure” plugins or themes.

Do Things the “Right” Way

Sometimes the reasons why something ultimately breaks isn’t really the plugin’s fault at all. We could be using features in ways that no one anticipated or we’re hacking in our own. Well, there’s a better way to do it and I’ve struggled to learn this.

Many plugins and themes have their own actions or filters that you can use to customize them without interfering with updates. Check the documentation or search the plugin files for add_action or apply_filter functions.

If the something you’re using doesn’t have a good way to do this, that leads to my next point:

Ask Developers for Improvements and Contribute

I’ve been guilty of this, but instead of just changing that one offending line of code in a plugin or theme in your own version, try contributing features or suggesting changes.

I gave this a try last year with a newsletter plugin called IssueM. The issue pages were displaying the text of articles, but not the formatting in them like paragraphs, so I made a very simple change (a.k.a. my one line of awesomeness) and submitted it to the project on Github using a pull request. The plugin’s author was very responsive and other people wanted the change, so it ended up being merged into a later version.

Everyone lived happily ever after.

(If this is still intimidating, watch  “You Are Not Your Code: Sharing Your Code Without Fear”)

The Choice Is Yours

So, should you use automatic updates? Yes and no. Yes, it works great on sites where no one is visiting the dashboard often or test installations. No, it’s not that helpful on sites where you need to log which plugins are being updated or when you need to schedule updates during maintenance windows.

I Wish Plugin Developers would…

• Make incremental changes and stick to semantic version numbers.
• Use descriptive changelog messages with warnings about breaking changes
• Provide a blog or an email list to help users stay up-to-date and involved in the plugin’s development
• Post code on Github and be open to contributions.

I Wish WordPress would…

• Email notifications whenever any updates are available and the ability to schedule them.
• A quick link to view the code changes between the latest and previous version like a Github diff.
• Include making a backup as part of the upgrade process.