Notice:

If you are using our Managed WordPress Portal, before making any changes to the wp-config.php file, make sure that you have Automatic Updates disabled within the portal. Changes made within the wp-config.php file will override any automatic updates you have enabled via plugin or through our portal.

There are steps you can take to avoid updates interfering with your site design and functionality. One way is to use the Visual Comparison tool in Liquid Web’s Managed WordPress Portal. This tool creates a staging site, runs the updates and provides output showing any visual changes to your site. This allows you to choose to update or not, and provides you the forewarning to adjust your code so that the update doesn’t interfere with design and functionality.

Another method of testing before updating is by creating a staging domain or staging server. Creating a staging server is done by creating a clone of your current server, see our article Cloning a Cloud VPS for instructions. The method you use depends on the size of your site and amount of customization you’ve done to your server. If you have a lot of custom configuration on your server to optimize your site, creating a staging server is best. This allows you to run updates outside of the live environment and test them prior to updating on the live site.

Smaller sites with less customization can be tested using a subdomain (ex. staging.mysite.com), and allow you to run updates on the staging domain before allowing them to update on the live site. Using a staging domain, you can test, adjust code, and run updates without doing harm to your live site. Learn more about creating subdomains in our article Creating a Subdomain in cPanel or see how to Create a Staging Site in Managed WordPress Portal.

In addition to testing updates before going live, there are additional ways to protect your site from compromise. And as we learned in our article, Best Practices: Protecting Your Website from Compromise, there are steps you can take to protect your website and CMS installation from malicious attack. A few of those steps are:

Make sure your CMS is up-to-date.
CMS developers regularly roll out updates to help keep your information and site secure from malicious compromise. It is important to make sure that you are using the most up-to-date version.
Keep themes, modules, plugins and templates up-to-date.
Even if you update the core CMS files, themes, templates, modules, and plugins can all be subject to compromise if they are not kept up to date as well. Liquid Web provides Softaculous in cPanel to help you manage CMS updates and installations. See our article What Is a Content Management System (CMS)? for more information on how to safely update and install your CMS.
Make sure old backups/migrated copies of data are not public for download.
Hackers can access these host-spots of data if they are public, and many times, these contain sensitive data that attackers can use to exploit your site. A good rule of thumb when looking at your domain’s doc_root is, if you can download it, so can the attackers.
Maintain regularly scheduled backups in case of a security emergency and occasionally test your restoration process to make sure the backups are viable.

If you notice, the top two ways to best keep your CMS secure, is to make sure that all themes and plugins are up-to-date. The most preferred method for keeping your sites up-to-date is to enable automatic updates for your themes and plugins. This avoids the annoyance of having to log in and manually update plugins and themes weekly, as most of the popular ones push updates frequently.

There are four types of automatic background updates:

Core updates
Plugin and T heme updates
Translation file updates

Warning:

Enabling automatic core updates requires that you edit the wp-config.php file. Before making any changes to the wp-config.php file, be sure to take a full backup of your site and database. Depending on the type of server you have running your WordPress site, the backup process will vary. Check out our articles on creating backups:

Core Updates

Core updates can be divided into three types:

Core development updates
Minor core updates like security and maintenance releases
Major core release updates

Minor core releases and translation files are automatically updated by default, but core development updates are only automatically updated if you are running a development version, they will not automatically update in your live site as they could potentially cause issues conflicting with custom code or plugins that are no longer compatible after the update.

Large releases (generally an X.0 update), are set to manual updating and not enabled for automatic updates. This is because larger updates can cause issues with your theme or with plugin functionality and you need to test them prior to allowing the update to go live. One way of testing is by creating a subdomain or maintaining a test server running a copy of your website on it so that you can test any code changes or updates prior to making them go live. This keeps your site from having any unexpected downtime and ensures that all updates run as planned on your site.

Enable Automatic Core Updates

If you’re not worried about your site having issue with core updates, there is a way to turn on automatic updates by editing the wp-config.php file:

vim wp-config.php

and add the following to the file:

/* Enable Automatic Background Updates for WordPress Core */
define( ‘WP_AUTO_UPDATE_CORE’, true );

then exit and save the file with the command:

:wq

This will allow automatic core updates to be run regardless of the version.

Plugin and Theme Updates

Plugin and theme updates are determined by the developer of the plugin or theme. The more popular, the more updates will likely be deployed by the developer for a given plugin or theme. This is also one way of verifying if a plugin or theme is stable and working as it is intended when researching plugins and themes for your site. The more updates it has in its documentation, the more you know it is actively worked on and functioning as it should.

By default, automatic background updates happen for plugins and themes in special cases. To enable or disable updates in all cases, you can leverage the auto_update_$type filter where $type would be replaced with “plugin.”

Enable Automatic Plugin Updates

To update all plugins automatically, use the following filter in the wp-config.php file:

add_filter(  'auto_update_plugin', '__return_true'  );

This will override the WordPress.org API response of only updating plugins in special cases, controlled by the WordPress security team for patching critical vulnerabilities.

Enable Automatic Theme Updates

To updates all themes automatically, use the following filter in the wp-config.php file:

add_filter(  'auto_update_theme', '__return_true'  );

This will allow all themes to update automatically without having to manually update them when you enter your WordPress Admin Dashboard.

Translation Updates

If you use translation with your WordPress site so that your content can be read in multiple languages, the files will be automatically updated by default, the same as minor core updates. You do not need to make any configuration changes unless you want to disable automatic updates. If you need to disable these updates, you will use the filter in the wp-config.php file:

add_filter( 'auto_update_translation', '__return_false' );

Now your translation files will no longer automatically update, giving you the control of which files to update and when.

Once you’ve adjusted your updates to your liking, you can check out the next protection step and change your login URL for the wp-admin login page for WordPress. Find out how in our article Best Practices: Changing Your CMS Login URL.

Was this article helpful?

Thank you for your input.

Thank you for your feedback.