WordPress auto updates – how they work and best practice
Keeping WordPress up to date is essential for security, but applying updates without testing is one of the most common causes of site issues.
Keeping WordPress up to date is one of the most important things you can do to maintain a secure, stable, and high-performing website. However, updates are also one of the most common causes of unexpected site issues.
This article explains how WordPress auto updates work, how those settings are managed through WP Toolkit, and what best practice looks like to reduce risk. We also introduce Smart Updates, Staging Sites and Vulnerability Scanning, and explain how they fit into a safer update strategy.
How WordPress auto updates work
WordPress updates fall into three main categories:
- WordPress core
- Plugins
- Themes
Each can be updated manually or automatically, and each carries a different level of risk.
WordPress core updates
WordPress core updates are split into two types.
Minor updates are security and maintenance releases (for example 6.4.1 to 6.4.2). They are generally safe and recommended for automatic installation.
Major updates introduce new features and structural changes (for example 6.3 to 6.4). Major updates may:
- Deprecate older functionality
- Change behaviour that plugins or themes rely on
- Raise the minimum PHP version requirement
Major updates are far more likely to introduce compatibility issues and should not be applied blindly.
Plugin and theme updates
Plugins and themes are maintained by third-party developers, each with their own release schedules and support policies.
Out-of-date plugins and themes are one of the most common causes of:
- Security vulnerabilities
- PHP compatibility errors
- Sites breaking after WordPress or PHP updates
How WP Toolkit fits in
WP Toolkit is the interface used to manage WordPress installations within cPanel. It is important to understand that:
- WP Toolkit inherits WordPress' native auto-update behaviour
- It does not override WordPress' update logic by default
- It gives you visibility and control over how updates are applied
If WordPress core is configured to auto-update, it will continue to do so via WP Toolkit - even if plugins or themes are not updating.
WP Toolkit also adds tooling on top of WordPress' native behaviour, including Smart Updates, Staging Sites and Vulnerability Scanning, which help reduce risk.
A common risky configuration (and why it causes problems)
Problems usually arise when WordPress components are updated out of step with one another. Two particularly common risky configurations are outlined below.
Scenario 1: core auto-updates, plugins and themes do not
A frequently seen setup looks like this:
- WordPress core: auto-updating (including major versions)
- Plugins: manual updates only
- Themes: manual updates only
- PHP: pinned to an older version (for example PHP 7.4)
This configuration often leads to predictable issues.
Core updates outpace PHP. WordPress core may automatically update to a version that requires a newer PHP version or uses functionality removed in older PHP releases. The result is PHP errors or site outages, even though nothing was manually changed.
Core updates outpace plugins. If WordPress core updates automatically but plugins do not, older plugins may not be compatible with the newer WordPress version, and functionality may break or behave unpredictably.
Scenario 2: plugins and themes auto-update, core does not
The reverse configuration can be just as problematic:
- Plugins and themes: auto-updating
- WordPress core: manual updates only
- PHP: statically defined
In this case:
- Plugins may adopt newer APIs based on recent WordPress versions
- Updated plugins may no longer behave correctly on older core versions
- PHP compatibility requirements may shift without core being updated alongside them
The result is plugin failures, warnings, or broken functionality even though WordPress core itself has not changed.
Updates happen without testing
In both scenarios, the underlying issue is the same: native WordPress auto updates apply changes directly to the live site without testing how the components interact.
If something breaks, the first sign is usually:
- A critical error
- A blank page
- Broken functionality noticed by users
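The two scenarios above can be checked mechanically from a site's settings. The following is an added example, not part of WP Toolkit or the original article: the field names (`core_auto`, `auto_update`, `pending_requires_php`) are assumptions modelled on the `WP_AUTO_UPDATE_CORE` setting and the values WordPress reports per component, and the sample sites are constructed.

```python
# Added example. Field names are assumptions modelled on WP_AUTO_UPDATE_CORE
# and the per-component auto_update / "Requires PHP" values WordPress reports.

def version_tuple(v):
    """'7.4' -> (7, 4) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def audit_update_config(site):
    """Return sorted finding codes for one site's update settings."""
    findings = set()
    core_auto = site["core_auto"]   # True (all releases), "minor", or False
    exts = site["extensions"]       # plugins and themes
    auto = [e for e in exts if e["auto_update"] == "on"]
    manual = [e for e in exts if e["auto_update"] != "on"]

    # Scenario 1: core takes major releases while plugins/themes stay manual.
    if core_auto is True and manual:
        findings.add("core-outpaces-extensions")
    # Scenario 2: plugins/themes move ahead of a manually updated core.
    if core_auto is False and auto:
        findings.add("extensions-outpace-core")
    # Anything beyond minor core releases reaching production untested.
    if not site["smart_updates"] and (core_auto is True or auto):
        findings.add("untested-auto-updates")
    # A pending release that needs a newer PHP than the pinned version.
    php = version_tuple(site["php"])
    for item in [site["core"]] + exts:
        need = item.get("pending_requires_php")
        if need and version_tuple(need) > php:
            findings.add("pending-update-needs-newer-php")
    return sorted(findings)

# Constructed sample: Scenario 1 with PHP pinned to 7.4. The
# pending_requires_php value is invented for the illustration.
SCENARIO_1 = {
    "core_auto": True, "smart_updates": False, "php": "7.4",
    "core": {"name": "core", "pending_requires_php": "8.0"},
    "extensions": [
        {"name": "example-forms", "auto_update": "off"},
        {"name": "example-theme", "auto_update": "off"},
    ],
}

# Constructed sample: minor core releases only, everything else manual.
CONSERVATIVE = {
    "core_auto": "minor", "smart_updates": False, "php": "8.2",
    "core": {"name": "core", "pending_requires_php": "7.4"},
    "extensions": [{"name": "example-forms", "auto_update": "off"}],
}
```

An empty result for `CONSERVATIVE` means none of these specific misalignments was found, not that the site needs no review.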
Why alignment and testing matter
WordPress, plugins, themes, and PHP are tightly interdependent. Updating any one of them in isolation increases the risk of compatibility issues.
Using Smart Updates or a staging environment ensures that updates are tested together before reaching your live site, significantly reducing the risk of downtime.
"Everything looks fine" is not the same as "everything is safe"
Leaving plugins unpatched is risky and often insecure. Outdated plugins are one of the most common causes of WordPress security vulnerabilities.
However, even a site where WordPress core and plugins appear fully updated can still carry hidden risk.
We frequently see sites running plugins that:
- Have been discontinued or abandoned
- Have not received updates in years
- Were withdrawn due to known security issues
- Rely on older PHP behaviour that still works - for now
- Leave the site vulnerable even if no obvious problems are visible
In these situations, WordPress core and actively maintained plugins may be fully compatible with newer PHP versions, but a single abandoned or custom plugin can still:
- Depend on deprecated PHP functions
- Break when PHP is upgraded
- Force the site to remain on an older PHP version
- Introduce security risk simply by existing
This creates hidden dependencies on legacy code. A site may appear healthy and up to date while quietly accumulating technical debt and security exposure that only becomes apparent during a WordPress or PHP upgrade.
Good update hygiene is not just about applying updates - it is about understanding what code your site depends on, which components are actively maintained, and which ones are silently holding you back.
Understanding the role of vulnerability scanning
Vulnerability scanning in WP Toolkit helps identify:
- Plugins and themes with known, publicly disclosed vulnerabilities
- Software that has already been flagged by recognised security databases
This makes it a useful indicator of risk, particularly for highlighting plugins or themes that may need attention, updating, or replacement.
However, vulnerability scanning should be viewed as one signal among many, rather than a complete assessment of a site's health.
Some components may not appear in vulnerability reports, including:
- Custom plugins or themes
- Internally developed or modified code
- Plugins that are outdated but not publicly reported
- Plugins that introduce PHP compatibility or dependency issues rather than known security flaws
For this reason, it is still important to be aware of any custom or legacy code in use.
If a plugin or theme is no longer maintained, has not received updates for a long time, or is incompatible with modern PHP versions, it should be considered unsupported and reviewed for replacement - even if no vulnerabilities are currently reported.
Vulnerability scanning helps surface known risks early, while testing changes using Smart Updates or a staging environment helps ensure those risks do not turn into outages.
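To show how a component can need review while the scanner reports nothing, here is an added example (not WP Toolkit's logic) that combines scan results with the other signals described above. The inventory is constructed, the field names are hypothetical, and the 730-day staleness threshold is an assumption, since the article only says "a long time".

```python
from datetime import date

STALE_AFTER_DAYS = 730  # assumption: the article gives no fixed threshold

def review_components(components, today):
    """Map component name -> reasons it needs review (empty list = no signal)."""
    report = {}
    for c in components:
        reasons = []
        if c["known_vulns"]:
            reasons.append("known-vulnerability")
        if c["source"] == "custom":
            reasons.append("custom-code-not-covered-by-scanner")
        elif c["source"] == "withdrawn":
            reasons.append("withdrawn-or-discontinued")
        last = c.get("last_updated")
        if last and (today - last).days > STALE_AFTER_DAYS:
            reasons.append("stale")
        if not c["php_compatible"]:
            reasons.append("blocks-php-upgrade")
        report[c["name"]] = reasons
    return report

def scanner_blind_spots(report):
    """Components that need review although no vulnerability is reported."""
    return sorted(
        name for name, reasons in report.items()
        if reasons and "known-vulnerability" not in reasons
    )

# Constructed inventory; names, dates and counts are illustrative only.
INVENTORY = [
    {"name": "example-seo", "source": "directory", "known_vulns": 0,
     "last_updated": date(2024, 11, 1), "php_compatible": True},
    {"name": "example-gallery", "source": "directory", "known_vulns": 0,
     "last_updated": date(2019, 3, 10), "php_compatible": False},
    {"name": "example-forms", "source": "directory", "known_vulns": 2,
     "last_updated": date(2024, 6, 1), "php_compatible": True},
    {"name": "intranet-sso", "source": "custom", "known_vulns": 0,
     "last_updated": None, "php_compatible": True},
]

if __name__ == "__main__":
    report = review_components(INVENTORY, today=date(2025, 1, 1))
    for name in scanner_blind_spots(report):
        print(name, report[name])
```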
Why Smart Updates (or staging) is best practice
Smart Updates adds an intelligent testing layer to the update process:
- Your site is cloned
- Updates are applied to the clone
- Automated tests are run to detect errors
- Updates are only applied to the live site if no new issues are found
This approach significantly reduces the risk of downtime, especially when:
- Applying major WordPress updates
- Updating multiple plugins at once
- Changing PHP versions
- Working with older or custom code
For a full step-by-step guide, see Using Smart Updates in WP Toolkit.
If you prefer a more hands-on approach, using a dedicated staging site achieves a similar goal.
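For the hands-on staging route, the "only if no new issues are found" rule can be expressed as a comparison between the live site and the updated clone. This is an added sketch, not how Smart Updates is implemented: the snapshot format is hypothetical and the responses are constructed.

```python
CRITICAL_MARKER = "There has been a critical error on this website"

def page_issues(snapshot):
    """Return the set of (url, issue) pairs found in one crawl snapshot.

    snapshot maps url -> {"status": int, "body": str}
    """
    issues = set()
    for url, resp in snapshot.items():
        if resp["status"] >= 500:
            issues.add((url, "server-error"))
        if CRITICAL_MARKER in resp["body"]:
            issues.add((url, "critical-error"))
        if not resp["body"].strip():
            issues.add((url, "blank-page"))
    return issues

def promotion_decision(live, updated_clone):
    """Promote only if the updated clone shows no issue the live site lacks."""
    new = page_issues(updated_clone) - page_issues(live)
    # A page that exists on live but vanished from the clone is also new.
    new |= {(url, "page-missing") for url in live if url not in updated_clone}
    return {"promote": not new, "new_issues": sorted(new)}

# Constructed snapshots. /old-report is already broken on the live site,
# so it must not block the update on its own.
LIVE = {
    "/": {"status": 200, "body": "<h1>Shop</h1>"},
    "/contact": {"status": 200, "body": "<form>...</form>"},
    "/old-report": {"status": 500, "body": ""},
}
CLONE_AFTER_UPDATE = {
    "/": {"status": 200, "body": "<h1>Shop</h1>"},
    "/contact": {"status": 500, "body": "<p>" + CRITICAL_MARKER + ".</p>"},
    "/old-report": {"status": 500, "body": ""},
}

if __name__ == "__main__":
    print(promotion_decision(LIVE, CLONE_AFTER_UPDATE))
```

Comparing against the live baseline rather than against a clean slate keeps a pre-existing fault from blocking every future update while still catching regressions.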
What happens when updates go wrong?
Despite best efforts, dependency issues can still occur. When they do, you may see:
- PHP fatal errors
- "There has been a critical error on this website"
- Blank pages or partially broken functionality
These issues are usually caused by:
- Plugin or theme incompatibilities
- PHP version mismatches
- Abandoned or outdated code being exposed by updates
If your site displays a critical error, see Diagnosing critical errors in WordPress - a survival guide for how to diagnose and recover safely.
Recommended update strategy
For most WordPress sites, we recommend using Smart Updates as the foundation of your update strategy. Updates are essential for security, but applying them without testing is one of the most common causes of site issues.
Recommended: automatic updates with Smart Updates enabled
If you want your site to stay secure without constant manual intervention, this is the preferred approach.
With Smart Updates enabled:
- WordPress core (including major versions) can be updated automatically
- Plugin and theme updates can run automatically and in alignment with core updates
- Updates are tested together on a cloned site before being applied to production
- If an update introduces errors, it is not applied to the live site and you are notified
This approach keeps all components aligned while significantly reducing the risk of downtime.
Acceptable (but less ideal): manual or limited auto updates without Smart Updates
If Smart Updates is not enabled, updates should be applied more conservatively.
In this case, we recommend:
- Auto-updating minor (security) WordPress core releases only
- Applying major WordPress, plugin, theme, and PHP updates manually
- Testing changes in a staging environment before applying them to the live site
Allowing major updates to run automatically without testing increases the likelihood of compatibility issues and site outages.
Plugins and themes (all approaches)
Regardless of how updates are applied:
- Remove unused or abandoned plugins and themes
- Ensure all active plugins and themes are actively maintained
- Replace unsupported or discontinued components
- Review vulnerability scan results regularly and address flagged items promptly
PHP versions
- Stay on the highest supported PHP version appropriate for your site
- Review PHP compatibility before upgrading WordPress, plugins, or themes
- When making PHP version changes, test first using Smart Updates or a staging site, particularly for major version upgrades
Backups
- Ensure restore points exist before major changes
- Confirm that backups can be restored if needed
The bottom line
If you use any form of automatic updates, Smart Updates should be enabled. This ensures:
- Your site remains secure
- Updates are applied in alignment
- Issues are detected before they affect your live site
If issues are detected during testing, they can be reviewed safely - for example, identifying whether a PHP version change is required - without impacting visitors or customers.
Any update on a production website, whether manual or automated, that is not done using Smart Updates or within a staging site carries significant risk.
A site that appears stable today may still carry hidden risks from outdated or abandoned code. Understanding how WordPress updates work, regularly reviewing vulnerabilities, and testing changes before they go live allows you to stay secure without unnecessary downtime.
If you would like help reviewing your update configuration or deciding on the best approach for your site, our support team is always happy to help.