Automatic updates are a great way of making sure your application gets security updates as soon as they are available. Once a vendor releases a
security update, it is crucial to apply it in a timely manner before malicious actors exploit the vulnerability. Relying on manual updates is usually
too late, especially if the application is publicly accessible on the internet.
Ask Yourself Whether
- there is no specific reason for deactivating all automatic updates.
- you meant to deactivate only automatic major updates.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
Don’t deactivate automatic updates unless you have a good reason to do so. This way, you’ll be sure to receive security updates as soon as they are
available. If you are worried about an automatic update breaking something, check if it is possible to only activate automatic updates for minor or
security updates.
Sensitive Code Example
define( 'WP_AUTO_UPDATE_CORE', false ); // Sensitive
define( 'AUTOMATIC_UPDATER_DISABLED', true ); // Sensitive
Compliant Solution
define( 'WP_AUTO_UPDATE_CORE', true ); // Minor and major automatic updates enabled
define( 'WP_AUTO_UPDATE_CORE', 'minor' ); // Only minor updates are enabled
define( 'AUTOMATIC_UPDATER_DISABLED', false );
See
