Automatic updates in WordPress install selected releases without waiting for a dashboard session. They are useful when a site should receive routine security, maintenance, plugin, or theme fixes promptly, but the update policy still needs to be explicit enough for backups and rollbacks.

WordPress handles update types separately. Translation files update automatically by default, core updates can be controlled with WP_AUTO_UPDATE_CORE in wp-config.php, and plugin or theme auto-updates are enabled individually for each plugin or theme.

WP-CLI keeps the policy visible from the shell and can be repeated across several sites. Avoid this live-write workflow on immutable, Git-deployed, or CI/CD-managed sites where AUTOMATIC_UPDATER_DISABLED or DISALLOW_FILE_MODS is intentionally enforced, and route those updates through the deployment system instead.

Steps to configure WordPress automatic updates:

  1. Change into the WordPress document root.
    $ cd /var/www/example.com/public_html

    Run the remaining commands from the directory that contains wp-config.php. In automation, use --path=/var/www/example.com/public_html instead of relying on the inherited working directory.

  2. Confirm that WP-CLI is targeting the intended site.
    $ wp option get home
    https://www.example.com

    On multisite, add --url=https://www.example.com to the remaining site-specific commands.
    Related: How to use WP-CLI safely on a production WordPress site

  3. Review the current plugin auto-update state.
    $ wp plugin list --fields=name,status,auto_update --format=table
    name	status	auto_update
    akismet	inactive	off
    hello	inactive	off

    Use the slug from the name column when enabling a plugin, not the display name shown in wp-admin.

  4. Review the current theme auto-update state.
    $ wp theme list --fields=name,status,auto_update --format=table
    name	status	auto_update
    twentytwentyfive	active	off
    twentytwentyfour	inactive	off
    twentytwentythree	inactive	off

    Inactive parent themes can still matter when a child theme depends on them.

  5. Check wp-config.php for constants that block or override automatic updates.
    $ grep -nE "AUTOMATIC_UPDATER_DISABLED|DISALLOW_FILE_MODS|WP_AUTO_UPDATE_CORE" wp-config.php

    No output means none of these constants is explicitly set yet.

    If AUTOMATIC_UPDATER_DISABLED or DISALLOW_FILE_MODS is set to true, background installs are intentionally blocked. Keep that policy on immutable or code-managed sites unless the deployment model is changing on purpose.

  6. Create a backup directory outside the public document root.
    $ mkdir -p ~/backups/wordpress

    Do not store rollback exports under the public document root. A downloadable database dump can expose users, password hashes, emails, and private content.

  7. Export a database rollback copy before enabling unattended writes.
    $ wp db export ~/backups/wordpress/pre-auto-update-change.sql
    Success: Exported to '/home/user/backups/wordpress/pre-auto-update-change.sql'.

    A database export does not save plugin, theme, or upload files. Use the normal full-site backup or host snapshot when file-level rollback is required.
    Related: How to back up a WordPress site

  8. Set the core auto-update policy in wp-config.php.
    $ wp config set WP_AUTO_UPDATE_CORE minor --type=constant
    Success: Added the constant 'WP_AUTO_UPDATE_CORE' to the 'wp-config.php' file with the value 'minor'.

    minor keeps maintenance and security core releases automatic while leaving major core releases for manual review. Use true only when the site is already tested for automatic major core updates.

    The shell account running WP-CLI must be able to write wp-config.php. If the command fails with a permissions error, fix ownership or update the constant through the configuration workflow that normally manages that file.

  9. Enable plugin auto-updates for one reviewed plugin slug.
    $ wp plugin auto-updates enable hello
    Success: Enabled 1 of 1 plugin auto-updates.

    Opt in only plugins with a release history and rollback path that fit the site. Use --all only after compatibility is already standardized across the installed plugin set.

  10. Enable theme auto-updates for one reviewed theme slug.
    $ wp theme auto-updates enable twentytwentyfour
    Success: Enabled 1 of 1 theme auto-updates.

    Do not enable automatic updates on heavily customized themes. Keep bespoke themes on a reviewed release path unless they are rebuilt from source on every deploy.

  11. Verify the saved core update policy.
    $ wp config get WP_AUTO_UPDATE_CORE --type=constant
    minor

  12. Verify the plugin auto-update status.
    $ wp plugin auto-updates status hello --format=table
    name	status
    hello	enabled

  13. Verify the theme auto-update status.
    $ wp theme auto-updates status twentytwentyfour --format=table
    name	status
    twentytwentyfour	enabled

    If scheduled updates do not run later, review Tools → Site Health for cron, filesystem, or update-blocking warnings before assuming the policy was ignored.
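
The checks from steps 5 and 6 can be scripted as a pre-flight gate for automation. This is an added example, not part of the original guide: the function names are hypothetical and the sample wp-config.php is constructed. Unlike the bare grep in step 5, it ignores commented-out constants and reads the value that is actually set.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide). Function names are hypothetical.

# Print the value of a define()'d constant in a wp-config.php file. Lines
# commented out with // or # are ignored, which a bare grep would still match.
# Limitation: /* block comments */ and computed values are not interpreted.
wp_const() {
  grep -E "^[[:space:]]*define\([[:space:]]*['\"]${2}['\"]" "$1" | tail -n 1 |
    sed -E "s/^[^,]*,[[:space:]]*//; s/[[:space:]]*\);.*$//; s/^['\"]//; s/['\"]$//"
}

# Gate for the live-write workflow: prints "blocked:<CONSTANT>" and fails when
# background installs are intentionally disabled, else prints "core:<value>".
autoupdate_gate() {
  local c v
  for c in AUTOMATIC_UPDATER_DISABLED DISALLOW_FILE_MODS; do
    v=$(wp_const "$1" "$c" | tr '[:upper:]' '[:lower:]')
    if [ "$v" = "true" ]; then echo "blocked:$c"; return 1; fi
  done
  v=$(wp_const "$1" WP_AUTO_UPDATE_CORE)
  echo "core:${v:-unset}"
}

# Succeeds only when the backup directory resolves (symlinks included) to a
# path outside the document root, as step 6 requires.
backup_outside_docroot() {
  local backup root
  backup=$(cd "$1" && pwd -P) || return 2
  root=$(cd "$2" && pwd -P) || return 2
  case "$backup/" in "$root"/*) return 1 ;; *) return 0 ;; esac
}

# Constructed sample: a code-managed site with one commented-out constant.
demo() {
  local d; d=$(mktemp -d)
  mkdir -p "$d/public_html/backups"
  cat > "$d/public_html/wp-config.php" <<'EOF'
<?php
// define( 'AUTOMATIC_UPDATER_DISABLED', true );
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
define( 'DISALLOW_FILE_MODS', true );
EOF
  autoupdate_gate "$d/public_html/wp-config.php" || true  # blocked:DISALLOW_FILE_MODS
  backup_outside_docroot "$d/public_html/backups" "$d/public_html" ||
    echo "backup directory is under the document root"
  rm -rf "$d"
}
demo
```

In automation, call autoupdate_gate before steps 8 to 10 and route the site through its deployment system when the gate fails.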