Automatic updates in WordPress shorten the gap between an upstream fix and the moment a site actually installs it. On servers that update directly in place, that usually means fewer missed security or maintenance releases when nobody is watching the dashboard at the right time.

WordPress does not treat every update type the same way. Translation packs already update automatically, core background updates use WP_AUTO_UPDATE_CORE, and plugin or theme auto-updates are opt-in per item. Making that policy explicit keeps older sites and newer installs consistent instead of relying on whatever default the site started with.

This guide uses WP-CLI so the policy is explicit, repeatable, and easy to audit across several sites. If the site is deployed from Git or CI/CD, or if AUTOMATIC_UPDATER_DISABLED or DISALLOW_FILE_MODS is intentionally enforced, keep that immutable policy and manage updates through the release path instead of mixing live writes with code-managed deployments.

Related: How to back up a WordPress site
Related: How to install WP-CLI on Ubuntu or Debian
Related: How to install WP-CLI on CentOS, Fedora, or Red Hat

Steps to configure WordPress automatic updates:

  1. Change into the WordPress document root. 
    $ cd /var/www/example.com/public_html

    Run the remaining commands from the directory that contains /wp-config.php/.

  2. Confirm that WP-CLI is pointed at the intended site and review the current auto-update state before changing anything. 
    $ wp option get home
https://www.example.com

$ wp plugin list --fields=name,status,auto_update --format=table
name             status    auto_update
akismet          inactive  off
hello            inactive  off
google-site-kit  active    off

$ wp theme list --fields=name,status,auto_update --format=table
name               status    auto_update
twentytwentyfive   active    off
twentytwentyfour   inactive  off
twentytwentythree  inactive  off

    On multisite, add --url=<site-url> to the remaining commands so the policy is applied to the intended site instead of the network default.

    Related: How to use WP-CLI safely on a production WordPress site

  3. Check whether wp-config.php already defines a blocking or conflicting update policy. 
    $ grep -nE "AUTOMATIC_UPDATER_DISABLED|DISALLOW_FILE_MODS|WP_AUTO_UPDATE_CORE" wp-config.php

    No output means none of these constants is explicitly set yet.

    If AUTOMATIC_UPDATER_DISABLED or DISALLOW_FILE_MODS is set to true, background installs are intentionally blocked. Leave that policy in place on immutable or Git-deployed sites unless the deployment model is being changed on purpose.

  4. Create a rollback point before enabling unattended writes. 
    $ mkdir -p ~/backups/wordpress
$ wp db export ~/backups/wordpress/pre-auto-update-change.sql
Success: Exported to '/home/user/backups/wordpress/pre-auto-update-change.sql'.

    This exports the database only. If plugin or theme files are not already covered by snapshots or backups, take a full site backup through the normal recovery workflow as well.

    Related: How to back up a WordPress site

  5. Set the core auto-update policy explicitly in wp-config.php. 
    $ wp config set WP_AUTO_UPDATE_CORE minor --type=constant
Success: Added the constant 'WP_AUTO_UPDATE_CORE' to the 'wp-config.php' file with the value 'minor'.

    minor keeps maintenance and security core releases automatic while leaving major releases on manual review. Replace it with true only when the site is already validated for automatic major core upgrades.

    The account running WP-CLI must be able to write /wp-config.php/. If the command fails with a permissions error, fix the file ownership or mode first, or update the constant through the same configuration workflow that normally manages that file.

  6. Enable plugin auto-updates only for the plugin slugs that are safe to update unattended. 
    $ wp plugin auto-updates enable hello
Success: Enabled 1 of 1 plugin auto-updates.

    Review the plugin list first and opt in only the extensions with a predictable release history and a tested rollback path.

    --all applies the same policy to every installed plugin. Reserve that for staging or estates where plugin compatibility has already been standardized.

  7. Enable theme auto-updates for the theme slugs that can safely track upstream releases. 
    $ wp theme auto-updates enable twentytwentyfour
Success: Enabled 1 of 1 theme auto-updates.

    Inactive parent themes can still matter when a child theme depends on them, so review both the active theme and any parents before deciding what should auto-update.

    Do not enable automatic updates on a heavily customized theme just because the toggle exists. Keep bespoke themes on a reviewed release path unless they are rebuilt from source on every deploy.

  8. Verify the saved policy after enabling the intended scope. 
    $ wp config get WP_AUTO_UPDATE_CORE --type=constant
minor

$ wp plugin auto-updates status hello --format=table
name	status
hello	enabled

$ wp theme auto-updates status twentytwentyfour --format=table
name	status
twentytwentyfour	enabled

    WordPress normally checks plugin and theme auto-updates twice per day. If scheduled updates do not run, review Tools → Site Health for cron or filesystem errors before assuming the policy was ignored.