Jb Audras 9:53 pm on July 15, 2020
Tags: 5.5 ( 87 ), auto-update ( 24 ), auto-updates ( 13 ), dev-notes ( 520 ), feature plugins ( 120 ), feature projects ( 50 ), feature-autoupdates ( 26 )

Controlling Plugin and Theme auto-updates UI in WordPress 5.5

Site security is an integral part of modern websites. Keeping sites up to date by running the latest versions of WordPress, PHPPHP The web scripting language in which WordPress is primarily architected. WordPress requires PHP 5.6.20 or higher, and any installed plugins or themes is highly recommended as an easy way to keep a site safe from any known security vulnerabilities.

By default, WordPress itself is configured to automatically update when new minor versions become available. While the code to auto-update plugins and themes has been in CoreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. for just as long, it’s seldom used by site owners because it requires the use of a filterFilter Filters are one of the two types of Hooks https://codex.wordpress.org/Plugin_API/Hooks. They provide a way for functions to modify data of other functions. They are the counterpart to Actions. Unlike Actions, filters are meant to work in an isolated manner, and should never have side effects such as affecting global variables and output. hook.

This past February, a feature plugin was created in response to the 9 Projects for 2019/2020 to explore introducing a user interface that allows site administrators to easily manage pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party and theme auto-updates right from the dashboard. After 5 months of development on the GitHub repository, user feedback (the plugin was available on the WordPress.org plugin directory), testing (which includes over 1,000 active installs), and iterating by the contributors of the #core-auto-updates team, this feature pluginFeature Plugin A plugin that was created with the intention of eventually being proposed for inclusion in WordPress Core. See Features as Plugins. was merged into Core in [47835] and will be released in WordPress 5.5.

A screenshot of a site’s Plugins page in the dashboard with the new “Automatic Updates” column (click to open this image in a new tab).

These new controls will allow website owners to keep their sites up-to-date and secure with less time and effort.

Note: Plugin and theme auto-updates are disabled by default. Administrators and site owners need to enable this feature to receive automatic plugin and theme updates. However, language packs for plugins and themes have always auto-updated when new updates are available. The new interface will not adjust language pack updates.

By default, all users with the update_plugins and update_themes capabilities are able to toggle auto-updates for plugins and themes respectively. On multisitemultisite Used to describe a WordPress installation with a network of multiple blogs, grouped by sites. This installation type has shared users tables, and creates separate database tables for each blog (wp_posts becomes wp_0_posts). See also network, blog, site installations, only networknetwork (versus site, blog) administrators have this capability, and only when in the context of the network dashboard.

A number of hooksHooks In WordPress theme and development, hooks are functions that can be applied to an action or a Filter in WordPress. Actions are functions performed when a certain event occurs in WordPress. Filters allow you to modify certain functions. Arguments used to hook both filters and actions look the same. are included for plugin authors and WordPress developers to customize the new feature to fit their needs. Let’s have a look at the available functions and hooks and how they can be used to tailor the plugin and theme auto-update experience.

New function: wp_is_auto_update_enabled_for_type()

This function indicates whether auto-updates are enabled for a given type. The two types accepted are theme and plugin.

// Check if auto-updates are enabled for plugins.
$plugin_auto_updates_enabled = wp_is_auto_update_enabled_for_type( 'plugin' );

Disable the auto-update user interface elements

It is possible to disable the new interface elements if desired. Returning false to the plugins_auto_update_enabled and themes_auto_update_enabled filters will disable the user interface elements for plugins and themes respectively. By default, these are enabled (true).

Note: This does not enable or disable auto-updates. It controls whether to show the user interface elements.

The following snippet will disable the plugin and theme auto-update UIUI User interface elements:

// Disable plugins auto-update UI elements.
add_filter( 'plugins_auto_update_enabled', '__return_false' );

// Disable themes auto-update UI elements.
add_filter( 'themes_auto_update_enabled', '__return_false' );

Modifying auto-update action links

Sometimes, a plugin or theme may want to manage updates on their own. This is common when they are not hosted on the WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ directories. For these instances, there are filters in place so plugin and theme authors can modify the auto-update related HTMLHTML HyperText Markup Language. The semantic scripting language primarily used for outputting content in web browsers. output in certain locations.

Plugins screen: single site and multisite

With the plugin_auto_update_setting_html filter, it’s possible to filter auto-update column content, including the toggle links and time till next update attempt.

This filter pass the default generated HTML content of the auto-updates column for a plugin, with two additional parameters:

$plugin_file: The path to the main plugin file relative to the plugins directory.
$plugin_data: An array of plugin data.

For example, let’s say the “My plugin” plugin wants to prevent auto-updates from being toggled and its path relative to the plugins directory is my-plugin/my-plugin.php. The following example will change what is displayed within the auto-update column for that plugin:

function myplugin_auto_update_setting_html( $html, $plugin_file, $plugin_data ) {
	if ( 'my-plugin/my-plugin.php' === $plugin_file ) {
		$html = __( 'Auto-updates are not available for this plugin.', 'my-plugin' );
	}

	return $html;
}
add_filter( 'plugin_auto_update_setting_html', 'myplugin_auto_update_setting_html', 10, 3 );

Below is the result:

In the screenshot above, the default toggling action in the auto-updates column for one particular plugin has been modified using the previous example (click to open this image in a new tab).

For reference, here is the default HTML content:

<a href="…" class="toggle-auto-update" data-wp-action="…">
	<span class="dashicons dashicons-update spin hidden" aria-hidden="true"></span>
	<!-- The following text is replaced with "Disable auto-updates" when auto-updates are already enabled for this plugin -->
	<span class="label">Enable auto-updates</span>
</a>

Themes screen: single site only

Filtering the auto-update HTML content for Themes screen is a bit more tricky since this screen is rendered with a JavaScriptJavaScript JavaScript or JS is an object-oriented computer programming language commonly used to create interactive effects within web browsers. WordPress makes extensive use of JS for a better user experience. While PHP is executed on the server, JS executes within a user’s browser. https://www.javascript.com/. template. However, it is possible to hook into this screen using the theme_auto_update_setting_template filter and returning a modified $template (the rendering template used for every theme on the Themes page).

Note: since this template is used for each theme on the page, using a conditional statement to check for the theme being targeted is highly recommended. This can be done by utilizing the data.id JSJS JavaScript, a web scripting language typically executed in the browser. Often used for advanced user interfaces and behaviors. parameter (which contains the theme slug).

Full documentation about the properties available for the theme data object is available in wp_prepare_themes_for_js() DevHub page.

The following example will replace the text auto-update HTML content for the my-theme and twentytwenty themes:

function myplugin_auto_update_setting_template( $template ) {
	$text = __( 'Auto-updates are not available for this theme.', 'my-plugin' );

	return "<# if ( [ 'my-theme', 'twentytwenty' ].includes( data.id ) ) { #>
		<p>$text</p>
		<# } else { #>
		$template
		<# } #>";
}
add_filter( 'theme_auto_update_setting_template', 'myplugin_auto_update_setting_template' );

Below is the result:

In the screenshot above, the default toggling action for auto-updates has been modified using the previous example (click to open this image in a new tab).

For reference, here is the default template output:

<div class="theme-autoupdate">
	<# if ( data.autoupdate ) { #>
		<a href="{{{ data.actions.autoupdate }}}" class="toggle-auto-update" data-slug="{{ data.id }}" data-wp-action="disable">
			<span class="dashicons dashicons-update spin hidden" aria-hidden="true"></span>
			<span class="label">' . __( 'Disable auto-updates' ) . '</span>
		</a>
	<# } else { #>
		<a href="{{{ data.actions.autoupdate }}}" class="toggle-auto-update" data-slug="{{ data.id }}" data-wp-action="enable">
			<span class="dashicons dashicons-update spin hidden" aria-hidden="true"></span>
			<span class="label">' . __( 'Enable auto-updates' ) . '</span>
		</a>
	<# } #>
	<# if ( data.hasUpdate ) { #>
		<# if ( data.autoupdate ) { #>
			<span class="auto-update-time">
		<# } else { #>
			<span class="auto-update-time hidden">
		<# } #>
		<br />' . wp_get_auto_update_message() . '</span>
	<# } #>
	<div class="notice notice-error notice-alt inline hidden"><p></p></div>
</div>

Themes screen: multisite only

On multisite installs, the Themes screen can be modified in a way similar to the Plugins screen detailed above. Using the theme_auto_update_setting_html filter, the auto-update column content can be filtered, including the toggle links and time till next update.

This filter is passed the default generated HTML content of the auto-updates column for a theme with two additional parameters:

$stylesheet: The directory name of the theme (or slug).
$theme: The full WP_Theme object.

For example, let’s say the network administrator of a multisite network wants to disallow auto-updates for the Twenty Twenty theme. The following example will change what is displayed within the auto-update column for that theme:

function myplugin_theme_auto_update_setting_html( $html, $stylesheet, $theme ) {
	if ( 'twentytwenty' === $stylesheet ) {
		$html = __( 'Auto-updates are not available for this theme.', 'my-plugin' );
	}

	return $html;
}
add_filter( 'theme_auto_update_setting_html', 'myplugin_theme_auto_update_setting_html', 10, 3 );

Blanket auto-update opt-in

If a developer wants to enable auto-updates for all plugins and/or themes (including any that are installed in the future), the auto_update_plugin/auto_update_theme filters can be used.

// Enable all plugin auto-updates.
add_filter( 'auto_update_plugin', '__return_true' );

// Enable all theme auto-updates.
add_filter( 'auto_update_theme', '__return_true' );

Note: Any value returned using these filters will override all auto-update settings selected in the adminadmin (and super admin). Changes made using these filters also will not be reflected to the user in the interface. It is highly recommended to use these filters in combination with the hooks detailed above to inform the user of the auto-update policy being enforced.

This approach will not be appropriate for all sites. It’s recommended to use the new UI to manage auto-updates unless you’re sure blanket opting-in is right for your site.

Also note: This filter was added to the codebase in WordPress 3.7.0 and is likely being used to blanket enable auto-updates for plugins and themes on sites today. If it appears the new UI elements are not changing the auto-update behavior for plugins or themes on your site, this may be why. #50662 has been opened to notify site owners that this filter is being used in Site Health.

For information, refer to the following tickets on TracTrac An open source project by Edgewall Software that serves as a bug tracker and project management tool for WordPress.: #50052, #50280.

This post is the first part of the plugins and themes auto-updates dev notesdev note Each important change in WordPress Core is documented in a developers note, (usually called dev note). Good dev notes generally include a description of the change, the decision that led to this change, and a description of how developers are supposed to work with that change. Dev notes are published on Make/Core blog during the beta phase of WordPress release cycle. Publishing dev notes is particularly important when plugin/theme authors and WordPress developers need to be aware of those changes.In general, all dev notes are compiled into a Field Guide at the beginning of the release candidate phase. for WordPress 5.5.

Thanks @desrosj and @pbiron for technical review and proofreading.

#5-5, #auto-update, #auto-updates, #dev-notes, #feature-plugins, #feature-projects, #feature-autoupdates

Stephen Cronin 12:31 pm on July 16, 2020

This is nice, but I have a concern about external plugins/themes (ie not hosted on the wp.org repos). The user can click the Enable Auto-updates link for these plugins/themes and it appears that it’s been turned on. I guess it HAS been turned on, but of course, it will never actually update.

PluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party and theme authors can modify the action link as shown above, but there are tens of thousands of plugins and themes out there and not all authors are going to do that.

One of the most common security tips is to keep your plugins and themes updated. Users who ‘turn on’ auto updates for plugins/themes outside the repo will have a false sense of security, thinking that now they don’t need to worry about keeping these plugins/themes up to date. They will stop looking for updates in the appropriate place. This will potentially open them to security threats.

Wouldn’t it be safer to only show the Enable Auto-updates link for plugins/themes that have a slug that matches a plugin/theme in the respective repo and display “Auto updates unavailable” for any that don’t match?

Have I missed something? Please tell me I’ve got something wrong! I’d be very happy if so.
- Timothy Jacobs 5:22 pm on July 16, 2020
  
  @stephencronin as long as the pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party hooksHooks In WordPress theme and development, hooks are functions that can be applied to an action or a Filter in WordPress. Actions are functions performed when a certain event occurs in WordPress. Filters allow you to modify certain functions. Arguments used to hook both filters and actions look the same. into the WordPress updater, that is the user can update it through WP-Adminadmin (and super admin), then auto updates will work, even if the plugin is not hosted on WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/. If the plugin requires downloading the latest version from a site, and manually updating, then auto updates won’t work.
  
  Because there isn’t a proper updates APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways. for third party plugins to hook into, I’m not sure there is a good way to check if updates are delivered thru WP-Admin.
  - Ipstenu (Mika Epstein) 7:22 pm on July 16, 2020
    
    What if the 3rd party pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party doesn’t have an updater included? Sadly many do not. And we don’t really have a way of knowing. Which means both including and excluding non-org plugins from the updater has risks.
    
    Perhaps a middle road would be a flag “3rd Party” with a pop-up on hover “This plugin is not hosted on WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ and we cannot promise it will be able to auto-update.” I don’t know if that would be too FUDdy though :/
    - Timothy Jacobs 8:45 pm on July 16, 2020
      
      I don’t know. I guess theoretically plugins that do include an updater would be more likely to be actively maintained and could add a filterFilter Filters are one of the two types of Hooks https://codex.wordpress.org/Plugin_API/Hooks. They provide a way for functions to modify data of other functions. They are the counterpart to Actions. Unlike Actions, filters are meant to work in an isolated manner, and should never have side effects such as affecting global variables and output. to remove the “3rd Party” warning before 5.5 is released?
      - Ipstenu (Mika Epstein) 3:49 pm on July 17, 2020
        
        It would be a reasonable assumption that if a pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party has an updater, then it’s meant to be … updated. Yes.
        
        Timothy Jacobs 9:31 pm on July 17, 2020
        
        🤣
  - Stephen Cronin 11:53 pm on July 16, 2020
    
    @timothyblynjacobs – the problem is we can’t rely on non-repo plugins/themes having an updater (some do, some don’t), and we can’t rely on them filtering the link to say updates not available either (some will, some won’t).
    
    If this was a proposal to change a filterFilter Filters are one of the two types of Hooks https://codex.wordpress.org/Plugin_API/Hooks. They provide a way for functions to modify data of other functions. They are the counterpart to Actions. Unlike Actions, filters are meant to work in an isolated manner, and should never have side effects such as affecting global variables and output. name or something, we’d never do it because we couldn’t tell which plugins are using it and it wouldn’t be backward compatible. It’s the same thing. We can’t rely on plugins/themes opting out of this, which will lead to an increased security risk.
    
    I’m not too familiar with the wp.org polling mechanism, but couldn’t coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. look at what’s coming back from that, then store which plugins / themes have a matching slug in the repo and which ones don’t. Yes, that would make this a more complex change and we’d have to work out how to store that in the DB, but then ‘Enable Auto-updates’ could only shown for wp.org plugins/themes. Everything else would have an “Auto-updates not available” message. External plugins/themes could then override that if they have an updater that will work with auto-updates through core. Opt in rather than opt out. Much better for security (and user experience).
    
    Anyway here is a real example of an affected pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party (just the first eg I found). The Bridge theme on ThemeForest (140K sales) has a companion plugin called Bridge Core. This is included in the theme zip file and installed via the TGM Plugin Activation class. You can update it under Appearance > Install Plugins (screenshot: https://envato.d.pr/yoEQ4v/eMESFTlKKU ). It will report Update Required on the Plugins screen, but you aren’t given an update prompt there.
    
    If you click ‘Enable auto-updates’, the prompt changes to ‘Disable auto-updates’, making the user think that they are safe. However, it won’t actually schedule an update for it (screenshot showing AMP plugin scheduled, Bridge Core not scheduled: https://envato.d.pr/kwfTIW/dqAqPSHVMx ). I waited an hour just in case and the AMP plugin updated, but the Bridge Core one did not.
    
    I’m guessing that’s going to be the same for all themes/plugins that use TGM PA (which is a lot). Clever users will work out that it says Update Required but never schedules it. Many will not notice or just think “I turned on auto updates so I’m safe” and never think about it. Then they won’t bother to go to the Appearance > Install Plugins screen and actually update the plugin.
    
    Now the Bridge author is almost certainly going to do something about this because they are a serious author, but there are tens of thousands of non wp.org themes/plugins out there, many of which use TGMPA or do something custom (not through the core updater) or don’t have any update mechanism. We can’t rely on all of those authors taking action, so it would be MUCH better if this was an opt in thing.
    - Ipstenu (Mika Epstein) 3:55 pm on July 17, 2020
      
      I looked back at the Modifying auto-update action links section.
      
      This could be resolved by having the default for 3rd party plugins be ‘updates not available.’ Then the onus is on the 3rd part to add in …
      a filterFilter Filters are one of the two types of Hooks https://codex.wordpress.org/Plugin_API/Hooks. They provide a way for functions to modify data of other functions. They are the counterpart to Actions. Unlike Actions, filters are meant to work in an isolated manner, and should never have side effects such as affecting global variables and output. to ‘plugin_auto_update_setting_html’ to say it’s available. Or possibly a filter that changes their response to ‘yes available.’
      
      if ( pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party is NOT on .org ) and ( plugin has not set ‘have updates’ to true) then “No update available”
      
      Else update available.
      - Stephen Cronin 1:42 am on July 18, 2020
        
        That’d be great.
        
        The ‘Enable auto-updates’ link appears for all wp.org plugins/themes. A “not available” message appears instead for all non wp.org plugins/themes, until they do what they need to do, so that auto updates will work for that pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party/theme. Then they opt in to this.
        
        It’s the opt out part of this that I think is the problem (because many won’t), and that should solve that issue.
  - David Anderson 8:33 am on July 18, 2020
    
    Experience working on Easy Updates Manager (https://wordpress.org/plugins/stops-core-theme-and-plugin-updates/) shows that lots of plugins only load their updater code upon `admin_init`. That means that it’s not there when cron runs, and can’t be invoked via other mechanisms (e.g. ManageWP, UpdraftCentral, etc.) without ugly hacks.
- Paul Biron 9:36 pm on July 17, 2020
  
  First, the `plugin_auto_update_setting_html`, etc filters are not only for use by plugins for which updates aren’t available (altho that is a primary use case). They are also for use by plugins that control auto-updates for other plugins (which could output something like
  
  Auto-updates for this pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party are controlled by My Cool Auto-update Controlling Plugin.
- Paul Biron 9:39 pm on July 17, 2020
  
  Second, just because a pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party is not in the .org repo and does not have it’s own update code that hooksHooks In WordPress theme and development, hooks are functions that can be applied to an action or a Filter in WordPress. Actions are functions performed when a certain event occurs in WordPress. Filters allow you to modify certain functions. Arguments used to hook both filters and actions look the same. into the WP Updates APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways. does not mean that updates aren’t available.
  
  For example, a client hires me to take over managing their existing site. That site has a plugin that used to be in the .org repo but has been pulled (or a custom plugin written just for the site and the developer that wrote it is no longer reachable).
  
  In that case, I commit that plugin to a GitHubGitHub GitHub is a website that offers online implementation of git repositories that can easily be shared, copied and modified by other developers. Public repositories are free to host, private repositories require a paid subscription. GitHub introduced the concept of the ‘pull request’ where code changes done in branches by contributors can be reviewed and discussed before being merged be the repository owner. https://github.com/ repo (owned by the client) and then use the GitHub Updater plugin (which hooks into the WP Updates API) to provide future updates.
  
  So, it is not really possible for coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. to know whether whether a plugin (or theme) could ever have updates.
  - Stephen Cronin 2:49 am on July 18, 2020
    Hi @pbiron. I think I didn’t explain what I was saying clearly enough.
    
    CoreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. doesn’t need to know whether a pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party/theme could ever have updates. It just needs to make this an opt in thing for those that do. I’m suggesting logic such as this:
    
    All plugins/themes on wp.org are automatically opted in and get the ‘Enable auto-updates’ link.
    
    By default, all other plugins/themes get a message that updates are not available.
    
    Then developers who have a 3rd party theme/plugin can manually opt in, using whichever method is most appropriate. If they are using the GithubGitHub GitHub is a website that offers online implementation of git repositories that can easily be shared, copied and modified by other developers. Public repositories are free to host, private repositories require a paid subscription. GitHub introduced the concept of the ‘pull request’ where code changes done in branches by contributors can be reviewed and discussed before being merged be the repository owner. https://github.com/ updater they can turn on the ‘Enable auto-updates’ link. If they want people to update manually via FTPFTP FTP is an acronym for File Transfer Protocol which is a way of moving computer files from one computer to another via the Internet. You can use software, known as a FTP client, to upload files to a server for a WordPress website. https://codex.wordpress.org/FTP_Clients. or go to a different screen (eg Appearance > Install Plugins for TGM PA), then they can filterFilter Filters are one of the two types of Hooks https://codex.wordpress.org/Plugin_API/Hooks. They provide a way for functions to modify data of other functions. They are the counterpart to Actions. Unlike Actions, filters are meant to work in an isolated manner, and should never have side effects such as affecting global variables and output. the message with the appropriate instructions.
    
    There is a trade off here. Either way there will be many authors who do not update their items for this. I’m saying that it is less important for 3rd party plugins/themes with an update mechanism (hooking into the core updater) to automatically get the ‘Enable auto-updates’ link, than it is for those without one to get the link and have it look like auto updates are turned on when in fact the user should be doing something else to get updates.
    
    As it currently stands, core will be actively distracting users from finding the proper update path for thousands of plugins/themes. It’s basically saying to users “You’re safe, this plugin is being updated” when it’s not!
    
    So, I’m suggesting flipping that so it’s opt in, instead of opt out.
    - Stephen Cronin 10:06 am on July 18, 2020
      
      Umm, that should have been:
      
      I’m saying that it is less important for 3rd party plugins/themes with an update mechanism to automatically get the ‘Enable auto-updates’ link, than it is for those without one to NOT get the link and have it look like auto updates are turned on when in fact the user should be doing something else to get updates.
    - Paul Biron 4:26 pm on July 23, 2020
      
      Sorry, meant to reply earlier…but got distracted by other things.
      
      I understand what you’re saying, but I just disagree with it.
      
      To the extent there is a “a false sense of security”, it actually has nothing to do with the new UIUI User interface in 5.5.
      
      Consider a site running 5.4, with no plugins that provide a UI for managing pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party/theme auto-updates (such as the auto-updates feature pluginFeature Plugin A plugin that was created with the intention of eventually being proposed for inclusion in WordPress Core. See Features as Plugins., Easy Updates Manager, Jetpack, etc)…that is, ALL plugin/theme updates are manual.
      
      Further suppose the site has 2 plugins installed: Plugin A is in the .org repo, and gets regular updates, Plugin B is not in the .org repo and has no means of hooking into the WP Updates APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways., and so will never get updates (manual nor automatic).
      
      Every so often, when an adminadmin (and super admin) user logs in, they are informed that an update is available for Plugin A, they go to the plugins screen and do a (manual) update.
      
      That admin user gets very used to those notices about (manual) updates for Plugin A and would rightly think that WHEN an update for Plugin B becomes available they will get a notice about that as well. Of course, since Plugin B doesn’t hook into the Updates API, no such notices will ever appear.
      
      Doesn’t that give them a “false sense of security”? And if it does, shouldn’t coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. output something on the plugins screen that Plugin B will never get updates (manual or automatic)? (hint: I don’t think it should).
      
      The point I’m making is that enabling auto-updates for a plugin/theme is does NOT mean that it will ever get updates; all it means is that IF/WHEN an update is available (via the WP Updates API) it will be auto-updated.
      - Stephen Cronin 3:57 am on July 25, 2020
        
        I’m sorry, but I really have to disagree with you on this.
        
        To the extent there is a “a false sense of security”, it actually has nothing to do with the new UIUI User interface in 5.5.
        
        It has everything to do with the new UI. The new UI makes it look like the pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party will automatically update, even if it won’t. It actively distracts the user from the actual update path.
        
        It’s one thing for there not to be a message telling users about available updates, it’s whole other level to actively imply that the plugin will be getting updates automatically and the user doesn’t need to worry about it when that’s not true.
        
        enabling auto-updates for a plugin/theme is does NOT mean that it will ever get updates; all it means is that IF/WHEN an update is available (via the WP Updates APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways.) it will be auto-updated.
        
        This is not at all clear to the user. The message being conveyed to the user is “this plugin WILL get updates automatically”. That’s what they are going to take away from the current interface.
        
        I don’t think you can expect them to understand that it will only get updates if that particular plugin is on wp.org or uses a compatible updater, and that if that particular plugin has an alternative update path then they still need to follow that. That needs to be made clear to them.
        
        Given that the opening paragraph of this post indicates that this change is all about improving security by keeping things up to date, it’s not acceptable for this feature to lead users into thinking some plugins/themes are up to date when they are not.
        
        The “Enable auto-updates” link should only appear for plugins/themes for which this will actually work. That means wp.org themes/plugins by default, with an opt-in model for authors of 3rd party themes/plugins.
Mike Schroder 5:09 am on July 23, 2020

Thanks for this post! I’m particularly glad to see that the original filters continue to be supported.

One question — is there any way for hosts to enable auto updates by default for plugins and themes, then allow for users to selectively disable certain ones?

That would really help in terms of hosts helping out with the adoption of auto-updates into the future.

Thanks much!
webaware 11:50 pm on July 24, 2020

Great points already raised above, won’t distract by repeating them.

An additional wrinkle is that plugins from outside the WP.org repo that are installed on multisites, but not activated on the primary site, cannot hook in to manage updates, and that also means they cannot hook in to either opt in or opt out of this new mechanism. This already creates a problem where admins don’t see updates for plugins activated only on subsites, and adding to that problem by implying they will be auto-updated is not going to make that any better.

As a simple example: client asked me to look at a multisitemultisite Used to describe a WordPress installation with a network of multiple blogs, grouped by sites. This installation type has shared users tables, and creates separate database tables for each blog (wp_posts becomes wp_0_posts). See also network, blog, site for $reasons and I noticed that Gravity Forms and its add-ons were all waaaaay out of date. They were all activated only on a subsite and had never intercepted a call for an update check. Gravity Forms is a hugely popular commercial pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party that is also a huge target for hackers, thus keeping it updated is hugely important. Implying that this plugin (and its add-ons) are being auto-updated would be hugely risky.

Most certainly, this should be an opt-in feature, not an opt-out feature, for all the reasons already stated above _and_ for the problems surrounding plugins on multisite.
apedog 2:23 am on July 27, 2020

A ticketticket Created for both bug reports and feature development on the bug tracker. has been opened relating to the points raised by @stephencronin above.
https://core.trac.wordpress.org/ticket/50778

Also worth of note is this ticket:
https://core.trac.wordpress.org/ticket/32101
Request for adding a pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party headerHeader The header of your site is typically the first thing people will experience. The masthead or header art located across the top of your page is part of the look and feel of your website. It can influence a visitor’s opinion about your content and you/ your organization’s brand. It may also look different on different screen sizes. field allowing plugins to self-identify as non-wp.org repo plugins.
If at any point a custom/private plugin, with a custom updater AND a naming conflictconflict A conflict occurs when a patch changes code that was modified after the patch was created. These patches are considered stale, and will require a refresh of the changes before it can be applied, or the conflicts will need to be resolved. with a wp.org plugin, is deactivated – WP coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. will assume it’s the plugin from the wp.org repo.
If auto-updates is enabled for that plugin, core may replace that plugin with the wp.org plugin.
Deni 11:59 pm on August 3, 2020

When using the plugin_auto_update_setting_html filterFilter Filters are one of the two types of Hooks https://codex.wordpress.org/Plugin_API/Hooks. They provide a way for functions to modify data of other functions. They are the counterpart to Actions. Unlike Actions, filters are meant to work in an isolated manner, and should never have side effects such as affecting global variables and output., is there a way to check if auto updates have already been enabled for the pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party?
Andrew Wilder 12:14 am on August 4, 2020

Is there any way to delay the auto-updates by a predetermined amount of time? In other words, is there any way to add a delay so a pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party will only auto-update 72+ (for example) hours after the update is available?
Nick Halsey 5:55 pm on August 8, 2020

The ability to manage auto-updates is missing from the theme browser in the customizerCustomizer Tool built into WordPress core that hooks into most modern themes. You can use it to preview and modify many of your site’s appearance settings. (customize.php?autofocus[panel]=themes). This is the newest themes interface in coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress., dating to WordPress 4.2 and 4.9. It’s a very similar technical implementation to themes.php and should be included with the initial release of this feature.
- Jb Audras 2:40 pm on August 9, 2020
  
  Hi @celloexpressions and thank you for pointing this out,
  
  WP 5.5 is planned for Tuesday and themes auto-updates UIUI User interface is not going to be included in CustomizerCustomizer Tool built into WordPress core that hooks into most modern themes. You can use it to preview and modify many of your site’s appearance settings. screen. It may be included in the next major releasemajor release A release, identified by the first two numbers (3.6), which is the focus of a full release cycle and feature development. WordPress uses decimaling count for major release versions, so 2.8, 2.9, 3.0, and 3.1 are sequential and comparable in scope. but not in WP 5.5. I don’t think this change was already pointed out in an existing ticketticket Created for both bug reports and feature development on the bug tracker., so you are welcome to open a new one 🙂 Otherwise I’ll take care of opening this ticket in the next couple of days 🙂
  
  Thanks again,
  JbA
exidon 3:16 am on August 20, 2020

Is there any way to get rid of those plentiful notifications that something has been updated? The free Easy update Manager pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party has done the job well for some time now. With WordPress 5.5 once more I feel forced to use something less functional or intuitive ;-(.
- WordPress Dublin 6:30 pm on August 20, 2020
  
  Agree, surely now with all the disable plugins out there, we should have simple adminadmin (and super admin) panels in Settings to disable these new things. The favicon, gutenbergGutenberg The Gutenberg project is the new Editor Interface for WordPress. The editor improves the process and experience of creating new content, making writing rich content much simpler. It uses ‘blocks’ to add richness rather than shortcodes, custom HTML etc. https://wordpress.org/gutenberg/ etc etc.
- kenian 8:03 pm on August 27, 2020
  
  Completely agree, it’s hard enough mastering the new hierarchy of controls without an incessant influx of update notifications 🙂
- obertscloud 6:29 pm on October 21, 2020
  
  anyone found a solution to disable notifications, I have a lot of websites, these are annoying