Site security is an integral part of modern websites. Keeping sites up to date by running the latest versions of WordPress, PHPPHP The web scripting language in which WordPress is primarily architected. WordPress requires PHP 5.6.20 or higher, and any installed plugins or themes is highly recommended as an easy way to keep a site safe from any known security vulnerabilities.

By default, WordPress itself is configured to automatically update when new minor versions become available. While the code to auto-update plugins and themes has been in CoreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. for just as long, it’s seldom used by site owners because it requires the use of a filterFilter Filters are one of the two types of Hooks https://codex.wordpress.org/Plugin_API/Hooks. They provide a way for functions to modify data of other functions. They are the counterpart to Actions. Unlike Actions, filters are meant to work in an isolated manner, and should never have side effects such as affecting global variables and output. hook.

This past February, a feature plugin was created in response to the 9 Projects for 2019/2020 to explore introducing a user interface that allows site administrators to easily manage pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party and theme auto-updates right from the dashboard. After 5 months of development on the GitHub repository, user feedback (the plugin was available on the WordPress.org plugin directory), testing (which includes over 1,000 active installs), and iterating by the contributors of the #core-auto-updates team, this feature pluginFeature Plugin A plugin that was created with the intention of eventually being proposed for inclusion in WordPress Core. See Features as Plugins. was merged into Core in [47835] and will be released in WordPress 5.5.

These new controls will allow website owners to keep their sites up-to-date and secure with less time and effort.

Note: Plugin and theme auto-updates are disabled by default. Administrators and site owners need to enable this feature to receive automatic plugin and theme updates. However, language packs for plugins and themes have always auto-updated when new updates are available. The new interface will not adjust language pack updates.

By default, all users with the update_plugins and update_themes capabilities are able to toggle auto-updates for plugins and themes respectively. On multisitemultisite Used to describe a WordPress installation with a network of multiple blogs, grouped by sites. This installation type has shared users tables, and creates separate database tables for each blog (wp_posts becomes wp_0_posts). See also network, blog, site installations, only networknetwork (versus site, blog) administrators have this capability, and only when in the context of the network dashboard.

A number of hooksHooks In WordPress theme and development, hooks are functions that can be applied to an action or a Filter in WordPress. Actions are functions performed when a certain event occurs in WordPress. Filters allow you to modify certain functions. Arguments used to hook both filters and actions look the same. are included for plugin authors and WordPress developers to customize the new feature to fit their needs. Let’s have a look at the available functions and hooks and how they can be used to tailor the plugin and theme auto-update experience.

New function: wp_is_auto_update_enabled_for_type()

This function indicates whether auto-updates are enabled for a given type. The two types accepted are theme and plugin.

// Check if auto-updates are enabled for plugins.
$plugin_auto_updates_enabled = wp_is_auto_update_enabled_for_type( 'plugin' );

Disable the auto-update user interface elements

It is possible to disable the new interface elements if desired. Returning false to the plugins_auto_update_enabled and themes_auto_update_enabled filters will disable the user interface elements for plugins and themes respectively. By default, these are enabled (true).

Note: This does not enable or disable auto-updates. It controls whether to show the user interface elements.

The following snippet will disable the plugin and theme auto-update UIUI User interface elements:

// Disable plugins auto-update UI elements.
add_filter( 'plugins_auto_update_enabled', '__return_false' );

// Disable themes auto-update UI elements.
add_filter( 'themes_auto_update_enabled', '__return_false' );

Modifying auto-update action links

Sometimes, a plugin or theme may want to manage updates on their own. This is common when they are not hosted on the WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ directories. For these instances, there are filters in place so plugin and theme authors can modify the auto-update related HTMLHTML HyperText Markup Language. The semantic scripting language primarily used for outputting content in web browsers. output in certain locations.

Plugins screen: single site and multisite

With the plugin_auto_update_setting_html filter, it’s possible to filter auto-update column content, including the toggle links and time till next update attempt.

This filter pass the default generated HTML content of the auto-updates column for a plugin, with two additional parameters:

• $plugin_file: The path to the main plugin file relative to the plugins directory.
• $plugin_data: An array of plugin data.

For example, let’s say the “My plugin” plugin wants to prevent auto-updates from being toggled and its path relative to the plugins directory is my-plugin/my-plugin.php. The following example will change what is displayed within the auto-update column for that plugin:

function myplugin_auto_update_setting_html( $html, $plugin_file, $plugin_data ) {
	if ( 'my-plugin/my-plugin.php' === $plugin_file ) {
		$html = __( 'Auto-updates are not available for this plugin.', 'my-plugin' );
	}

	return $html;
}
add_filter( 'plugin_auto_update_setting_html', 'myplugin_auto_update_setting_html', 10, 3 );

Below is the result:

For reference, here is the default HTML content:

<a href="…" class="toggle-auto-update" data-wp-action="…">
	<span class="dashicons dashicons-update spin hidden" aria-hidden="true"></span>
	<!-- The following text is replaced with "Disable auto-updates" when auto-updates are already enabled for this plugin -->
	<span class="label">Enable auto-updates</span>
</a>

Themes screen: single site only

Filtering the auto-update HTML content for Themes screen is a bit more tricky since this screen is rendered with a JavaScriptJavaScript JavaScript or JS is an object-oriented computer programming language commonly used to create interactive effects within web browsers. WordPress makes extensive use of JS for a better user experience. While PHP is executed on the server, JS executes within a user’s browser. https://www.javascript.com/. template. However, it is possible to hook into this screen using the theme_auto_update_setting_template filter and returning a modified $template (the rendering template used for every theme on the Themes page).

Note: since this template is used for each theme on the page, using a conditional statement to check for the theme being targeted is highly recommended. This can be done by utilizing the data.id JSJS JavaScript, a web scripting language typically executed in the browser. Often used for advanced user interfaces and behaviors. parameter (which contains the theme slug).

Full documentation about the properties available for the theme data object is available in wp_prepare_themes_for_js() DevHub page.

The following example will replace the text auto-update HTML content for the my-theme and twentytwenty themes:

function myplugin_auto_update_setting_template( $template ) {
	$text = __( 'Auto-updates are not available for this theme.', 'my-plugin' );

	return "<# if ( [ 'my-theme', 'twentytwenty' ].includes( data.id ) ) { #>
		<p>$text</p>
		<# } else { #>
		$template
		<# } #>";
}
add_filter( 'theme_auto_update_setting_template', 'myplugin_auto_update_setting_template' );

Below is the result:

For reference, here is the default template output:

<div class="theme-autoupdate">
	<# if ( data.autoupdate ) { #>
		<a href="{{{ data.actions.autoupdate }}}" class="toggle-auto-update" data-slug="{{ data.id }}" data-wp-action="disable">
			<span class="dashicons dashicons-update spin hidden" aria-hidden="true"></span>
			<span class="label">' . __( 'Disable auto-updates' ) . '</span>
		</a>
	<# } else { #>
		<a href="{{{ data.actions.autoupdate }}}" class="toggle-auto-update" data-slug="{{ data.id }}" data-wp-action="enable">
			<span class="dashicons dashicons-update spin hidden" aria-hidden="true"></span>
			<span class="label">' . __( 'Enable auto-updates' ) . '</span>
		</a>
	<# } #>
	<# if ( data.hasUpdate ) { #>
		<# if ( data.autoupdate ) { #>
			<span class="auto-update-time">
		<# } else { #>
			<span class="auto-update-time hidden">
		<# } #>
		<br />' . wp_get_auto_update_message() . '</span>
	<# } #>
	<div class="notice notice-error notice-alt inline hidden"><p></p></div>
</div>

Themes screen: multisite only

On multisite installs, the Themes screen can be modified in a way similar to the Plugins screen detailed above. Using the theme_auto_update_setting_html filter, the auto-update column content can be filtered, including the toggle links and time till next update.

This filter is passed the default generated HTML content of the auto-updates column for a theme with two additional parameters:

• $stylesheet: The directory name of the theme (or slug).
• $theme: The full WP_Theme object.

For example, let’s say the network administrator of a multisite network wants to disallow auto-updates for the Twenty Twenty theme. The following example will change what is displayed within the auto-update column for that theme:

function myplugin_theme_auto_update_setting_html( $html, $stylesheet, $theme ) {
	if ( 'twentytwenty' === $stylesheet ) {
		$html = __( 'Auto-updates are not available for this theme.', 'my-plugin' );
	}

	return $html;
}
add_filter( 'theme_auto_update_setting_html', 'myplugin_theme_auto_update_setting_html', 10, 3 );

Blanket auto-update opt-in

If a developer wants to enable auto-updates for all plugins and/or themes (including any that are installed in the future), the auto_update_plugin/auto_update_theme filters can be used.

// Enable all plugin auto-updates.
add_filter( 'auto_update_plugin', '__return_true' );

// Enable all theme auto-updates.
add_filter( 'auto_update_theme', '__return_true' );

Note: Any value returned using these filters will override all auto-update settings selected in the adminadmin (and super admin). Changes made using these filters also will not be reflected to the user in the interface. It is highly recommended to use these filters in combination with the hooks detailed above to inform the user of the auto-update policy being enforced.

This approach will not be appropriate for all sites. It’s recommended to use the new UI to manage auto-updates unless you’re sure blanket opting-in is right for your site.

Also note: This filter was added to the codebase in WordPress 3.7.0 and is likely being used to blanket enable auto-updates for plugins and themes on sites today. If it appears the new UI elements are not changing the auto-update behavior for plugins or themes on your site, this may be why. #50662 has been opened to notify site owners that this filter is being used in Site Health.

For information, refer to the following tickets on TracTrac An open source project by Edgewall Software that serves as a bug tracker and project management tool for WordPress.: #50052, #50280.

This post is the first part of the plugins and themes auto-updates dev notesdev note Each important change in WordPress Core is documented in a developers note, (usually called dev note). Good dev notes generally include a description of the change, the decision that led to this change, and a description of how developers are supposed to work with that change. Dev notes are published on Make/Core blog during the beta phase of WordPress release cycle. Publishing dev notes is particularly important when plugin/theme authors and WordPress developers need to be aware of those changes.In general, all dev notes are compiled into a Field Guide at the beginning of the release candidate phase. for WordPress 5.5.

Thanks @desrosj and @pbiron for technical review and proofreading.

#5-5, #auto-update, #auto-updates, #dev-notes, #feature-plugins, #feature-projects, #feature-autoupdates