How to Disable WordPress Automatic Updates (Core, Plugins, Themes)

WordPress automatic updates are a feature introduced in WordPress 3.7 (2013) and extended to plugins and themes in WordPress 5.5 (August 2020). They let WordPress install minor core, plugin, theme and translation updates without manual intervention. You can disable them globally via the WP_AUTO_UPDATE_CORE constant in wp-config.php, granularly via the auto_update_plugin and auto_update_theme filters in functions.php, or per-item in the WordPress admin under Plugins and Appearance » Themes.

Should I disable automatic updates in 2026?

For most sites the answer is no. Automatic minor updates close known security holes within hours of release and have an excellent track record since 2013. Disable them only if you have a controlled deployment process, a staging environment with automated tests, or compatibility risks with custom code.

• Keep enabled if: single-site WordPress, no custom plugins, no staging workflow.
• Consider disabling if: mission-critical e-commerce, custom-coded plugins/themes, regulated industry (finance, health), or you run a managed staging → production pipeline.

Which update types can I control?

1. Core major (e.g. 6.4 → 6.5) — disabled by default, opt-in.
2. Core minor (e.g. 6.5.1 → 6.5.2) — enabled by default since WP 3.7.
3. Core development nightlies — opt-in only.
4. Plugin auto-updates — opt-in per plugin since WP 5.5.
5. Theme auto-updates — opt-in per theme since WP 5.5.
6. Translations — enabled by default.

Method 1: Disable via wp-config.php (recommended)

Edit wp-config.php in your WordPress root and add one of the following lines above the /* That's all, stop editing! */ comment:

// Disable ALL core, plugin, theme and translation updates
define( 'AUTOMATIC_UPDATER_DISABLED', true );

// OR: Disable only core auto-updates (keep plugin/theme/translations on)
define( 'WP_AUTO_UPDATE_CORE', false );

// OR: Allow minor + security updates only (default since WP 3.7)
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// OR: Enable major version auto-updates too
define( 'WP_AUTO_UPDATE_CORE', true );

Constants in wp-config.php override every UI setting and filter, so this is the safest place to enforce policy on production.

Method 2: Disable plugin and theme auto-updates via functions.php

Add to your child theme's functions.php or a custom mu-plugin:

// Disable all plugin auto-updates
add_filter( 'auto_update_plugin', '__return_false' );

// Disable all theme auto-updates
add_filter( 'auto_update_theme', '__return_false' );

// Disable translation auto-updates
add_filter( 'auto_update_translation', '__return_false' );

Method 3: Disable per plugin or theme in the admin UI

Since WordPress 5.5 every plugin and theme has its own toggle:

• Plugins: WP-Admin » Plugins → column "Automatic Updates" → click Disable auto-updates.
• Themes: WP-Admin » Appearance » Themes → click theme → Disable auto-updates.

Why are my auto-updates failing silently?

If updates are enabled but not running, check:

• File permissions: WordPress needs write access to wp-content/ and the WordPress root.
• WP-Cron: auto-updates run via wp_version_check, wp_update_plugins, wp_update_themes cron events. A blocked WP-Cron breaks them.
• DISALLOW_FILE_MODS: if this constant is true in wp-config.php, all updates are disabled.
• Maintenance file: a leftover .maintenance file blocks future updates.

What InspectWP checks

InspectWP reports the detected WordPress core version and the installed plugin and theme versions, and flags outdated or removed plugins from the WordPress.org repository. Run a report after disabling auto-updates to make sure you still patch critical security releases manually.