One of the core principles of the WordPress project is that WordPress allows everyone to build a site over which they have complete control. Automatic updates ask users to cede some of that control; they’re essentially a mechanism for injecting code into a live web application. WordPress professionals (and those who aspire to the knowledge of professionals) may find that idea unappealing, which is one reason so many WordPress sites have automatic updates turned off.
It’s important to understand what automatic updates can change. By default, WordPress’s background updater installs only minor core releases (the security and maintenance point releases, such as 4.x.1) and translation files. Major releases are not installed automatically, and plugin and theme updates are not installed automatically unless the site has been configured to allow them. So the mechanism that professionals worry about is, out of the box, mostly a mechanism for delivering security patches.
I understand why professionals turn off automatic updates, but it’s a mistake to turn them off on a site that will be handed over to a client. Non-technical WordPress users often neglect to update their sites, and the resulting security vulnerabilities make the web a worse place for everyone.
WordPress is intended to make it easy for everyone to publish on the web. To do that, it has to straddle a fine line between features that experts find useful and those that serve non-technical users. Automatic updates are aimed squarely at the latter: people who don’t understand the necessity of updates, who are likely to tire of updating WordPress frequently, and who often simply ignore update notifications. Most compromised WordPress sites are running software with known vulnerabilities for which a patch already existed; an up-to-date site is simply not exposed in those ways.
There are good reasons for professionals to turn off automatic updates in some cases. Updates can break things, and although it’s unlikely that a minor update will introduce incompatibilities or serious bugs, it’s a risk many professionals aren’t prepared to take. The risk is greater on sites with custom plugins or alterations to WordPress Core, but users who make those sorts of modifications should be prepared to update manually, and to test updates on a staging copy first. Even then, the right response is usually to restrict what the updater may touch (keep minor core releases on, pin the things you have customized) rather than to switch it off wholesale. If the site is to be managed by non-technical users, making modifications to WordPress Core is a bad idea anyway.
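The scope described above, and the selective alternative to switching the updater off, as an added example that is not code from the original post or from the WordPress project: a must-use plugin dropped into wp-content/mu-plugins/ that keeps minor core releases automatic, auto-updates only an explicitly listed set of plugins, and pins themes. The constant and filter names are WordPress core’s own; the plugin slug in the allow-list is a placeholder.

```php
<?php
/**
 * Added example (not from the original post, not WordPress project code).
 * Place in wp-content/mu-plugins/ so it loads before any regular plugin.
 * Constant and filter names below are WordPress core's own; the plugin
 * allow-list is a placeholder you would replace with your own slugs.
 */

// The blunt instrument. Any one of these lines in wp-config.php switches off
// the whole background updater, security point releases included. They are
// shown only for contrast with the selective setup that follows.
//
//   define( 'AUTOMATIC_UPDATER_DISABLED', true );
//   define( 'WP_AUTO_UPDATE_CORE', false );
//   define( 'DISALLOW_FILE_MODS', true );   // also blocks plugin/theme installs

// Selective setup for core: minor (security/maintenance) releases stay
// automatic; major releases and development builds are left for a human.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );
add_filter( 'allow_dev_auto_core_updates',   '__return_false' );

// Plugins: auto-update only an explicit allow-list. Anything custom or
// heavily modified stays off the list and is updated by hand after testing.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $unattended = array( 'akismet' ); // placeholder allow-list of plugin slugs
    if ( ! isset( $item->slug ) ) {
        return false;
    }
    return in_array( $item->slug, $unattended, true );
}, 10, 2 );

// Themes: never auto-update. A child theme's parent could otherwise change
// under a client's site without anyone reviewing it.
add_filter( 'auto_update_theme', '__return_false' );

// Translations carry no executable code; leave them automatic (the default).
add_filter( 'auto_update_translation', '__return_true' );

// Keep the result e-mail to the site admin address on, so the person who
// will eventually be asked "what changed?" has a record.
add_filter( 'auto_core_update_send_email', '__return_true' );
```

Two things to check after installing this on a site you are handing over. First, the updater will silently do nothing if it cannot actually run: WordPress skips background updates when it finds a version-control checkout (a .git, .svn, .hg or .bzr directory in or above the install) or when the web server cannot write to the WordPress files with its own permissions, so a site that has updates "turned on" may still not be receiving them. Second, the updater runs from WP-Cron, so a site whose cron is disabled or never triggered by traffic will not update either. The Site Health screen reports whether background updates are working, and it is worth confirming that before the handover rather than after the first missed security release.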
It’s true that allowing a third party to inject code into your website can be dangerous; for some it’s a trust too far. The trust is concrete: the updater fetches packages over HTTPS from WordPress.org’s servers and checks them against hashes published by those same servers, so what you are trusting is that infrastructure and the TLS connection to it. Professional users have every right to decide that is too much. But it’s not wise to make that decision on behalf of the non-technical users who will manage a site. The risk of WordPress’s update infrastructure being compromised is tiny. The risk of an unpatched WordPress installation being compromised is anything but tiny. Hacked WordPress sites present a danger to the site’s owners, to its users, and to the wider web, which they are routinely used to attack.
On balance, automatic updates are a good thing. As a WordPress professional, you are free to decide whether or not to use automatic updates, but if you plan to hand over a site to be managed by a non-technical user or a user who can’t be relied on to update their site promptly, the smart choice is to leave automatic updates turned on.