Automatic updates are a great way of making sure your application gets security updates as soon as they are available. Once a vendor releases a security update, it is crucial to apply it in a timely manner before malicious actors exploit the vulnerability. Relying on manual updates is usually too late, especially if the application is publicly accessible on the internet.

Ask Yourself Whether

• there is no specific reason for deactivating all automatic updates.
• you meant to deactivate only automatic major updates.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Don’t deactivate automatic updates unless you have a good reason to do so. This way, you’ll be sure to receive security updates as soon as they are available. If you are worried about an automatic update breaking something, check if it is possible to only activate automatic updates for minor or security updates.

Sensitive Code Example

define( 'WP_AUTO_UPDATE_CORE', false ); // Sensitive
define( 'AUTOMATIC_UPDATER_DISABLED', true ); // Sensitive

Compliant Solution

define( 'WP_AUTO_UPDATE_CORE', true ); // Minor and major automatic updates enabled
define( 'WP_AUTO_UPDATE_CORE', 'minor' ); // Only minor updates are enabled
define( 'AUTOMATIC_UPDATER_DISABLED', false );

See

• OWASP - Top 10 2021 Category A5 - Security Misconfiguration
• Wordpress.org - Disable WordPress Auto Updates
• OWASP - Top 10 2017 Category A6 - Security Misconfiguration