Now, in version 3.7 and above, WordPress has added a feature where you'll automatically get updates to the core WordPress software.
Automatic Background Updates (codex.wordpress.org)
For WordPress 3.7+, you don’t have to lift a finger to apply minor and security updates. Most sites are now able to automatically apply these updates in the background. If your site is capable of one-click updates without entering FTP credentials, then your site should be able to update from 3.7 to 3.7.1, 3.7.2, etc. (You’ll still need to click “Update Now” for major feature releases.)
This is good because it'll make the Internet more secure. There will be fewer websites out there with the risk of being hacked. Of course, no software is secure or hack-proof, but this will help for sure. We like that.
If your website requires that you enter in your FTP information to install plugins, then you won't get these updates automatically. Instead, you'll see a message that says:
This site is not able to apply these updates automatically. But we’ll email [administrator's email address] when there is a new security release.
And if you want to further diagnose why FTP credentials are needed, you can install a plugin called Background Update Tester that will give you some more information.
Here are some reasons why automatic upgrades may not work:
Automatic Core Updates, an update (make.wordpress.org)
In order for Automatic Updates to be enabled, there are a few simple requirements:
- If the install uses FTP for updates (and prompts for credentials), automatic updates are disabled
- If the install is running as a SVN or GIT checkout, automatic updates are disabled
- If the constants DISALLOW_FILE_MODS or AUTOMATIC_UPDATER_DISABLED are defined, automatic updates are disabled
- If the constant WP_AUTO_UPDATE_CORE is defined as false, automatic updates are disabled
- Your WordPress install also needs to be able to contact WordPress.org over HTTPS connections, so your PHP install also needs OpenSSL installed and working
- Wp-Cron needs to be operational, if for some reason cron fails to work for your install, Automatic Updates will also be unavailable
There may be some reasons why you want automatic upgrades turned off, but this is usually the case only for more advanced users.
If you try to do upgrades or install plugins and WordPress is asking for your FTP login, then there are some things you can do. First, WordPress is asking for this because file permissions don't line up. Here's some more info on this:
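To see which of the conditions in that list apply to a given install, here is an added example (not code from WordPress or from the quoted post). It is a static check: it looks for a version-control directory in the WordPress root and for the listed constants in wp-config.php, and it does not test OpenSSL or Wp-Cron. The function name and the output labels are made up for this example.

```shell
#!/bin/sh
# Added example: static check of a WordPress directory for the
# update blockers listed above. Function name and labels are hypothetical.
# Usage: sh check.sh /path/to/wordpress

wp_autoupdate_blockers() {
    root=$1
    config="$root/wp-config.php"

    # A version-control checkout disables background updates.
    for vcs in .svn .git; do
        [ -d "$root/$vcs" ] && echo "vcs-checkout: $root/$vcs"
    done

    [ -f "$config" ] || { echo "no-config: $config not found"; return 2; }

    # Drop lines that are entirely comments so commented-out defines are ignored.
    active=$(grep -Ev '^[[:space:]]*(//|#|/?\*)' "$config" || true)

    # Constants that the list above says disable the updater when defined.
    for const in DISALLOW_FILE_MODS AUTOMATIC_UPDATER_DISABLED; do
        printf '%s\n' "$active" |
            grep -Eq "define[[:space:]]*\([[:space:]]*['\"]$const['\"]" &&
            echo "constant: $const is defined"
    done

    # WP_AUTO_UPDATE_CORE only blocks updates when it is defined as false.
    printf '%s\n' "$active" |
        grep -Eiq "define[[:space:]]*\([[:space:]]*['\"]WP_AUTO_UPDATE_CORE['\"][[:space:]]*,[[:space:]]*false" &&
        echo "constant: WP_AUTO_UPDATE_CORE is false"

    return 0
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    wp_autoupdate_blockers "$1"
fi
```

No output means none of these static blockers were found; the Background Update Tester plugin mentioned above covers the runtime checks.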
Can I install/update wordpress plugins without providing ftp access? (stackoverflow.com)
WordPress will only prompt you for your FTP connection information while trying to install plugins or a wordpress update if it cannot write to /wp-content directly. Otherwise, if your web server has write access to the necessary files, it will take care of the updates and installation automatically. This method does not require you to have FTP/SFTP or SSH access, but it does require you to have specific file permissions set up on your webserver.
In summary, if you do not want to (or you cannot) change permissions on wp-content so your web server has write permissions, then add this to your wp-config.php file:
define('FS_METHOD', 'direct');
Also, another explanation:
[resolved] Plugin Install Asks for FTP Details (wordpress.org)
WordPress asks for your FTP credentials when it can't access the files directly. This is usually caused by PHP running as the apache user (mod_php or CGI) rather than the user that owns your WordPress files (suPHP or FastCGI). Switching over to using suPHP or FastCGI would probably fix it.
You want to make sure that your wp-content directory is never set to 777. Sure, that's one way around this but having those open permissions leaves your website open to being compromised/hacked.
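Here is an added example (not from the quoted posts) that audits wp-content for both problems described above: entries that are world-writable, as chmod 777 would leave them, and entries owned by someone other than the user PHP runs as. The function name and output labels are made up for this example, and the PHP user is something you supply.

```shell
#!/bin/sh
# Added example: audit wp-content permissions and ownership.
# Names and labels are hypothetical; php_user is the account PHP runs as
# on your server (an assumption you supply, by name or numeric uid).
# Usage: sh audit.sh /path/to/wordpress www-data

wp_content_audit() {
    content="$1/wp-content"
    php_user=$2
    result=0

    [ -d "$content" ] || { echo "missing: $content"; return 2; }

    # World-writable entries (the "other" write bit, as set by chmod 777).
    # Symlinks are skipped because their own mode bits are not meaningful.
    ww=$(find "$content" ! -type l -perm -0002 -print)
    if [ -n "$ww" ]; then
        printf '%s\n' "$ww" | sed 's|^|world-writable: |'
        result=1
    fi

    # Entries owned by someone other than the PHP user: this is the
    # mismatch the forum answer above gives as the usual cause of the FTP prompt.
    foreign=$(find "$content" ! -user "$php_user" -print)
    if [ -n "$foreign" ]; then
        printf '%s\n' "$foreign" | sed "s|^|not-owned-by-$php_user: |"
    fi

    return $result
}

# Run against the directory and user given on the command line, if any.
if [ "$#" -ge 2 ]; then
    wp_content_audit "$1" "$2"
fi
```

The function returns 1 when anything world-writable is found, so it can be used in a scheduled check that alerts on a non-zero exit status.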
For our clients (both for the ones we host and the ones with their own hosting), we provide WordPress upgrades through our Website Maintenance Department. They aren't free but they're just a part of the cost of owning and running a website. We will send you an email when a new update comes out or you can sign up for our WordPress Upgrade Program to have them done by us (manually) when they come out.
WordPress Does Upgrades Automatically Now, So Why Do This?
Yes, WordPress now does have automatic upgrades to the core software. This isn't the case with plugins. If a plugin isn't up to date, you could have a hole that could be exploited. Your website is only as secure as its weakest part. To make sure you're as secure as can be, your plugins need to be upgraded. Do not just rely on the automatic upgrades that WordPress supplies. That's not enough.
Also, whenever an update is applied, testing should be done. You don't want to find out later that your forms stopped working or your e-commerce stopped working for some strange reason. Testing does need to be done with any upgrade - either the core software or plugins. This is why we continue to provide this service to our clients.
Yes, it's great that WordPress now has automatic upgrades. Again, we see how that'll make the Internet even more secure, which is great. Can you rely on just those updates to have a secure website? No. Your plugins need to also be upgraded and whenever any upgrade is done, you need to do testing or have someone do it for you.
-Tony