Should You Auto-Update WordPress? An Honest 2026 Guide
Should you auto-update WordPress or stage every release? This honest 2026 guide weighs the risks, walks through VRT-backed solutions, and gives UK SMEs a practical framework for keeping sites secure without breaking them.
Don't update and you're exposed; update blindly and you break things. Here's the honest answer for UK SMEs in 2026.
Your WordPress site runs on four layers of software — core, themes, plugins, and PHP — and every one of them needs regular updates to stay secure, fast, and functional. Skip them and you’re exposed. Apply them blindly and you risk breaking something your customers see.
This post cuts through the noise and gives you a practical framework for handling WordPress updates in 2026. We’re talking about software updates here, not editing your content — if that’s what you’re after, see “Will I be able to update the site myself?”. And for the full picture on keeping your site healthy, start with our complete guide to WordPress maintenance: what it is and what it should cover in 2026.
What “WordPress updates” actually covers
WordPress isn’t a single product. It’s a stack: core software, a theme that controls how your site looks, plugins that add functionality, and the PHP language running it all on the server. Each layer publishes updates independently, and each can break something if it clashes with another.
Core updates split into two types. Minor and security releases (like 6.8.1) patch vulnerabilities and fix bugs — small, low-risk, and WordPress auto-applies them by default. Major releases (like 6.8 “Cecil” or the upcoming 7.0) introduce new features and sometimes change how themes and plugins behave.
The recent trajectory has been rapid: 6.7 “Rollins” in November 2024, 6.8 “Cecil” in April 2025, 6.9 “Gene” in December 2025, and 7.0 scheduled for April 2026.
Plugin and theme updates follow their own schedules. Some ship weekly; some go months without a release. The key point: every outdated component is a potential entry point, and keeping one layer current while ignoring another leaves gaps.
Why update speed matters
The scale of the problem is stark. Patchstack’s 2024 report logged 7,966 new WordPress ecosystem vulnerabilities — up 34% year-on-year — with 96% sitting in plugins and 33% unpatched at the time of disclosure. By 2025, that figure climbed to 11,334 new vulnerabilities, a further 42% rise.
Attackers move fast. The OttoKit / SureTriggers plugin (100,000+ installs) saw its authentication bypass vulnerability exploited just four hours after public disclosure. And the window doesn’t close — SecurityAffairs reported that Wordfence blocked 8.75 million exploit attempts against GutenKit and Hunk Companion flaws across just two days in October 2025, a full year after patches were available.
The maths is simple: every hour a known vulnerability sits unpatched, automated scanners are testing it. Wordfence blocked over 54 billion malicious requests in 2024 alone. For a deeper look at the threat landscape, see our guide to WordPress Security: A UK Guide for Small Businesses.
The debate — auto-update everything or stage with regression testing?
The WordPress community is split, and both sides have credible arguments.
Matt Mullenweg, WordPress co-creator, wants auto-updates to become the default across the entire stack: “I hope security and auto-upgrades not just for core but for plugins and themes becomes the next standard” (ma.tt, 2025). His logic is sound — if the OttoKit exploit landed four hours after disclosure, human-speed updates aren’t fast enough for security patches.
Enterprise agencies see it differently. 10up’s SiteWatch team maintains that “every update passes through version control, peer review, and structured QA” (10up, 2025). Their concern: a plugin update that passes security checks can still break a checkout flow, a contact form, or a page layout. For a site generating revenue, silent front-end breakage can cost more than the vulnerability it was meant to fix.
Neither camp is wrong. They’re solving for different risk profiles. A brochure site with five plugins faces a different calculation than a WooCommerce store processing thousands of pounds daily. The question isn’t whether to update — it’s how much verification you need before each update goes live.
The VRT-backed middle ground
Visual regression testing (VRT) has emerged as the practical compromise. The idea: apply updates automatically, take pixel-level screenshots before and after, compare them, and roll back if something visually breaks.
Kinsta’s Automatic Updates add-on (£3 per environment per month) does exactly this — pixel-level comparison against the homepage plus four random pages, with auto-rollback on failure. WP Engine’s Smart Plugin Manager bundles equivalent functionality on their Managed Plus, Secure, and eCommerce tiers. And 10up has added AI-powered change classification to distinguish genuine breakage from cosmetic drift.
What VRT handles well: standard plugin and theme updates on sites with predictable layouts. What it doesn’t cover: custom back-end logic, API integrations, premium plugins outside the tool’s managed list, or database-level changes that affect functionality without changing appearance.
VRT is a genuine step forward — but it’s a safety net, not a replacement for understanding what your site runs and why.
A decision framework by site type
There’s no single right answer. Here’s a framework based on risk:
| Site type | Recommended approach |
|---|---|
| Simple brochure site (5–10 plugins) | Auto-update with VRT. Low complexity, low breakage risk. |
| Content-heavy blog | Auto-update minor/security releases. Stage and test major core updates. |
| Custom theme + business-critical plugins | Staged updates with manual regression testing on every release. |
| WooCommerce / transactional | Staged + full regression + documented rollback plan. Revenue is on the line. |
The common thread: security patches should always go live as quickly as your process allows. The only variable is how much testing sits between “released” and “live.”
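As an added example (not code from this article or from WordPress itself), here is a must-use plugin that implements the "content-heavy blog" row: minor and security core releases apply automatically, major releases wait for staging, and plugins auto-update unless they are on a hold-back list. The slugs in the list and the `example_` names are hypothetical; the filters are WordPress core hooks.

```php
<?php
/**
 * Plugin Name: Example update policy (added example, not the article's code)
 *
 * Save as wp-content/mu-plugins/example-update-policy.php so it loads on
 * every request and cannot be deactivated from the admin screen.
 */

// Assumption: hypothetical slugs of business-critical plugins that must go
// through staging before they are updated on the live site.
const EXAMPLE_STAGED_PLUGINS = array( 'example-checkout', 'example-booking-form' );

// Core: keep minor/security releases automatic, hold major releases back.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

/**
 * Decide whether one plugin may auto-update.
 *
 * @param bool|null $update Decision so far (reflects the per-plugin toggle).
 * @param object    $item   Update offer; $item->slug identifies the plugin.
 * @return bool True to apply the update automatically, false to hold it.
 */
function example_plugin_update_policy( $update, $item ) {
	$slug = isset( $item->slug ) ? $item->slug : '';

	// Offers without a slug (some premium plugins) cannot be matched against
	// the list, so treat them as "stage first" rather than guessing.
	if ( '' === $slug || in_array( $slug, EXAMPLE_STAGED_PLUGINS, true ) ) {
		return false;
	}

	// Everything else updates automatically. Note this overrides the
	// per-plugin "Enable auto-updates" toggle on the Plugins screen.
	return true;
}
add_filter( 'auto_update_plugin', 'example_plugin_update_policy', 10, 2 );

// Themes: assumes a custom theme, which the framework says to stage.
add_filter( 'auto_update_theme', '__return_false' );
```

Plugins on the hold-back list no longer receive security fixes automatically, so they need an owner and a staging run on the cadence the site's process sets.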
How often should I update my website?
A sensible cadence for most UK SMEs:
- Security releases (core, plugins, themes): immediately, or within hours if using VRT-backed auto-updates.
- Plugin and theme updates: weekly, ideally tested in a staging environment first.
- Core major releases: within 24–72 hours of release, tested in staging.
- PHP version: review quarterly against the official support calendar. Only PHP 8.2, 8.3, 8.4, and 8.5 remain supported as of April 2026.
The principle: security waits for no one; everything else earns a brief pause for verification.
What’s coming — 6.9 Gene, 7.0, and the PHP 8.x baseline
Two developments demand attention before the end of April 2026.
WordPress 7.0 drops PHP 7.2 and 7.3. Make WordPress Core confirmed this in January 2026, with 7.0 scheduled for April 2026 (though currently delayed pending a real-time collaboration data-model rework). If your host still runs PHP 7.x, you’ll need to upgrade before 7.0 lands — or your site will stop receiving core updates.
WordPress 6.9 Gene (December 2025) introduced block-level Notes — the first step in Phase 3 collaborative editing — alongside the Abilities API and PHP 8.5 compatibility. These are foundational changes that affect how themes and plugins interact with the editor, and they signal where WordPress is headed.
Keep your WordPress updates on track
The honest answer to “should you auto-update?” is: it depends on what breaks when something goes wrong. Auto-update where the risk is low, stage and test where revenue or brand reputation is on the line, and never let your site run on end-of-life PHP.
If you’d rather hand this to a team that manages WordPress updates every day, our WordPress Hosting and Maintenance plans start from £35 per month — hosting, updates, monitoring, and people who know WordPress inside out. And for the complete picture on keeping your site healthy, read our full guide to WordPress maintenance: what it is and what it should cover in 2026.