Content Marketing

Understanding WordPress Autoupdates and How to Host Your Own or Disable Them

Douglas Karr Douglas KarrOct 22, 2025
4 minutes read

WordPress has evolved into an incredibly self-sustaining ecosystem, and one of its most important modern features is automatic updates. These updates can keep your site secure and current without requiring manual intervention. Still, they also introduce risks for developers and site owners who rely on customized themes or interdependent plugins.

Understanding how autoupdates work and how to manage them is essential for anyone maintaining a professional WordPress installation.

How WordPress Autoupdates Work

Since WordPress 5.5, both plugins and themes can update automatically. Administrators can enable or disable this feature through the WordPress dashboard or by using filters in code.

When autoupdates are enabled, WordPress periodically checks the version metadata provided by each plugin or theme’s update URI. This metadata is compared to what’s installed on your site. If a newer version is available, WordPress downloads the ZIP file from the source URL, unpacks it, replaces the old files, and logs the update in the site’s event records.

WordPress connects to two different types of update endpoints:

  • Official WordPress.org repository: By default, WordPress checks api.wordpress.org for updates to any plugin or theme downloaded from the public repository. When an update is published there, the system automatically includes it in the next scheduled check.
  • Custom-hosted plugins or themes: Developers can override the default update source and point WordPress to a self-hosted server. This means you can publish updates privately, which is ideal for proprietary or paid plugins, client work, or when you prefer not to use the official repository.

Hosting Your Own Plugin Update Server

You can host plugin updates on your own server by including a custom update checker in your plugin. This allows WordPress to treat your hosted files exactly as it would the official repository. The most straightforward approach is to use a lightweight library like YahnisElsts’s Plugin Update Checker.

The steps are as follows:

  1. Host your plugin ZIP and metadata: Create a directory on your server to store both the .zip file and a JSON metadata file that describes the version, download URL, and changelog.
  2. Add an update checker to your plugin: Include the library in your plugin directory, then initialize it like this:
require 'plugin-update-checker/plugin-update-checker.php';
$myUpdateChecker = Puc_v4_Factory::buildUpdateChecker(
    'https://yourserver.com/updates/plugin.json',
    __FILE__,
    'your-plugin-slug'
);
  1. Define your JSON file: Your JSON should look like:
{
  "name": "My Custom Plugin",
  "slug": "my-custom-plugin",
  "version": "1.2.0",
  "author": "Your Name",
  "homepage": "https://yourdomain.com/",
  "download_url": "https://yourdomain.com/updates/my-custom-plugin.zip",
  "requires": "6.0",
  "tested": "6.7",
  "last_updated": "2025-10-22",
  "sections": {
    "description": "Bug fixes and performance improvements."
  }
}
  1. Update normally: Whenever you release a new version, update the JSON with a higher version number and a new ZIP URL. WordPress will detect it and update automatically if autoupdates are enabled.

This setup mimics how WordPress handles repository updates but gives you complete control. It’s handy for agencies, SaaS platforms, or developers distributing private tools.

Why I’ve Considered Hosting My Own Plugins

When I discovered that the WordPress repository might not belong to the open-source community but was instead operated by Automattic or its founder, I became hesitant to publish new plugins there. This came to a head when access to the original ACF plugin was removed, and Automattic modified and released it as their own.

While the official repository remains an invaluable distribution channel, the governance model and review delays sometimes feel restrictive for independent developers. For my own projects, like the custom plugins I’ve built over the years, self-hosting updates would preserve autonomy while ensuring users receive timely improvements. It’s a practical middle ground between open contribution and complete control.

Disabling Autoupdates for Plugins and Themes

There are valid reasons to block automatic updates, particularly for clients who’ve modified code directly or rely on deprecated functions. For instance, I’ve had customers who customized the default theme (a poor choice when child themes exist) and others who depended on plugin features that were later removed in new versions.

Quick and Dirty Method

The simplest but least elegant way to prevent an update is to artificially set a very high version number in your plugin or theme’s header. WordPress will believe it’s already newer than what’s available and ignore updates. For example:

Version: 99.0.0

While this works, it’s not maintainable and can create confusion later.

The Better Way: Using Filters

You can programmatically disable updates by using WordPress filters.

For plugins:

add_filter('site_transient_update_plugins', function($value) {
    if (isset($value->response['your-plugin-slug/your-plugin.php'])) {
        unset($value->response['your-plugin-slug/your-plugin.php']);
    }
    return $value;
});

For themes:

add_filter('site_transient_update_themes', function($value) {
    if (isset($value->response['your-theme-slug'])) {
        unset($value->response['your-theme-slug']);
    }
    return $value;
});

These filters effectively remove the plugin or theme from the update list before WordPress processes it, ensuring it never appears in the admin update panel or is replaced during bulk updates.

You can also define constants to stop automatic updates globally:

define( 'AUTOMATIC_UPDATER_DISABLED', true );
define( 'WP_AUTO_UPDATE_CORE', false );

These stop WordPress from automatically updating any component, though they should be used cautiously.

Best Practices

When managing client or production environments, balance automation with control. Automatic updates are vital for security, but they should be paired with staging environments, version control, and off-site backups.

For developers, hosting your own plugin updates offers independence and professionalism—an ideal compromise for proprietary tools. Conversely, disabling updates in customized environments can prevent disaster when clients modify code in ways that core updates would otherwise overwrite.

Ultimately, WordPress’s flexibility in managing updates is one of its greatest strengths. It allows developers to decide whether to embrace automation, self-manage, or selectively opt out—depending on how much control, risk, or convenience the situation demands.

Related Martech Zone Content

Guide to Hardening WordPress
WordPress Security: A 10 Step Guide To Hardening and Securing Your Website in 2024
List of the Best WordPress Plugins
Best WordPress Plugins For Business in 2025
How to host WordPress on Amazon Web Services (AWS)
How To Host WordPress With Amazon Web Services (AWS)
WordPress Challenges
10 Challenges Working With WordPress As A Content Management Platform in 2025

Douglas Karr Douglas KarrOct 22, 2025
4 minutes read
Douglas Karr

Douglas Karr

Douglas Karr is a fractional Chief Marketing Officer specializing in SaaS and AI companies, where he helps scale marketing operations, drive demand generation, and implement AI-powered strategies. He is the founder and publisher of Martech Zone, a leading publication in… More »
Back to top button
Close

Adblock Detected

We rely on ads and sponsorships to keep Martech Zone free. Please consider disabling your ad blocker—or support us with an affordable, ad-free annual membership ($10 US):

Sign Up For An Annual Membership