Introduction

WordPress regularly releases updates with new features and bug fixes. It is advised to update asap, so monitoring your website for new WordPress updates is critical to ensure your website is fully patched against potential attacks. Automatic background updates were introduced in WordPress 3.7 in an effort to promote better security, and to streamline the update experience overall. By default, only minor releases – such as for maintenance and security purposes – and translation file updates are enabled on most sites. In special cases, plugins and themes may be updated.

In WordPress, there are four types of automatic background updates:

  1. Core updates
  2. Plugin updates
  3. Theme updates
  4. Translation file updates

Core Updates

Core updates are subdivided into three types:

  1. Core development updates, known as the “bleeding edge”
  2. Minor core updates, such as maintenance and security releases
  3. Major core release updates

By default, every site has automatic updates enabled for minor core releases and translation files. 

Update Configuration

Automatic updates can be configured using one of two methods: defining constants in wp-config.php, or adding filters using a Plugin.

Configuration via wp-config.php

Using wp-config.php, automatic updates can be disabled completely, and core updates can be disabled or configured based on update type.

Constant to Disable All WordPress Updates

The core developers made a conscious decision to enable automatic updates for minor releases and translation files out of the box. Going forward, this will be one of the best ways to guarantee your site stays up to date and secure and, as such, disabling these updates is strongly discouraged.

To completely disable all types of automatic updates, core or otherwise, add the following to your wp-config.php file:

Constant to Configure Core WordPress Updates

To enable automatic updates for major releases or development purposes, the place to start is with the WP_AUTO_UPDATE_CORE constant. Defining this constant one of three ways allows you to blanket-enable, or blanket-disable several types of core updates at once.

WP_AUTO_UPDATE_CORE can be defined with one of three values, each producing a different behavior:

  • Value of true – Development, minor, and major updates are all enabled
  • Value of false – Development, minor, and major updates are all disabled
  • Value of 'minor' – Minor updates are enabled, development, and major updates are disabled

Note that only sites already running a development version will receive development updates. For other sites, setting WP_AUTO_UPDATE_CORE to true will mean that it will only get minor and major updates.

For development sites, the default value of WP_AUTO_UPDATE_CORE is true. For other sites sites, the default value of WP_AUTO_UPDATE_CORE is minor.

How to check for WordPress Updates

  1.  Add the IP addresses of the Nagios servers that need access to the Allowed array in check_wordpress_updates.php”
  2. Put check_wordpress_updates.php in the root of you WordPress installation”
  3. Put check_wordpress_updates.sh in you Nagios plugin folder and call it from Nagios interface”

The result should look like this:

Wordpress updates plugin output

Thanks to Kong Jin Jie and hteske on whose scripts this is based.

Willem D'Haese
Expert Monitoring at Digipolis
Expert Monitoring with a demonstrated history of working in the information technology and services industry. Strong ICT skills such as monitoring, virtualization, automation.

5 Comments

  1. Hi Willem,

    I hope this e-mail finds you well. If in between the nagios server and website server there is a Proxy. How can i change the script to cater for the proxy that is now in between since I cannot place the proxy IP in the allowed IP’s else everyone will be able to execute that script.

    Thanks and keep up the good work!!

    1. Good question Tony that I cannot answer because I’m unable to replicate this in any way, as there is no proxy between my Nagios server and the websites I’m monitoring. In order to get this done, I guess the Bash script would need to be changed, so a custom header can be added. Then the php script could check if the request contains this specific header. Grtz

      1. That might actually work 🙂 … Thanks a lot Willem, I will try your suggestion and let you know!

  2. Hi Willem,

    this is really a super script; good work!
    i can open it on the commandline and will get the correct result!
    WARNING: Version: 4.8.1 (Up to date), 2 plugin updates available, no theme updates available.

    but when i use it in wato / check_mk i will get:
    404 Not Found Not Found The requested URL /check_wordpress.php was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. Apache/2.4.25 Server at xxx.xxx.xxx.xxx Port 80

    curl -s shows the correct output,
    i can see the correct output, when i open the website with a browser,
    wget shows the correct output
    but only the value in check_mk is wrong.

    Any Idea?

    Best regards
    yogi

    1. Sry Yogi, I have no idea, I’m using Nagios XI where it works fine. Please make a GitHub issue and describe the problem to start with. Tx

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">

8 − 3 =