The fact that it’s security and minor releases only is a very important distinction here. These generally do not break anyone’s website, plugin or themes. If you’re using a plugin that gets broken due to a security release, then that raises a red flag and a few questions about how that plugin is interacting with the WordPress core.
If you want to make changes to WordPress default behavior of keeping your site current with security/minor releases, you will need to edit your wp-config.php file.
I asked Andrew Nacin if there is a plan to expose the core update configuration options to the UI in the future. He replied that there is “no good reason for an opt-out UI now, but as we grow more confident, I imagine an opt-in UI for major versions could be next.” So maybe this is around the corner, but for now, read on to learn how to configure your updates.
3 Basic Options for Core Updates in WordPress 3.7
Let’s simplify things here. You basically have three options for WordPress core updates:
1. Update the core for minor versions (on by default):
If you’re running WordPress 3.7, there’s nothing you need to do to turn this on. You’ll be automatically updated for security and minor releases. Here’s what it would look like in wp-config.php:
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
2. Disable all core updates:
If you’re uncomfortable with WordPress keeping your site current with minor releases and security updates, here’s how you turn it off. Add this to your wp-config.php file:
define( 'WP_AUTO_UPDATE_CORE', false );
However, I would encourage you to read this definitive guide from Nacin before turning off core updates completely.
3. Get all updates, including development, major and minor releases:
This is the cowboy option that is probably more likely something you’d want to enable on a personal blog. If you turn this on in wp-config.php, you’ll be automatically updated for every release that WordPress puts out:
define( 'WP_AUTO_UPDATE_CORE', true );
You can also apply all of the above via new filters added in WordPress 3.7, as outlined in the codex article on Configuring Automatic Background Updates. Filters are also available for plugin, theme and translation updates should you want to add those in the mix, too.
If you’re scratching your head and trying to get your brain around all of these options, wondering what to do, then just leave the default options in place and don’t mess with it. WordPress strongly discourages disabling the automatic security updates. These updates have been heavily tested and are quite safe. Getting hacked because you didn’t want to take security updates would be really lame. The best option is to leave security updates in place.
Can we have accurate reporting please?
would be an important distinction, but its not true. Its all minor updates, not just security updates. There is no way to select ‘security releases only’.