Since WordPress 3.7, there’s a new feature which allows your WordPress website to automatically perform minor core upgrades when new versions are available. Background updates are very safe and together with the ability of rolling out automatic updates over a longer period proved to be an excellent option.
If you’re running WordPress 3.7, your minor core update are enabled by default. You don’t have to change anything. If by some reason, you want to make changes to the way security/minor releases install, you have to edit your wp-config.php file.
1) Minor updates activated
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
2) All core updates disabled
define( 'WP_AUTO_UPDATE_CORE', false );
3) All updates, including major development (use with extreme caution)
define( 'WP_AUTO_UPDATE_CORE', true );
Some developers may choose to turn off automatic updates, particularly if the website is heavily dependent on plugins and they need some time to test the plugins behavior on or the new versions of WordPress but getting hacked because you didn’t want to install security updates sounds childish. The most common cause of hacked websites and malware injections for WordPress users is outdated scripts.
After any update, we strongly suggest to check every page that uses a different page template:
posts, pages, categories, search results, etc. and do some basic looking around.