WordPress adds 24-hour delay to auto-updates for security

WordPress imposed a 24-hour pause on plugin and theme auto-updates, a change that could reshape how agencies handle client maintenance across large site portfolios.

Nina Kowalski
Source: searchenginejournal.com

WordPress has added a 24-hour cooldown before plugin and theme releases are pushed through auto-updates, a small technical change with outsized consequences for agencies that manage dozens or hundreds of client sites. Site administrators can still update manually before the delay expires, but the new timing changes how fast changes move across a portfolio, and how much monitoring, QA, and client communication sits on the agency side.

The move came through WordPress’ Protect The Shire post on June 5, 2026, where Matt Mullenweg framed the effort around supply-chain-style risk and said WordPress wanted to secure all 78,000 plugins and themes on WordPress.org. The platform has long treated plugin and theme security as a governance issue, but this initiative makes the release pipeline more deliberate. That matters because plugin and theme updates have historically moved faster and with less central review than WordPress core, which raises the stakes when a bad release or compromised package lands in the ecosystem.

For agencies, the practical question is not whether updates happen, but how they are staged. WordPress first shipped automatic updates for plugins and themes in WordPress 5.5 in 2020, and in 2025 it introduced phased releases as an opt-in 24-hour delay for plugin authors. The new cooldown extends that logic into a broader security posture. Teams that rely on automated patching will need to check which client sites can wait, which ones need manual intervention, and which ones depend on tightly coupled plugin stacks that break under even a minor update.

That makes maintenance retainers easier to justify and harder to ignore. WordPress.org documentation already tells site owners to keep plugins and themes updated to the latest version, and the scale of the ecosystem explains why. The plugin directory lists more than 64,000 free plugins, and the theme directory has over 14,000 free themes. On sites with heavy commerce, membership, or SEO tooling, one delayed release or one rushed update can ripple into crawl issues, uptime problems, or broken integrations.

The new policy also fits a longer hardening push. Starting October 1, 2024, WordPress.org required mandatory two-factor authentication for plugin and theme authors, along with SVN-specific passwords for commits. WordPress has also responded to earlier plugin supply-chain attacks by pausing plugin updates and forcing password resets for authors. Taken together, those changes show a platform trying to preserve trust while keeping its ecosystem attractive to publishers and agencies. For firms managing client growth, the message is clear: security is now part of the operating model, not a separate checklist item.

This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under.
