How to fully disable WP/bedrock plugin & theme auto-update attempts & notifications?

i run WP 6.2

it’s composer-installed, using bedrock framework scaffold.

plugins & themes are also composer-installed.

in the Admin UI, since it’s composer-installed, there’s no option to auto-enable updates.
as expected … updates are to be managed by composer.

still, i’m getting regular email notifications from my install that plugins have been auto-updated. e.g.,

-------- Original Message --------
From: example.com [mailto:noreply@wp.example.com]
Sent: Tuesday, April 11, 2023 at 6:01 PM EDT
To: wp@example.net
Subject: [example.com] Some plugins were automatically updated

> Howdy! Some plugins have automatically updated to their latest versions on your site at https://example.com. No further action is needed on your part.
> 
> 
> These plugins are now up to date:
> - Conditional Fields for Contact Form 7 (from version 2.3.5 to 2.3.6) : https://wordpress.org/plugins/cf7-conditional-fields/
> - Simple Cloudflare Turnstile (from version 1.18.1 to 1.18.2) : https://wordpress.org/plugins/simple-cloudflare-turnstile/
> 
> 
> If you experience any issues or need support, the volunteers in the WordPress.org support forums may be able to help.
> https://wordpress.org/support/forums/
> 
> The WordPress Team

but, if i check via composer, those^^ plugins have NOT been updated, and ARE available to be updated,

composer update --dry-run
	Loading composer repositories with package information
	Info from https://repo.packagist.org: #StandWithUkraine
	Updating dependencies
	Lock file operations: 0 installs, 3 updates, 0 removals
	  - Upgrading roave/security-advisories (dev-latest 892a245 => dev-latest 13fc947)
	  - Upgrading wpackagist-plugin/cf7-conditional-fields (2.3.5 => 2.3.6)
	  - Upgrading wpackagist-plugin/simple-cloudflare-turnstile (1.18.1 => 1.18.2)
	Installing dependencies from lock file (including require-dev)
	Package operations: 0 installs, 3 updates, 0 removals
	  - Upgrading roave/security-advisories (dev-latest 892a245 => dev-latest 13fc947)
	  - Upgrading wpackagist-plugin/cf7-conditional-fields (2.3.5 => 2.3.6)
	  - Upgrading wpackagist-plugin/simple-cloudflare-turnstile (1.18.1 => 1.18.2)
	17 packages you are using are looking for funding.
	Use the `composer fund` command to find out more!
	No security vulnerability advisories found

checking

wp-cli config list | grep AUTOMATIC_UPDATER_DISABLED
	AUTOMATIC_UPDATER_DISABLED      1       constant

where are update &/or notification for the composer-managed plugins disabled?

While Bedrock sites are basically read-only on production (twelve-factor-app approach), it is possible to still allow plugin updates, if the need for it arises.

Note that the plugin versions in the composer.json (and composer.lock in the version constraints of composer.json) are meant as those that are known to be working / working best with the site. This ensures that the site can be reverted to well-known versions.
When WordPress updates the plugins on its own (or manually, e.g. putting plugin files there yourself), composer is not involved at all, hence the composer will not be updated.

Usually plugin updates are disabled on production and handled at each site deployment.
E.g. a CI pipeline with a tool like greenkeeper or renovate bot automatically updates the plugins and dependencies, runs tests to verify that the site still works (plugin updates can easily break things) and, after an optional manual confirmation step, deploys the site with updated plugin versions.

Sure, that’s clear. And how I’d expect it to work - i.e., nothing gets updated until I tell it to update - with composer.

My point is that WP is attempting to do the updates without my intervention (and failing), and sending email notifications about it.

I’d like to Stop the attempts and notifications.

Question is, simply, how?

I do not get those emails on production sites, so I guess something is not completely configured, though.

1 Like

Is DISALLOW_FILE_MODS set to true on your production environment? Setting that should disable any update attempts and notifications.

Out of the box Bedrock sets DISALLOW_FILE_MODS to true unless your WP_ENV is set to development. If you haven’t modified the Bedrock config files I’d double check what WP_ENV is set to in your .env file; it should be production for a live environment.

WP documentation on DISALLOW_FILE_MODS:

2 Likes
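
A static check for the two settings named in the answer above, as an added example that is not part of the original thread or Bedrock's own code. It assumes the standard Bedrock layout (.env, config/application.php, config/environments/<WP_ENV>.php) and that Bedrock falls back to production when WP_ENV is unset; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Assumed standard Bedrock layout: .env, config/application.php,
# config/environments/<WP_ENV>.php (these paths are not stated in the thread).

# Print WP_ENV from <root>/.env; assumes Bedrock falls back to "production" when unset.
bedrock_env() {
    val=""
    if [ -f "$1/.env" ]; then
        val=$(sed -n 's/^[[:space:]]*WP_ENV[[:space:]]*=[[:space:]]*//p' "$1/.env" |
              tail -n 1 | sed 's/[[:space:]]*#.*$//' | tr -d "\r\"' ")
    fi
    printf '%s\n' "${val:-production}"
}

# Print true/false/dynamic/unset for the last uncommented DISALLOW_FILE_MODS define in a PHP file.
file_mods_value() {
    v=""
    if [ -f "$1" ]; then
        v=$(grep -v -e '^[[:space:]]*//' -e '^[[:space:]]*#' "$1" |
            sed -n "s/.*define([[:space:]]*['\"]DISALLOW_FILE_MODS['\"][[:space:]]*,[[:space:]]*\([A-Za-z0-9]*\).*/\1/p" |
            tail -n 1 | tr 'A-Z' 'a-z')
    fi
    case "$v" in
        true|1)  echo true ;;
        false|0) echo false ;;
        '')      echo unset ;;
        *)       echo dynamic ;;
    esac
}

# Exit 0 only when DISALLOW_FILE_MODS resolves to true for the active environment.
# The environment file is read first because its defines override application.php.
audit_bedrock() {
    wp_env=$(bedrock_env "$1")
    v=$(file_mods_value "$1/config/environments/$wp_env.php")
    if [ "$v" = unset ]; then v=$(file_mods_value "$1/config/application.php"); fi
    echo "WP_ENV=$wp_env DISALLOW_FILE_MODS=$v"
    [ "$v" = true ]
}

# Constructed sample tree (not from the thread): a live site whose .env still says development.
demo=$(mktemp -d)
mkdir -p "$demo/config/environments"
printf '# WP_ENV=production\nWP_ENV=development\n' > "$demo/.env"
printf "<?php\nConfig::define('DISALLOW_FILE_MODS', true);\n" > "$demo/config/application.php"
printf "<?php\nConfig::define('DISALLOW_FILE_MODS', false);\n" > "$demo/config/environments/development.php"
audit_bedrock "$demo" || echo "file modifications allowed: WordPress can attempt plugin/theme updates"
```

The check only reads files, so a value reported as `dynamic` or a constant defined elsewhere still has to be confirmed against the constants the running site actually loads.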