I’ve written articles on Jetpack Autoupdate before — you’ll find some of them in the Jetpack blog. For many neglected sites autoupdate of plugins is a good idea. Plugins often have security patches that you should not ignore. Sometimes they have compatibility updates to allow them to work with the latest update to WordPress.
However autoupdate of ANY software, whether on your phone, desktop computer, or mobile device is only as good as the software doing the update. Over the years I have yet to find a single software company that can publish a 100% never-fails update to their software stack. Of all the companies that are pushing software, Apple seems to be the least prone to fatal crashes — the kind that take your business or personal productivity offline for hours or days. They are not infallible by any means and introduce plenty of “oh, that’s a pain in my ass” bugs on a regular basis.
Jetpack plugin updates are an issue
WordPress, on the other hand, is one of the worst platforms for autoupdates — giving the Microsoft crew a run for their money. It is not that WordPress core or most of the software that Automattic puts out is bad. It is the themes and plugins that are the issue. And that is EXACTLY what Jetpack pushes the most of with their desire to get you to enable “autoupdates”. It is not just the core software but the plugins — and it is those very plugins that WordPress and Jetpack are pushing you to update with this autoupdate platform.
Unfortunately 80% of plugin authors write crappy code. Don’t believe that? Turn on WP_DEBUG for a minute and see how many warnings and errors your site dumps in a single page load. 20% of plugin authors take time to even look at debug logs or run QA tests on code — but even they are known to cause problems (read the Redis Object Cache post from earlier today).
Autoupdate established authors only
What does that mean for autoupdate? If you turn this feature on across-the-board you better be damn sure 100% of your plugin authors pushed code that does not crash your site. WordPress doesn’t check it for you besides a rudimentary syntax scan — great for catching 10% of bugs that affect software. In my experience the best option is to ONLY turn on auto update for companies that have some sort of quality control. Automattic. Maybe the people pushing Yoast. A couple other plugins running on millions of sites.
Other than that — LEAVE AUTOUPDATE OFF.
A use case for disabling autoupdate
Case in point — I forgot to check those settings on some of my sites. The main Store Locator Plus site went offline for a few hours today. 3 hours later the documentation site. Why? Autoupdate. A broken version of that Redis Object Cache plugin was pushed by Jetpack to my sites. It crashed them immediately which then makes it impossible for software to auto-correct the error. The only option is manually remove/disable the plugin and install the latest patched version (Redis Object Cache 1.3.8 seems to finally fix the issue).
So why do I leave autoupdate off on all my Jetpack-managed sites? Coders are efficient at creating bugs. WordPress plugins coders are not vetted nor is the code the push to millions of servers every day. If you don’t know/trust the author do not enable autoupdate. Your site may depend on it.