rspec/rules/S6343/php/rule.adoc
github-actions[bot] a9ac3f1d8a
Create rule S6343: Disabling automatic updates is security-sensitive (#240)
* Create rule S6343

* Add examples

* Add description

* Change to security hotspot

* Title

* Address review suggestions

Co-authored-by: karim-ouerghemmi-sonarsource <karim-ouerghemmi-sonarsource@users.noreply.github.com>
Co-authored-by: Karim El Ouerghemmi <64004037+karim-ouerghemmi-sonarsource@users.noreply.github.com>
Co-authored-by: Karim El Ouerghemmi <karim.ouerghemmi@sonarsource.com>
2021-08-13 14:22:23 +02:00


Automatic updates are a great way of making sure your application gets security updates as soon as they are available.
Once a vendor releases a security update, it is crucial to apply it in a timely manner, before malicious actors exploit the vulnerability.
Relying on manual updates usually means the fix arrives too late, especially if the application is publicly accessible on the internet.

== Ask Yourself Whether

* there is no specific reason for deactivating all automatic updates.
* you meant to deactivate only automatic major updates.

There is a risk if you answered yes to any of those questions.

== Recommended Secure Coding Practices

Don't deactivate automatic updates unless you have a good reason to do so. This way, you'll be sure to receive security updates as soon as they are available.

If you are worried about an automatic update breaking something, check if it is possible to only activate automatic updates for minor or security updates.

== Noncompliant Code Example

[source,php]
----
define( 'WP_AUTO_UPDATE_CORE', false ); // Sensitive
define( 'AUTOMATIC_UPDATER_DISABLED', true ); // Sensitive
----

== Compliant Solution

[source,php]
----
define( 'WP_AUTO_UPDATE_CORE', true ); // Minor and major automatic updates enabled
// or, if major updates should stay manual:
define( 'WP_AUTO_UPDATE_CORE', 'minor' ); // Only minor updates are enabled

define( 'AUTOMATIC_UPDATER_DISABLED', false );
----
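The following is an added example, not part of the rule text and not SonarSource's analyzer implementation: a small Python audit script that scans a `wp-config.php` for the two constants above and reports the settings the rule flags. The `wp-config.php` fragment embedded as `SAMPLE_WP_CONFIG` is constructed for the example; the only constant values it treats as accepted are the ones named in this rule (`true`, `false`, `'minor'`), and anything else, including values computed from an expression such as an environment lookup, is reported for manual review rather than guessed at.

```python
import re
from typing import Dict, List, Optional, Tuple, Union

Value = Union[bool, str]

# Constructed wp-config.php fragment used as sample input; not taken from a real site.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'WP_AUTO_UPDATE_CORE', false );
define('AUTOMATIC_UPDATER_DISABLED', true);
define( 'WP_DEBUG', false );
"""

# Matches a single-line define() call with a quoted constant name; the value is
# captured raw so that non-literal expressions can still be reported.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>[A-Za-z_][A-Za-z0-9_]*)['"]\s*,\s*(?P<value>.+?)\s*\)\s*;"""
)

# Values of WP_AUTO_UPDATE_CORE this rule describes as compliant.
ACCEPTED_CORE_VALUES = (True, "minor")


def literal_value(raw: str) -> Optional[Value]:
    """Convert a PHP boolean or quoted string literal to a Python value.

    Returns None when the value is not a plain literal (e.g. getenv('X')),
    so the caller can flag it for manual review instead of guessing.
    """
    raw = raw.strip()
    if raw.lower() == "true":
        return True
    if raw.lower() == "false":
        return False
    quoted = re.fullmatch(r"""(['"])(.*)\1""", raw)
    if quoted:
        return quoted.group(2)
    return None


def parse_defines(source: str) -> Dict[str, Tuple[int, str]]:
    """Return {constant_name: (line_number, raw_value)} for each define() found.

    Lines that are commented out with // or # are skipped (simple heuristic;
    block comments are not handled). The first definition of a name wins,
    matching PHP, which keeps the first value and warns on redefinition.
    """
    defines: Dict[str, Tuple[int, str]] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//") or stripped.startswith("#"):
            continue
        match = DEFINE_RE.search(line)
        if match:
            defines.setdefault(match.group("name"), (lineno, match.group("value")))
    return defines


def audit_auto_updates(source: str) -> List[str]:
    """Report the automatic-update settings this rule treats as security-sensitive."""
    findings: List[str] = []
    defines = parse_defines(source)

    if "WP_AUTO_UPDATE_CORE" in defines:
        lineno, raw = defines["WP_AUTO_UPDATE_CORE"]
        value = literal_value(raw)
        if value is False:
            findings.append(f"line {lineno}: WP_AUTO_UPDATE_CORE is false; all automatic core updates are disabled")
        elif value is None:
            findings.append(f"line {lineno}: WP_AUTO_UPDATE_CORE is set from an expression ({raw}); review manually")
        elif value not in ACCEPTED_CORE_VALUES:
            findings.append(f"line {lineno}: WP_AUTO_UPDATE_CORE has unexpected value {raw}; review manually")

    if "AUTOMATIC_UPDATER_DISABLED" in defines:
        lineno, raw = defines["AUTOMATIC_UPDATER_DISABLED"]
        value = literal_value(raw)
        if value is True:
            findings.append(f"line {lineno}: AUTOMATIC_UPDATER_DISABLED is true; the whole automatic updater is off")
        elif value is None:
            findings.append(f"line {lineno}: AUTOMATIC_UPDATER_DISABLED is set from an expression ({raw}); review manually")

    return findings


if __name__ == "__main__":
    for finding in audit_auto_updates(SAMPLE_WP_CONFIG):
        print(finding)
```

Run against a real `wp-config.php`, the script gives a quick answer to the "Ask Yourself Whether" questions above: a `false` for `WP_AUTO_UPDATE_CORE` means everything is off, while `'minor'` keeps security and minor releases flowing with major releases left to a manual step.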

== See

* https://wordpress.org/support/article/editing-wp-config-php/#disable-wordpress-auto-updates[WordPress.org] - Disable WordPress Auto Updates
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration