Dreamhost automatically updating Wordpress?

Dreamhost has updated all of my Wordpress sites, apparently automatically. Is this SOP?

For each site, Dreamhost sent me an email saying my Wordpress had been updated “as requested.” I didn’t make any such requests, unless possibly I somewhere a long time ago authorized DH to do so without pre-notifying me.

I spent a lot of time over the past couple of months cleaning up from hackers and implementing security to thwart future attacks. My fear is that maybe a hacker somehow put in a WP update request in order to knock out some of my security measures or something. The email I got from Dreamhost does say it’s possible the updating would cause some custom plugins to stop working.

I’m spot checking my sites for any vulnerabilities but it’d be a hassle to have to re-do all my site-fortifying again.

So does anyone know why Dreamhost would update all my Wordpress sites “as requested,” if I didn’t request it? Here’s the email I get:

We just upgraded your install of wordpress as requested at:


Important! Please visit http://mysite.com/wp-admin/upgrade.php
to update your database tables! Otherwise, you may see database errors or missing entries.

Any custom skins or plug-ins you might have added may need to be re-installed… your old installation is still available at the same place
you used to have your installation, but with a “.old” tacked on.

If for some reason you need to restore it, just rename the directories
with your FTP client.

The Happy DreamHost 1-Click Robot!

Visit the one-click installer page in the panel and click on “manage installed applications” and you will most likely find that you have them set for auto updates.

Also this is relevant: http://www.dreamhoststatus.com/2012/04/20/wordpress-3-3-2-update-available-for-one-click-installs/

I will do that, and if that’s the case, I will be relieved. Though I may uncheck it for future installs.[hr]

You were right, that’s exactly what it was. I’m glad to know it was nothing nefarious.

I’m resetting everything from “upgrade automatically” to “notify me.” Although auto upgrade is convenient, I did notice that in the process of upgrading WP it changes the file and folder permissions I had set to be extra-secure.


Yeah I think sometime in the past few months they made “auto-update” for wordpress an “opt-out” only program without notifying customers (WOW). For the past year I havent gotten an “auto-update” that deleted my NON WORDPRESS files. Today, however, it deleted my custom index.php file for my wedding (which is 3 weeks from today, btw), even though wordpress was not installed in the same directory (or even a child directory) of my domain. And then when I complained told me that I must have used the same index file and modified it (which is complete poppycock because I archived the entire wordpress directory before I started development–my profession). I was told my “auto-update” flag was flying and that it was my fault for not having this off, but again, this site has been up OVER a year and no problems until today. I’m really kind of upset about this because I thought this was a trusted host, but I’m starting to wonder if someone acquired the company recently. Dreamhost is no longer in the front of my list of trusted hosts to my clients. Sad face.

I have Wordpress installs done by the one-click that do auto update as you described. I also have Wordpress installed where the install was manual, no auto updates happen on these.

Also if you follow Wordpress standard hierarchy your customizations shouldn’t get overwritten. https://developer.wordpress.org/themes/basics/template-hierarchy/

I’m not near my laptop right now to look, but one-click updates used to archive your old install into an “old” directory. Likely you just need to poke around to find your archived file.

FWIW, WordPress will also do its own auto-updates. You can read more here. When it does, the WordPress email begins

Updating to new, stable versions is one of the best ways to maintain security. Most of the hacked WordPress sites I’ve seen, hackers have gotten in through out-of-date themes, plugin, or core. I’ve seen the same with other CMSs, as well.