With the release of Joomla 5.4 and Joomla 6.0 on 14 October 2025, the Joomla project introduces a significant innovation: automatic updates for the core system. This feature makes it possible to keep Joomla installations up to date reliably and without manual intervention – an important step towards increasing the security and maintainability of Joomla websites.

First of all: why? 

You might wonder why this feature was shipped in the first place. Joomla has lived 20 years without it, so why bother? 

Well, first of all: users asked for it – it's one of the most requested features on the wishlist and a great addition to Joomla's feature set.

But more importantly, it solves a crucial issue: whenever a new Joomla version fixes a security issue, attackers start analyzing the new version in order to find out what the fixed vulnerability was. And once they find out, they start developing automated scripts to hack as many sites as possible.

Analyzing the patch, understanding the issue and developing the script takes time - and if a site owner does not update a site before that window closes, the site might get hacked. And hackers are fast! For critical, easy to exploit issues, we are talking about a time window of 10-12 hours - and that's just not enough time for everyone to update all sites.

That's where automated updates come into play: the Joomla project can now actively push updates (and thereby security fixes) to sites to make sure that sites are indeed updated in time.

Automated Updates - A remote control for an existing feature

At its core, the new feature just utilizes existing functionality:

• Joomla is able to detect new available updates
• Joomla is able to download and extract the new version
• Joomla is able to apply any post-update scripts

So far, these features were limited to a backend user, relying on a person to actually click a bunch of buttons. The new feature now exposes those features to a centralized server running on the joomla.org infrastructure: the site registers itself and hands over a 'key'. With that key, the update server can check the site health and trigger the detection, download and extraction steps.

What's important to emphasize is that the updates in question are not "pushed" to the Joomla site - there is no 'upload;  feature for a centralized server. Instead, the update server purely relies on the actual site to perform the mentioned tasks. That's a key part of the security architecture: even if the automated update infrastructure is compromised, the worst case scenario is that an attacker would actually apply a pending update to a site - which seems like a pretty fair outcome.

Requirements and restrictions

The automatic update function is enabled by default for new installations. However, when updating from an older version to 5.4 or 6.0, automatic updates are disabled by default and must be enabled manually by the administrator. The following requirements must be met:

• The website must be publicly accessible on the internet (no intranet or localhost).
• The 'Standard' update server must be used (backend setting).
• The minimum stability of the updates must be set to 'Stable'.
• The Joomla version must be 5.4 or higher.
• PHP version, database, operating system and extensions must be compatible.
• Optional but important! The website should be secured with a complete backup concept.

Under the hood

The endpoints in the individual site are implemented using the Joomla webservices system: new endpoints have been added for com_joomlaupdate. The infrastructure on joomla.org is mainly a custom application which of course is open source too.

The challenges

At the end of the day, implementing the actual auto updater wasn't that complex - but the preparation work, most importantly a secure update discovery process was a challenging process. So, from the first ideas to the final implementation, five years have passed - a long time, but with a happy end!

Conclusion

With automatic updates starting with Joomla 5.4 and 6.0, the Joomla project is significantly improving the maintainability, security and user-friendliness of its CMS platform. The feature is particularly interesting for administrators who rely on a stable, up-to-date Joomla installation without regular manual intervention.

Thank you!

Last but not least, I would like to thank Harald Leithner, Benjamin Trenkle and Robert Deutz for making this feature happen, Richard Fath and Heiko Lübbe for testing and merging and Brian Teeman for the language tweaks and fixes.