Yes, I know this can be done with a plugin. But raw code in the config.php never gets touched by an update.
I hate automatic updates for pretty much everything, operating systems, software, phones, you name it. I’m not against security, I’m just against something happening with little to no communication to the end user or the administrator who ends up cleaning up the mess when one of those forced updates break something critical like production workflows or daily business operations.
No hackers or malware can compete with the amount of hosed websites that WordPress itself is responsible for breaking with their forced automatic updates. The biggest culprit is really the lack of options during the installation of WordPress to turn this off or opt-out.
Which is why WordPressreleases have been breaking plugins and themes across the world for a few years. I thought I’d remind you that you CAN disable ALL automatic updates in WordPress by adding this line of code in your wp-config.php file:
This will disable all automatic WordPress updates.
define( 'WP_AUTO_UPDATE_CORE', false );
However if you want to receive minor core updates, but disable theme and plugin updates, then you can do so by adding the following filters in your theme’s functions.php file or in a site-specific plugin.
Disable automatic WordPress plugin updates:
add_filter( 'auto_update_plugin', '__return_false' );
Disable automatic WordPress theme updates:
add_filter( 'auto_update_theme', '__return_false' );
Also. WP-Downgrade is one of my Favorite Plugins of all time.