Starting in WordPress 3.7, automatic updates were enabled for websites/hosts that have been configured to allow this. Please remember that this is only for minor updates - not major updates. Here is what WordPress says:
Updating WordPress (codex.wordpress.org)
For WordPress 3.7+, you don’t have to lift a finger to apply minor and security updates. Most sites are now able to automatically apply these updates in the background. If your site is capable of one-click updates without entering FTP credentials, then your site should be able to update from 3.7 to 3.7.1, 3.7.2, etc. (You’ll still need to click “Update Now” for major feature releases.)
When there's a major update of WordPress (like WordPress 3.9), you will need to manually go in and update WordPress - do not expect an automatic update.
If you do not know what to do to upgrade WordPress and all plugins, then you should check out the Webstix WordPress Automatic Update Program. We manually go in to your website whenever there's a release/update/patch for WordPress and take care of the update for you. So it's not "automatically automatic" but "manually automatic" meaning that you're authorizing our staff to go in, update WordPress for you (along with plugins) and then do testing to make sure everything works right. It's a great program and a MUST for anyone with a WordPress website since you do need to keep it up to date.
If you're still not convinced that you should worry about updating WordPress, thank about this... there are more websites made from WordPress than any other CMS software out there. Or... there are more WordPress websites out there than any other kind of website.
What that means is that hackers are going to target it. They want to do as much damage as possible, so they're naturally going to target the software that most websites use.
The thing is, when there's a new vulnerability discovered, what that vulnerability is, is published. Everyone's going to know about it if they don't already know (like on hacker forums and boards). It's reported to the public. Hackers are going to write scripts to look for versions of WordPress that are out of date. These programs they write (sometimes called "robots" or "bots") automatically go out, find all these website and break into them. It's not necessarily personal (targetting you personally) - they just want control of as many websites (or web servers) as possible and because you didn't upgrade your version of WordPress, you get hacked. It's not a matter of "if" but a matter of "when."
If "cost of ownership" is a new phrase for you, then you should learn what that means if you own something like a website. It means that it's going to cost you some money to own it - like a house, for example. There's upkeep and maintenance. If you neglect doing it, it's going to become broken down, it's not going to be as strong, it's not going to look good and it's going to lose value.
And even Google checks WordPress websites to see what version they're using. If the website's out of date, it's more likely to get hacked and Google wants to give the best results it can to people searching - so it just makes sense that Google would not rank websites as high if they are not up to date. Bam! How's that for some truth?
You only get out of something what you put into it. If you neglect your website, it's not going to work as hard for you. Keep it up to date. Always.
-Tony
