WordPress installations are often implemented with the complete site in version control. In this situation, it is imperative to ensure that WordPress itself can not modify plugin, theme or core files, as it would break the version control system. The simplest way to do this is to add define( 'DISALLOW_FILE_MODS', true ); to the sites wp-config.php file, but this causes the update notice to disappear in the admin panel. Keeping the update notice however, is important to ensure that updates are actually implemented.

I have worked on multiple sites now, which ended up not updated for a long time due to the use of that constant. This creates serious security problems. There has been a Trac ticket about this sitting for years, but unfortunately with no progress toward a solution.

Thankfully Jay Dansand of Lawrence University has solved this via an elegant little plugin. Simply install it in your mu-plugins folder (to avoid admins deactivating it) and it will allow you to use the DISALLOW_FILE_MODS constant while still keeping the update notices in place.

https://gist.github.com/jaydansand/2e41490a8b040a199db4