[wp-trac] [WordPress Trac] #47528: Site Health: Add test for file checksums
WordPress Trac
noreply at wordpress.org
Sat Aug 10 21:59:23 UTC 2019
#47528: Site Health: Add test for file checksums
-------------------------------------+-----------------------------
Reporter: swissspidy | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Future Release
Component: Site Health | Version:
Severity: normal | Resolution:
Keywords: site-health needs-patch | Focuses:
-------------------------------------+-----------------------------
Comment (by Clorith):

As with anything in core, it can be modified in some way or another if
someone wants to, and the Site Health Check isn't meant to be a security
tool in that regard, more as a helping hand, so yes, I think it would be
acceptable to do this.

It's fine to skip the test if running an alpha/beta/rc build, where
checksums can't be verified.

Some caveats that need to be accounted for, as this does already exist in
the [https://wordpress.org/plugins/health-check plugin version] and a few
scenarios have been discovered through this:

- Any change of locale on the site will make the checksum verification
fail unless the user has re-installed core files, or a major update has
been performed to ensure they've gotten the locale's own files.
- There are hosting panels that do strange things, cPanel used to (I
cannot confirm if they still do this) modify core files to "break" WordPress
updater if you used their Softaculous suite to install anything, so that
any updates had to be validated and pushed by cPanel themselves. We may
need to consider that this is not isolated to that one vendor, and that
others do similar things to core to control it through their own systems,
even if we don't approve of it, as this may cause unnecessary unease for
the user.

I did see your question in the #core room on Slack as well, so here is
some more input about the approach I envision here.

The test output needs to be simple and to the point, avoid any listings of
mismatched files which may cause confusion for the user. All that's needed
is a notice that `Some core files may have been modified`, a short
description about what this could mean, to try and avoid user panic as
that can sound scary.

End it with an action link to the Dashboard > Update page where the user
can re-install core files with the click of a button.

Now, for plugins/themes, I'm not sure that's the best thing to include as
well, it gives a greater false indicator if we include those, since we
can't check anything coming from outside wordpress.org, so it would be an
incorrect indicator of those files' states (is my thinking at least).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47528#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
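
The approach described in the comment above, sketched as a Site Health test; this is an added example, not code from WordPress core or the Health Check plugin. The `example_*` names, the message wording other than the quoted notice, the version-string check for alpha/beta/RC builds and the exclusion of `wp-content/` are assumptions; `site_status_tests`, `get_core_checksums()`, `get_locale()` and `self_admin_url()` are existing WordPress APIs.

```php
<?php
// Added example: not WordPress core or Health Check plugin code.
// Every example_* name and all message wording are hypothetical.
add_filter( 'site_status_tests', 'example_register_core_checksum_test' );

function example_register_core_checksum_test( $tests ) {
	// Skip alpha/beta/RC builds. Assumption: they are marked in the version string.
	if ( ! preg_match( '/-(alpha|beta|rc)/i', get_bloginfo( 'version' ) ) ) {
		$tests['direct']['example_core_checksums'] = array(
			'label' => __( 'Core file checksums' ),
			'test'  => 'example_core_checksum_test',
		);
	}
	return $tests;
}

function example_core_checksum_test() {
	$result = array(
		'label'       => __( 'Core files match the published checksums' ),
		'status'      => 'good',
		'badge'       => array( 'label' => __( 'Security' ), 'color' => 'blue' ),
		'description' => '<p>' . __( 'Core files are compared against the checksums published for this version and locale.' ) . '</p>',
		'actions'     => '',
		'test'        => 'example_core_checksums',
	);
	if ( ! function_exists( 'get_core_checksums' ) ) {
		require_once ABSPATH . 'wp-admin/includes/update.php';
	}
	// Checksums are per locale, so request the manifest for the active one.
	$checksums = get_core_checksums( get_bloginfo( 'version' ), get_locale() );
	if ( ! is_array( $checksums ) ) {
		// Manifest unavailable: report that nothing could be compared.
		return array_merge( $result, array( 'status' => 'recommended', 'label' => __( 'Core file checksums could not be retrieved' ) ) );
	}
	foreach ( $checksums as $file => $md5 ) {
		// Assumption: bundled themes and plugins under wp-content/ are out of scope.
		if ( 0 === strpos( $file, 'wp-content/' ) ) {
			continue;
		}
		// One missing or differing file is enough; the notice does not list files.
		if ( ! is_readable( ABSPATH . $file ) || md5_file( ABSPATH . $file ) !== $md5 ) {
			$result['status']      = 'recommended';
			$result['label']       = __( 'Some core files may have been modified' );
			$result['description'] = '<p>' . __( 'This can follow a locale change or changes made by a hosting panel, and does not by itself mean the site is compromised.' ) . '</p>';
			$result['actions']     = '<a href="' . esc_url( self_admin_url( 'update-core.php' ) ) . '">' . __( 'Re-install core files' ) . '</a>';
			break;
		}
	}
	return $result;
}
```

The `recommended` status rather than `critical` reflects the locale and hosting-panel caveats: a mismatch is a prompt to re-install, not proof of tampering.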