[wp-trac] [WordPress Trac] #50280: Enable auto-updates shows for plugins with no support
WordPress Trac
noreply at wordpress.org
Thu Jul 16 12:38:17 UTC 2020
#50280: Enable auto-updates shows for plugins with no support
-------------------------------------------------+-------------------------
Reporter: elrae | Owner: audrasjb
Type: enhancement | Status: reopened
Priority: normal | Milestone: 5.5
Component: Upgrade/Install | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch dev-feedback commit has-dev-note | Focuses: docs, administration
-------------------------------------------------+-------------------------
Changes (by StephenCronin):
* status: closed => reopened
* resolution: fixed =>
Comment:
I left a comment on the dev note just published, but will raise the
concern here too.

I agree that this will raise a false sense of security for plugins/themes
outside the repo.

The user can click the Enable Auto-updates link for these plugins/themes
and it appears that it's been turned on. I guess it HAS been turned on,
but of course, it will never actually update.

Plugin and theme authors can modify the action link as shown above, but
there are tens of thousands of plugins and themes out there and not all
authors are going to do that.

One of the most common security tips is to keep your plugins and themes
updated. Users who 'turn on' auto updates for plugins/themes outside the
repo will have a false sense of security, thinking that now they don't
need to worry about keeping these plugins/themes up to date. They will
stop looking for updates in the appropriate place. This will potentially
open them to security threats.

Wouldn't it be safer to only show the Enable Auto-updates link for
plugins/themes that have a slug that matches a plugin/theme in the
respective repo and display "Auto updates unavailable" for any that don't
match?

I'll reopen this to make sure it gets seen - apologies if that's the wrong
thing to do!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50280#comment:21>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
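
The check proposed in the comment above can be approximated on a single site with the `plugin_auto_update_setting_html` filter. This is an added example, not code from the ticket or from WordPress core; the `example_*` function names are hypothetical, and it assumes that a plugin listed in neither `response` nor `no_update` of the `update_plugins` site transient has no update source.

```php
<?php
/**
 * Added example (site-level mu-plugin sketch, not WordPress core code).
 * Replaces the "Enable auto-updates" link with a notice for plugins that
 * the last update check did not report on at all.
 */

/**
 * Returns true/false when support can be decided, or null when no update
 * check has run yet (in that case the core output is left untouched).
 */
function example_autoupdate_supported( $plugin_file, $updates ) {
	if ( ! is_object( $updates ) ) {
		return null;
	}
	// Plugins with a pending update are keyed by plugin file in ->response,
	// up-to-date plugins known to the update source in ->no_update.
	$response  = isset( $updates->response ) ? (array) $updates->response : array();
	$no_update = isset( $updates->no_update ) ? (array) $updates->no_update : array();

	// A third-party updater that adds its plugin to this transient counts as
	// supported, which is correct: auto-updates can then act on it.
	return isset( $response[ $plugin_file ] ) || isset( $no_update[ $plugin_file ] );
}

function example_autoupdate_setting_html( $html, $plugin_file, $plugin_data ) {
	$supported = example_autoupdate_supported(
		$plugin_file,
		get_site_transient( 'update_plugins' )
	);

	if ( false === $supported ) {
		// Wording taken from the comment above. Display only: any stored
		// auto-update preference for the plugin is not changed.
		return esc_html( 'Auto updates unavailable' );
	}

	return $html;
}
add_filter( 'plugin_auto_update_setting_html', 'example_autoupdate_setting_html', 10, 3 );
```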