[wp-trac] [WordPress Trac] #54598: Site Health makes downright wrong and dangerous suggestions

WordPress Trac noreply at wordpress.org
Wed Dec 8 00:40:03 UTC 2021

#54598: Site Health makes downright wrong and dangerous suggestions
 Reporter:  peterhoegsg   |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:
 Severity:  normal        |   Keywords:
  Focuses:                |
 1. "Background updates are not working as expected"

 We absolutely do not want background updates to run. We want to carefully
 manage updates by performing them in a test environment before we then
 deploy the changes to staging and finally production. Too much breakage
 otherwise. White screen of death anyone?

 2. "Some files are not writable by WordPress:"

 The wordpress files are served from a read-only store and having the web
 application have access to modify itself is a *terrible* recommendation
 from a security point of view.

 3. "Inactive plugins are tempting targets for attackers.".

 How is an inactive plugin special in terms of attackability? Surely "Code
 that runs on an internal accessible is a tempting target for attackers".

 Whether they are active or not, plugins *in general* should be kept to a
 minimum to minimize the attack surface. Also, how is an inactivate plugin
 a target in the first place? If it's deactivated, surely it doesn't run.
 If there is a way to execute code in a deactivated plugin surely *that*
 needs to be addressed.

 4. "You should remove inactive themes"

 Same as with plugins.

 5. Some plugins will also detect that auto-updates are disabled and add to
 the noise

 One example is "MonsterInsights" that reports "Automatic updates are
 disabled". See item 1.

Ticket URL: <https://core.trac.wordpress.org/ticket/54598>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list