[wp-trac] [WordPress Trac] #54598: Site Health makes downright wrong and dangerous suggestions
WordPress Trac
noreply at wordpress.org
Wed Dec 8 00:40:03 UTC 2021
#54598: Site Health makes downright wrong and dangerous suggestions
--------------------------+-----------------------------
 Reporter:  peterhoegsg   |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
1. "Background updates are not working as expected"
We absolutely do not want background updates to run. We want to carefully
manage updates by performing them in a test environment before we then
deploy the changes to staging and finally production. Too much breakage
otherwise. White screen of death, anyone?
2. "Some files are not writable by WordPress:"
The WordPress files are served from a read-only store and having the web
application have access to modify itself is a *terrible* recommendation
from a security point of view.
3. "Inactive plugins are tempting targets for attackers."
How is an inactive plugin special in terms of attackability? Surely "Code
that runs on an internal accessible is a tempting target for attackers".
Whether they are active or not, plugins *in general* should be kept to a
minimum to minimize the attack surface. Also, how is an inactive plugin
a target in the first place? If it's deactivated, surely it doesn't run.
If there is a way to execute code in a deactivated plugin surely *that*
needs to be addressed.
4. "You should remove inactive themes"
Same as with plugins.
5. Some plugins will also detect that auto-updates are disabled and add to
the noise
One example is "MonsterInsights" that reports "Automatic updates are
disabled". See item 1.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/54598>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform