[wp-trac] [WordPress Trac] #54598: Site Health makes downright wrong and dangerous suggestions
WordPress Trac
noreply at wordpress.org
Wed Dec 8 04:17:00 UTC 2021
#54598: Site Health makes downright wrong and dangerous suggestions
--------------------------+------------------------------
Reporter: peterhoegsg | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
--------------------------+------------------------------
Comment (by peterhoegsg):
We might be going slightly off-topic (changes to Site Health vs general
security), so if there is a better way to address that, please let me
know.
> 1. for background updates, what would you suggest is wrong with the
> statement?
I would suggest having an official set of security guidelines that
explains how to handle updates:
a. never directly in production, but instead offline and then
subsequently deployed after testing (like you would for any other web
application)
b. *not* having auto-updates enabled
I agree, it's better to have a possibly broken site than one that is
vulnerable, but that should only ever be the recommendation if it cannot
be done properly.
> 2. writable files: there is no recommendation in that statement of fact.
Correct, but it's shown as an "issue", which for the purpose of
auto-updates is correct, but from the point of keeping things secure, it
very much isn't.
> 3. inactive plugins: PHP files in the plugins folder can be executed by
> addressing them directly.
> 4. same
The takeaway here should be to force plugins and themes to include guard
statements in every file so they do nothing if not enabled. For plugins
distributed via wordpress.org/plugins, surely there's a CI step that
approves new versions where this could be enforced.
> 5. Do you mean plugins that report separately or add in to the Site
> Health page? Either way, that's something for that plugin to change.
I mean the latter and you are of course correct - this is a plugin issue.
However, WordPress should be providing the infrastructure that makes it
easy for plugins to handle properly.
The 2 main issues with "Site Health" as I see it are as follows:
1. some of the recommendations made fly against industry best practice and
thus make things unnecessarily insecure
2. customers (here I'm talking companies for whom the sites are built, not
the end-users) *will* see this and *will* raise issues. "It says my site
has critical issues - fiiiiix iiiiiit".
--
Ticket URL: <https://core.trac.wordpress.org/ticket/54598#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
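The guard-statement point raised in the comment (PHP files in the plugins folder doing nothing when requested directly) is illustrated below with an added audit script that is not part of the ticket, of WordPress core, or of any plugin: it walks a plugins directory and lists PHP files whose head lacks the conventional ABSPATH guard. The directory path, the 4096-byte window and the guard pattern are assumptions.

```php
<?php
// Added example, not from the ticket or from WordPress: audit which plugin
// files lack the usual direct-access guard. Paths and patterns are assumptions.
declare(strict_types=1);

// The guard plugins conventionally place at the top of every PHP file. ABSPATH
// is only defined once core (wp-load.php) has run, so a direct request for the
// file, where nothing has defined it, stops before any plugin code executes.
const GUARD_EXAMPLE = "if ( ! defined( 'ABSPATH' ) ) { exit; }";

// Heuristic check for the guard: a defined('ABSPATH') test together with an
// exit/die in the same window. Accepts the block form and the
// "defined( 'ABSPATH' ) || exit;" short-circuit form.
function has_direct_access_guard(string $source): bool
{
    $checksAbspath = preg_match("/defined\s*\(\s*['\"]ABSPATH['\"]\s*\)/", $source) === 1;
    $bailsOut      = preg_match('/\b(exit|die)\b/', $source) === 1;
    return $checksAbspath && $bailsOut;
}

// Return the sorted list of .php files under $pluginsDir with no guard in
// their first $windowBytes bytes. Only the head matters: a guard placed after
// executable statements runs too late to prevent them.
function find_unguarded_php_files(string $pluginsDir, int $windowBytes = 4096): array
{
    $unguarded = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($pluginsDir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        $head = file_get_contents($file->getPathname(), false, null, 0, $windowBytes);
        if ($head !== false && !has_direct_access_guard($head)) {
            $unguarded[] = $file->getPathname();
        }
    }
    sort($unguarded);
    return $unguarded;
}

// Usage (path is an assumption): php audit-guards.php /var/www/html/wp-content/plugins
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (find_unguarded_php_files($argv[1]) as $path) {
        echo "no direct-access guard: {$path}\n";
    }
}
```

The check is a textual heuristic, so a file that mentions `exit` in a comment near a `defined('ABSPATH')` test passes, and files that only declare functions or classes are harmless on direct load even without a guard; treat the output as a review list, not a verdict.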