[wp-trac] [WordPress Trac] #55321: Adding new themes in releases without a global theme auto-update setting renders installations insecure
WordPress Trac
noreply at wordpress.org
Tue Mar 15 23:09:51 UTC 2022
#55321: Adding new themes in releases without a global theme auto-update setting
renders installations insecure
-------------------------------+-----------------------
Reporter: bertvandepoel | Owner: pbiron
Type: enhancement | Status: assigned
Priority: normal | Milestone: 6.0
Component: Upgrade/Install | Version:
Severity: normal | Resolution:
Keywords: reporter-feedback | Focuses: ui
-------------------------------+-----------------------
Comment (by bertvandepoel):
Sorry everyone for the slow response on my end. I work with WordPress as a
volunteer at a student non-profit, and my actual job and other
responsibilities got a bit in the way.
Our point of view very much is what @pbiron's last post describes. Most
of the student organisations we host don't have a dedicated webmaster, and
often it's "the boyfriend of a friend of a member who is a mathematician"
and they vaguely understand. Often for them it's enabling auto-updates
everywhere (after us pressuring them about security) and then only going
to the dashboard to add a new post or update a page every few
weeks/months.
I understand that there are plenty of intermediate users who edit their
themes, so I'm not asking to make auto-updating mandatory or anything like
that (as some seem to fear). Mostly it's the fact that when a new version
of WordPress is installed through auto-updates, it doesn't make sense that
it brings along a new component that doesn't receive auto-updates and that
can cause security issues without the user even knowing.
There are several ways to solve this issue:
* Imply auto-updates for themes based on the auto-update status of other types
* Presume auto-update when the installation of the theme was through an auto-update
* Have a global setting for auto-updates (in general or for themes specifically)
* Do not install themes when auto-updating
* Have a setting on the settings page to toggle auto-updates for newly installed themes/plugins
* Probably more
I personally have a preference for the last option. This would make it
much easier for those wishing to have a full auto-update experience to not
have to worry about it, while they can still disable auto-updates for very
specific components.
In my view it's awesome that WordPress makes it possible for those with
few technical skills to actually maintain a website, but this specific
issue is a burden to them that I think could be eased.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/55321#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
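The first option on the list (implying theme auto-updates from the auto-update status of another component) can be approximated today with the existing `auto_update_theme` filter; the must-use plugin below is an added example, not code from the ticket or from WordPress core. It assumes the `auto_update_themes` site option (core's list of themes opted in from the Themes screen) and the `auto_update_core_major` option holding `enabled` or `disabled`; the `IMPLIED_THEME_AUTOUPDATE_EXCLUDE` constant is a hypothetical opt-out list introduced here.

```php
<?php
/**
 * Plugin Name: Imply theme auto-updates from the core setting (mu-plugin example)
 *
 * Added example, not part of the ticket or of WordPress core. When the site
 * has opted into major core auto-updates, every installed theme is also
 * auto-updated, so a bundled theme that arrives through a core update does
 * not sit unpatched. Place it in wp-content/mu-plugins/ so it cannot be
 * switched off from the dashboard.
 */

// Hypothetical opt-out list for themes an administrator edits by hand.
if ( ! defined( 'IMPLIED_THEME_AUTOUPDATE_EXCLUDE' ) ) {
    define( 'IMPLIED_THEME_AUTOUPDATE_EXCLUDE', array() );
}

add_filter( 'auto_update_theme', function ( $update, $item ) {
    // Keep any explicit per-theme opt-in made on the Themes screen
    // (core stores those slugs in the auto_update_themes site option).
    $opted_in = (array) get_site_option( 'auto_update_themes', array() );
    if ( in_array( $item->theme, $opted_in, true ) ) {
        return true;
    }

    // Never widen updates for a theme the administrator excluded.
    if ( in_array( $item->theme, IMPLIED_THEME_AUTOUPDATE_EXCLUDE, true ) ) {
        return $update;
    }

    // Only imply theme auto-updates when the site already auto-updates
    // major core releases, which is how bundled themes get installed.
    if ( 'enabled' !== get_option( 'auto_update_core_major', 'disabled' ) ) {
        return $update;
    }

    // Sanity check: the update item must refer to a theme that is
    // actually installed before we opt it in.
    $theme = wp_get_theme( $item->theme );
    if ( ! $theme->exists() ) {
        return $update;
    }

    return true;
}, 10, 2 );
```

The Site Health screen and the Themes list will show the implied themes as auto-updating, so an administrator can still see what this changes.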