[wp-trac] [WordPress Trac] #55321: Adding new themes in releases without a global theme auto-update setting renders installations insecure

WordPress Trac noreply at wordpress.org
Tue Mar 15 23:09:51 UTC 2022

#55321: Adding new themes in releases without a global theme auto-update setting
renders installations insecure
 Reporter:  bertvandepoel      |       Owner:  pbiron
     Type:  enhancement        |      Status:  assigned
 Priority:  normal             |   Milestone:  6.0
Component:  Upgrade/Install    |     Version:
 Severity:  normal             |  Resolution:
 Keywords:  reporter-feedback  |     Focuses:  ui

Comment (by bertvandepoel):

 Sorry everyone for the slow response on my end. I work with WordPress as a
 volunteer at a student non-profit, and my actual job and other
 responsibilities got a bit in the way.

 Our point of view is very much what @pbiron's last post describes. Most
 of the student organisations we host don't have a dedicated webmaster, and
 often it's "the boyfriend of a friend of a member who is a mathematician"
 and they vaguely understand. Often for them it's enabling auto-updates
 everywhere (after us pressuring them about security) and then only going
 to the dashboard to add a new post or update a page every few

 I understand that there are plenty of intermediate users who edit their
 themes, so I'm not asking to make auto-updating mandatory or anything like
 that (as some seem to fear). Mostly it's the fact that when a new version
 of WordPress is installed through auto-updates, it doesn't make sense that
 it brings along a new component that doesn't receive auto-updates and that
 can cause security issues without the user even knowing.

 There are several ways to solve this issue:
 * Imply auto-updates for themes based on the auto-update status of other
 * Presume auto-update when the installation of the theme was through an
 * Have a global setting for auto-updates (in general or for themes
 * Do not install themes when auto-updating
 * Have a setting on the settings page to toggle auto-updates for newly
 installed themes/plugins
 * Probably more

 I personally have a preference for the last option. This would make it
 much easier for those wishing to have a full auto-update experience to not
 have to worry about it, while they can still disable auto-updates for very
 specific components.

 In my view it's awesome that WordPress makes it possible for those with
 few technical skills to actually maintain a website, but this specific
 issue is a burden to them that I think could be eased.

Ticket URL: <https://core.trac.wordpress.org/ticket/55321#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
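For site owners who want the "full auto-update experience" the comment describes today, without waiting for a new core setting, the following must-use plugin is an added example (not part of the ticket, the reporter's post, or WordPress core). It relies on core's real `auto_update_theme` filter, which `WP_Automatic_Updater::should_update()` applies after consulting the `auto_update_themes` site option, so the filter's return value decides. The opt-out constant `EXAMPLE_THEME_AUTO_UPDATE_OPTOUT` and the function names are hypothetical, chosen for this example.

```php
<?php
/**
 * Plugin Name: Theme auto-updates on by default (added example)
 * Description: Treats every installed theme, including one bundled by a
 *              core release, as auto-updatable unless its slug is on an
 *              explicit opt-out list. Place in wp-content/mu-plugins/.
 *
 * Illustrative code written for this page, not WordPress core code.
 * It uses core's `auto_update_theme` filter (bool $update, object $item);
 * the opt-out constant below is a hypothetical name for this example.
 */

// Hypothetical opt-out list: comma-separated theme directory slugs that should
// keep manual updates, e.g. in wp-config.php:
// define( 'EXAMPLE_THEME_AUTO_UPDATE_OPTOUT', 'my-customised-theme,client-theme' );
if ( ! defined( 'EXAMPLE_THEME_AUTO_UPDATE_OPTOUT' ) ) {
    define( 'EXAMPLE_THEME_AUTO_UPDATE_OPTOUT', '' );
}

/**
 * Return the theme slugs an administrator has explicitly excluded from
 * automatic updates.
 *
 * @return string[]
 */
function example_theme_auto_update_optout_list() {
    $raw = (string) EXAMPLE_THEME_AUTO_UPDATE_OPTOUT;
    return array_values( array_filter( array_map( 'trim', explode( ',', $raw ) ) ) );
}

/**
 * Decide whether a given theme should receive automatic updates.
 *
 * Core only passes $update === true for themes whose slug is stored in the
 * `auto_update_themes` site option, so a theme that arrived with a core
 * release (never opted in by anyone) reaches this filter with false.
 * This flips the default: update unless the admin has opted the theme out.
 *
 * @param bool   $update Core's decision so far.
 * @param object $item   Update item; $item->theme is the theme's stylesheet slug.
 * @return bool
 */
function example_default_on_theme_auto_update( $update, $item ) {
    if ( ! is_object( $item ) || empty( $item->theme ) ) {
        return $update; // Unexpected item shape: leave core's decision untouched.
    }
    if ( in_array( $item->theme, example_theme_auto_update_optout_list(), true ) ) {
        return false; // Administrator explicitly excluded this theme.
    }
    return true;
}
add_filter( 'auto_update_theme', 'example_default_on_theme_auto_update', 10, 2 );
```

Because the decision is made per item at update time, a theme that core installs later is covered automatically, which is exactly the gap the ticket is about. Themes that are hand-edited and must not be overwritten go on the opt-out list; everything else stays patched. Verify the effect on a staging site by checking the per-theme auto-update state under Appearance > Themes, which core derives from the same filter.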
