[wp-trac] [WordPress Trac] #54598: Site Health makes downright wrong and dangerous suggestions
WordPress Trac
noreply at wordpress.org
Sun Mar 23 17:49:48 UTC 2025
#54598: Site Health makes downright wrong and dangerous suggestions
--------------------------+------------------------------
 Reporter:  peterhoegsg   |       Owner:  (none)
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Site Health   |     Version:
 Severity:  normal        |  Resolution:  invalid
 Keywords:                |     Focuses:
--------------------------+------------------------------
Changes (by qf0wp):

* status: new => closed
* resolution: => invalid

Comment:

No progress?

I absolutely agree with @peterhoegsg. I turn off WP auto updates on my
servers and I don't want users mailing me saying that this is a critical
issue, because it isn't.

Ok, I enable auto security updates on the base Linux server, but WordPress
is a completely different matter. The whole world is out there trying to
get in through the web server and PHP, so WP is locked down: PHP can't
access ''anything'' that isn't necessary for site functionality. The auto
updater completely ignores this philosophy, and is just dangerous - it
requires me to leave the PHP code permanently vulnerable.

And, of course, we all know that security updates can themselves be
dangerous - CrowdStrike anyone?

I have no problem with anyone else turning on auto security updates, but
if I purposefully set WP_AUTO_UPDATE_CORE false then I really shouldn't be
getting messages about critical issues.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/54598#comment:15>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform