scottadixon

So I had a reply to my question (from a user called teslapiphone), but I can only see it via the emailed version I got, for some strange reason I cannot see the reply on here. So I am going to copy it here, and respond to each part in turn.

The “critical issue” regarding auto-updating plugins and themes in the Site Health section of WordPress is a default recommendation to ensure that your site remains secure and up to date. While it’s understandable that you may have valid reasons for disabling auto-updates, WordPress considers this an important security measure to prevent vulnerabilities from outdated plugins or themes.

I understand that for people using third-party plugins and themes keeping them up to date is important. In this case though, the theme and plugins on the sites I am referring to are coded by me, and they do not have auto-updating code in them. I update them when I make updates to the codebase. The only thing not mine is WP itself, and the TwentyTwentyThree theme, which WP recommends is always installed as a fall-back, and if it’s not the active theme, then auto-updates are disabled by WP, not me.

I appreciate you are simply answering my query, so these comments are not directed at you, but it does seem over the top to present a “critical issue” warning for something that is essentially unfixable. I cannot turn on auto-updates for the only thing on the system that supports it (i.e. the inactive fall-back theme) as WP turns off auto-updates for it.

The phrase “but settings are still set to be displayed” refers to the fact that even though you have disabled auto-updates, the option to enable them is still visible in the WordPress admin settings. This can be misleading because it gives the impression that auto-updates are available and active, when in reality, they are disabled.

I honestly cannot see how the option to enable auto-updates is remotely misleading. It does not give the impression they are active/enabled, and even if it did, surely the better approach would be to fix that, rather than present some hyperbolic warning about what is essentially a non-problem.

To address this issue, you have a few options:

• Enable auto-updates selectively: Instead of enabling auto-updates for all plugins and themes, you can choose to enable them for specific ones that are trustworthy or critical to your site’s security. This way, you can ensure that essential updates are applied automatically while retaining control over the rest.
• Implement manual updates: If you prefer to have complete control over the update process, you can manually update your plugins and themes whenever new versions become available. This approach requires you to regularly check for updates and apply them manually, ensuring that your site remains secure.
• Use a plugin for granular control: There are plugins available that provide more granular control over auto-updates, allowing you to customize the update settings for individual plugins and themes. For example, you can check out the “Easy Updates Manager” plugin, which offers various options for managing auto-updates. Website: https://www.ads-software.com/plugins/stops-core-theme-and-plugin-updates/ ( https://www.ads-software.com/plugins/stops-core-theme-and-plugin-updates/ )

As I explained in my original post, the theme is developed by me, as are the plugins installed. I know it is common practice for WP users to utilise themes and plugins they didn’t develop, but that is not the case here. I understand the WP system does not understand that, but it certainly does understand that none of the plugins nor the theme contain any auto-update code, and the only thing that does is WP itself and the 2023 theme, which is inactive and WP disabled auto-updates for that the moment I switched to my theme.

Regardless of the approach you choose, it’s important to regularly update your plugins and themes to keep your site secure. If you opt for manual updates or selective auto-updates, make sure to regularly review and apply the available updates to maintain the integrity and security of your WordPress sites.

I do that by updating the code myself when needed. IMHO the WP system needs more nuance when deciding on what to apply the classification of “critical issue” is.

It’s worth noting that the critical issue warning is a general recommendation, and while it’s prudent to keep your plugins and themes up to date, the decision ultimately rests with you as the site owner, taking into account your specific requirements and circumstances.

Again, IMHO “general recommendation” != “critical issue warning”. It certainly is prudent to keep them up to date I agree, but where no auto-update code exists, a warning about auto-updates seems erroneous. When warning about auto-update functionality that is disabled by the system giving you the warning (i.e. the 2023 theme) that also seems erroneous, and unhelpful as it can cause potential alarm where none needs to exist.

As I said, I appreciate your response, even though I cannot see it on this forum, and so please don’t take any of what I have written to be negatively directed at you. Perhaps the WP team could consider tweaking the warning in some way to have it only show when relevant, and to actually make sense.

WP is a great product, that’s why I use it, so please take this feedback as intended, i.e. as constructive ??

Cheers,
Scott