WordPress “Site Health Status” trust it or myself for its security advice?

Đã có trọn bộ đề thi thử THPT Quốc Gia 2022 các môn: vip.dethihsg247.com
Hàng ngàn mã giảm giá shopee 0đ hôm nay cập nhật tại đây

I’m using WordPress to host a few sites. Lately it includes this feature called Site Health Status. This information has in part been valuable, but it also itches me the wrong way somehow that I can’t get it to show “green” due to something I’d consider non-issues 😉

Here is how the “critical issue” looks.

Relevant snippet from Site Health Status

Here’s the relevant text excerpt, because search engines aren’t all too good with indexing text from screenshots:

Background updates are not working as expected [Security]

Background updates ensure that WordPress can auto-update if a security
update is released for the version you are currently using.

The folder /vhosts/sitename is indeed under version control and the actual blog is under /vhosts/sitename/blog and that’s what the web server serves as webroot. However, /vhosts/sitename/wp-config.php contains the blog configuration. As WordPress allows it to live outside of the webroot, that’s what I opted for out of security reasons. Anyway, the conclusion from this first (yellow) point should be that there’s no way anyone could glean the contents of the version control system, since it lives entirely outside the webroot.

The second (and red) point is about FTP credentials. This one I find particularly unnerving. I have scripts in place, I have 2FA, and the servers in question are only accessible via SSH (and by extension SFTP). WordPress doesn’t support SFTP nor would I want to enable this at all. In fact the files inside the webroot have tight file modes so that even in case a breach occurred very little could be done. In other words, I am updating WordPress in a semi-automated fashion triggered manually. Unlike some setups of WordPress I have seen or administrated in the past with FTP enabled, I haven’t had a breach, going by all the indicators I have available. So to me this is the desired setting. But someone decided to categorize this as a critical issue.

So my questions (two actually):

NB: I am not interested in having the overall feature (or the visible widget) removed. I simply want this feature to be valuable and that means not raising the alarm when nothing is wrong, as far as I’m concerned.

After setting define('FS_METHOD','direct'); in wp-config.php – as per recommendation from the one answer at this point – the message changed, but still shows as critical issue 🤨

After setting FS_METHOD=direct

Xin chào các bạn và quý Thầy Cô. Hãy nhập từ khóa mình muốn vào ô tìm kiếm trên Website để tìm kiếm mọi thứ hoặc trên google các bạn hãy nhập từ khóa + dethihsg247.com để tìm kiếm các bài viết của chúng tôi nhé.
  • Hiện tại chúng tôi có hơn 25 nghìn bài văn mẫu các thể loại.
  • Kho tài liệu, đề thi học sinh giỏi các lớp vô cùng phong phú.
  • Mỗi ngày cập nhật hơn 100 đề thi chất lượng từ các website bán tài liệu lớn.

Tải đề thi VIP với giá siêu rẻ tại Vip.Dethihsg247.Com