The upgrade directory exists but is not writable

Since WordPress 6.3 I now see “The upgrade directory exists but is not writable” as a critical issue.

I’m surprised this has been added by WordPress as a critical issue, since removing writable access is a hardening strategy they actually document.

Should Roots add a MU plugin to disable this check?

I feel like that check has been there for a while.

Reading your linked recommendations I see that they document that the WP content directories should be writable.

/wp-content/

User-supplied content: intended to be writable by your user account and the web server process.

And no mention of the upgrade or upload folders that exist there, but they should also be writable.

You might check that the folder and file permissions are correct (744 and 644 respectively)

For Directories:

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

For Files:

find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

Why should it be writable? Composer is managing updates.

The notice has only appeared on our sites after upgrading to 6.3.

I mean it should be writable because their recommendations are that all folders in the content folder should be writable.

I had a hard time digging up the exact addition and found talk about the folder from 2021, and their automatic updating system existed for a while. This site health check was added in 6.3; I don’t think they will change it any time soon. It is critical to the core and plugin operations.

I’d even feel iffy about adding that check here in Bedrock as a MU plugin. In a development environment file modification is allowed, and I have, and I’m sure many users do, use the built-in upgrade systems to install plugins to upgrade for testing momentarily, and install and test plugins.

Also, since everything is managed by Composer, you might even question why let the folder even exist. I’m not sure that can be suppressed as easily as automatic updates with AUTOMATIC_UPDATER_DISABLED or hiding the notice from the health checks.

I understand that the majority of users would benefit from this warning, but this is the forum for Bedrock, where in production things are locked down. AUTOMATIC_UPDATER_DISABLED is already set to true in production and so are DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS which suggests to me this “critical issue” has become a Bedrock problem to solve if WordPress are keeping it here.

It also seems a bit silly that it doesn’t complain that the plugins and theme directories are not writable, but it does about the upgrade directory.

For now, I’ve just added the uploads directory with writable permissions but, since this is now another place where files can be maliciously written and executed, have disabled direct access from the webserver.

Maybe. But still, in development mode it is useful as plugin upgrades would work normally.

I don’t think Roots or Bedrock will add that as their own mu-plugin; looking at past pull requests, there was also one for automatic updating being inactive, but that was not accepted.

If you created a package for both of these health status checks it sounds like it would have a place in the docs.

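One way to write the MU plugin discussed in this thread, as an added example (not code from Roots, Bedrock, or any poster). It assumes the core Site Health test keys `update_temp_backup_writable` (the upgrade directory check) and `background_updates` (the automatic updates check), and a hypothetical file name under Bedrock's `web/app/mu-plugins/`; it leaves both checks in place wherever file modifications are still allowed, such as development.

```php
<?php
/**
 * Plugin Name: Site Health tweaks for locked-down installs (added example)
 * Description: Hides Site Health tests that assume WordPress can write to disk.
 */

// Hypothetical location: web/app/mu-plugins/site-health-locked-down.php

add_filter('site_status_tests', function (array $tests): array {
    // Keep every check when file modifications are allowed (e.g. development),
    // because there the built-in installer and updater are expected to work.
    if (!defined('DISALLOW_FILE_MODS') || !DISALLOW_FILE_MODS) {
        return $tests;
    }

    // Assumed key of the direct test that reports
    // "The upgrade directory exists but is not writable".
    unset($tests['direct']['update_temp_backup_writable']);

    // Assumed key of the async test that reports on background updates.
    // Only hide it when the updater was switched off on purpose.
    if (defined('AUTOMATIC_UPDATER_DISABLED') && AUTOMATIC_UPDATER_DISABLED) {
        unset($tests['async']['background_updates']);
    }

    return $tests;
});
```

This only changes what Site Health reports; directory permissions and the `DISALLOW_FILE_MODS` setting stay exactly as configured.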