40 lines
1.7 KiB
Plaintext
40 lines
1.7 KiB
Plaintext
Automatic updates are a great way of making sure your application gets security updates as soon as they are available.
|
|
Once a vendor releases a security update, it is crucial to apply it in a timely manner before malicious actors exploit the vulnerability.
|
|
Relying on manual updates is usually too late, especially if the application is publicly accessible on the internet.
|
|
|
|
== Ask Yourself Whether
|
|
|
|
* there is no specific reason for deactivating all automatic updates.
|
|
* you meant to deactivate only automatic major updates.
|
|
|
|
There is a risk if you answered yes to any of those questions.
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
Don't deactivate automatic updates unless you have a good reason to do so. This way, you'll be sure to receive security updates as soon as they are available.
|
|
If you are worried about an automatic update breaking something, check if it is possible to only activate automatic updates for minor or security updates.
|
|
|
|
== Sensitive Code Example
|
|
|
|
[source,php]
|
|
----
|
|
define( 'WP_AUTO_UPDATE_CORE', false ); // Sensitive
|
|
define( 'AUTOMATIC_UPDATER_DISABLED', true ); // Sensitive
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
[source,php]
|
|
----
|
|
define( 'WP_AUTO_UPDATE_CORE', true ); // Minor and major automatic updates enabled
|
|
define( 'WP_AUTO_UPDATE_CORE', 'minor' ); // Only minor updates are enabled
|
|
define( 'AUTOMATIC_UPDATER_DISABLED', false );
|
|
----
|
|
|
|
== See
|
|
|
|
* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
|
|
* https://wordpress.org/support/article/editing-wp-config-php/#disable-wordpress-auto-updates[Wordpress.org] - Disable WordPress Auto Updates
|
|
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
|
|
|