“Critical” plugin updates
-
Hello and thanks for providing this free WordPress plugin!
I find it very unfortunate that Wordfence regards every new plugin update – even if someone has only corrected a spelling error – as a CRITICAL issue. Means that I had to turn off notifications for critical issues, and when something seriously bad is going on, I will not get the memo. Maybe downgrade those routine updates to “high” serverity level and leave the critical warnings for confirmed threats? Thanks for considering.
-
Thanks for the clarification. The message I received reads as follows:
Critical Problems:
- The Plugin xyz needs an upgrade (1.2.3 -> 1.2.4).
Update includes security-related fixes.
Vulnerability Severity: 6.4/10.0 (Medium) Vulnerability Information
https://ww.wp.xz.cn/plugins/xyz/#developers9 existing issues were found again and are not shown.
There are two things I find confusing:
- I received a critical alert because of a medium vulnerability (in this case, storerd cross site scripting by contributors on a site that doesn’t allow for contributors and that doesn’t even have the plugin activated). Of course it would be best to receive critical alerts for vulnerabilities only that pose an actual threat to my site(s). So I’m wondering about the threshold – will I receive critical alerts for plugin updates with “low” vulnerability severity as well?
- If the alert is set to critical only, imho I should not be told how many existing issues were found again, but rather how many critical issues were found again (if any). To me, security alerts are only as useful as the time they save: I am alerted so I don’t have to check myself. But if the alerts suggest that I might have overlooked something, the usefulness diminishes – first time I will go and check, second time I might ignore the message altogether, which defeats the purpose of receiving such alerts in the first place.
The topic ‘“Critical” plugin updates’ is closed to new replies.
