Less alarmist Risk indicators
Philippe Braun
It would be nice if there was a way to select which risks are displayed on the Sites overview, or to weight those risks.
To me, one or multiple non-active plugins or themes seem a lot less risky than e.g. a plugin that has a known security risk, and they should not be the cause for an alarmingly red icon; I'd put deleting unused / deactivated plugins strictly under «best practice», not «active risk».
Aurelio Volle
Merged in a post:
Ignore indexable risk
Leif Kajrup
Be able to mark indexable as an ignored risk. Sometimes we want a site to not be indexed, if it is a staging site, or maybe an extranet or somehow a site with restricted access. Then we don't want the risk warning that the site is not indexable, if that is by choice.
Aurelio Volle
Merged in a post:
Separate Indexing Status from Security Assessment/Badge
Victor Santillan
I have a site intentionally set to “no-index” due to its nature as a private membership site. WP Umbrella flags this as a security issue (red badge), which doesn’t accurately reflect a vulnerability.
To improve user experience, I propose detaching indexing status from the security assessment or adding a confirmation option for users who intentionally set their sites to “no-index.” This way, the badge will reflect actual security risks and reduce warning fatigue.
Aurelio Volle
Merged in a post:
Please stop shouting wolf wolf
Rune Rasmussen
We have previously looked at https://wp-umbrella.canny.io/features-request/p/correct-the-missleading-your-php-version-is-outdated - which in my opinion still is a bit problematic.
Then we also have this one about the mails sent for plugin "vulnerability": https://wp-umbrella.canny.io/features-request/p/plugin-vulnerability-priority
Taking that further we now have a "big red flag" in WP-Umbrella about "Perfect Brands WooCommerce", with a scary 85 (8.5) rating. But when you follow the link on it to Patchstack, they have a totally different story to tell: it has such low priority that they don't even care to patch it, as it is unlikely to be exploited.
Continuing this way, people will probably start ignoring your "red flags", just as in the story "The Boy Who Cried Wolf".
So, if you're using the general score from Patchstack, consider changing that to rather use their actual priority, which in this case is LOW. And also stop flagging low priority "issues" with red etc., rather use traffic lights.
Just my 5 cents...
Rune Rasmussen
Today I got a mail about a vulnerability in WooCommerce, telling me "Immediate Action Required" and also:
"Secure Now, Update Later
Activate the Site-Protect add-on to automatically block known vulnerabilities even before plugin authors release a fix."
Going into WPU it didn't display any issues on the site in question, I had to do a new scan first. Then following the link to Patchstack, it tells me it has a general 5,9 rating, while it actually is a "Low priority - Mitigation unnecessary" in WP world. Which means adding site protection has no value at all, they don't do anything about this as it's unlikely to be exploited - again ...
Please ...
*Turning off the mails now, and ignoring your red flags - I trust Wordfence more on those things.
Michael
Absolutely agree!
Michael
+1 ... already reported this as a bug to the support team. Ideally the check can be reversed, so if the private member site ever becomes visible it's flagged as an error...
Victor Santillan: did you also notice that the uptime monitor is not very reliable for sites that are set to noindex?
Victor Santillan
Michael That might be a useful feature for some, to set the preferred indexing status and to alert if it changes. I haven't had issues with the uptime monitor, so far it's worked great for me. How many sites set to noindex do you manage with WP Umbrella? I currently only have one; so my experience is quite limited here.
Phil B.
Maybe an option to «mark» some risks as hidden would help.
We're also working with SpinupWP Environment and all sites have 1 risk (Your WP_DEBUG is set to true).
I hate getting flashed by any risk indicators! 😀
tijn22
+1 for this suggestion. The risks indicator on the main Sites overview screen should not display lower-risk issues that are listed under "needs attention" such as inactive plugins and inactive themes. There may be a good reason why a plugin/theme is inactive, and it's easy to neglect more serious vulnerabilities if these low risks are prominently displayed on the overview screen.
Philippe Braun
The «Debug mode available» risk also should be selectable: SpinupWP installations by default have debug set to TRUE, but writing to the log file, where they pose little if any risk.
Gabriel
Good and reasonable suggestion! The same with inactive plugins. These should not be classified as "risk" respectively should be able to be marked as ignored risk as there can be many reasons to deactivate a plugin, e.g. only temporarily or similar. Deactivating a plugin does not mean that you will no longer use it and it should be deleted.