Support » Requests and Feedback » Auto Instal Of 2020 and 2019 Themes During Updates

  • A number of times I have noticed that during WordPRess Core updates the TwentyNineteen and TwentyTwenty Themes get installed automatically.

    As per good security process I remove all un-needed code to ensure a smaller attack surface for crackers.

    One part of this is removing all unused themes. These themes are not 100% secure, as evidenced by security updates etc in the past.

    What is now happening is during some updates the themes are getting re-installed. I just rescued a site with WP 4.9 on it, got the code up to scratch and ran updates. 2019 and 2020 themes were reinstalled – and then to add insult to injury stated they were out of date versions and themselves needed to updated to a more modern version (0.5 version leap from memory).

    1 – Core updates should never add in themes, plugins and other similar code. That’s purely a user’s choice
    2 – Core updates are for just that – core. Not extra code like themes.

    Is there some way to ensure this doesn’t happen again. Its happened a few times. The first couple I thought I was getting old and and forgotten to clean them out – but a test proved it wasn’t me going nuts.

    I know how to stop it – make folders with the same names as the themes and lock them at file level – but I suspect that would just add a failure to the updates process.

    TIA

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    The default themes are part of the core and maintained by the core team. They are not “extra” and they will be installed as part of core updates.

    The default theme should not be removed as it is there as a backup, and the core software is hardcoded to switch to it when necessary.

    Thanks for the response but I disagree.

    The wordpress security pages themselves state that extra code should be removed for security and also state, explicitly mentioning 2020 , that it can be removed for security purposes.

    A theme is not core wordpress. There is a requirement for a theme to be present but not the 2020 theme.

    Further more even if 2020 was required it does not require 2019.

    This update breaks WP security recommendations and good security practice.

    It’s also another example of the creeping loss of control users are experiencing with WP.
    Thanks
    Shane

    Look I don’t appreciate things being marked resolved when they aren’t.

    WordPress is breaking security in its updates.

    Seriously – Don’t just mark this as resolved all the time – its not resolved. Actually engage with your users

Viewing 4 replies - 1 through 4 (of 4 total)
  • You must be logged in to reply to this topic.