WordPress “Site Health Status”: trust it or myself for its security advice?


I’m using WordPress to host a few sites. Lately it includes this feature called Site Health Status. This information has in part been valuable, but it also itches me the wrong way somehow that I can’t get it to show "green" due to something I’d consider non-issues 😉

Here is how the "critical issue" looks.

[Screenshot: relevant snippet from Site Health Status]

Here’s the relevant text excerpt, because search engines aren’t all too good with indexing text from screenshots:

1 critical issue

Background updates are not working as expected [Security]

Background updates ensure that WordPress can auto-update if a security update is released for the version you are currently using.

  • Warning The folder /vhosts/sitename was detected as being under version control (.hg).
  • Error Your installation of WordPress prompts for FTP credentials to perform updates. (Your site is performing updates over FTP due to file ownership. Talk to your hosting company.)

The folder /vhosts/sitename is indeed under version control and the actual blog is under /vhosts/sitename/blog and that’s what the web server serves as webroot. However, /vhosts/sitename/wp-config.php contains the blog configuration. As WordPress allows it to live outside of the webroot, that’s what I opted for, for security reasons. Anyway, the conclusion from this first (yellow) point should be that there’s no way anyone could glean the contents of the version control system, since it lives entirely outside the webroot.

The second (and red) point is about FTP credentials. This one I find particularly unnerving. I have scripts in place, I have 2FA, and the servers in question are only accessible via SSH (and by extension SFTP). WordPress doesn’t support SFTP, nor would I want to enable this at all. In fact the files inside the webroot have tight file modes so that even in case a breach occurred very little could be done. In other words, I am updating WordPress in a semi-automated fashion triggered manually. Unlike some setups of WordPress I have seen or administered in the past with FTP enabled, I haven’t had a breach, going by all the indicators I have available. So to me this is the desired setting. But someone decided to categorize this as a critical issue.

So my questions (two actually):

  • Is there a way to dismiss and ignore these exact two items in the future?
  • Should I trust some WordPress dev who doesn’t know my exact setup more for security advice than myself or should I spend (mental) energy on actively ignoring the issue (under the assumption that it can’t be dismissed and ignored for the future)?

NB: I am not interested in having the overall feature (or the visible widget) removed. I simply want this feature to be valuable and that means not raising the alarm when nothing is wrong, as far as I’m concerned.
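As an added illustration (not part of the question above, and not code from the WordPress project): the list of checks the Site Health screen runs passes through the `site_status_tests` filter in `WP_Site_Health::get_tests()`, so a site owner who has deliberately chosen manual updates can drop the "Background updates" test from that list rather than having to mentally ignore a permanent red item. The snippet below is a hypothetical must-use plugin; the file name and the `ABSPATH` guard are assumptions. It only changes what the Site Health page reports, it does not touch update behaviour, file ownership or the `.hg` checkout, and the remaining tests (core, plugin and theme version checks among them) still run, so the dashboard keeps flagging things that actually change.

```php
<?php
/**
 * Plugin Name: Site Health: drop the background-updates test
 * Description: Hypothetical mu-plugin (example, not WordPress core code).
 *              Drop into wp-content/mu-plugins/ (path assumed) to remove the
 *              "Background updates" check from the Site Health list on a site
 *              that is updated manually on purpose.
 */

// Refuse to run outside of WordPress (guard assumed for this example).
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Remove the background-updates test from the Site Health test list.
 *
 * $tests is an array keyed by 'direct' and 'async'; the background-updates
 * test has lived under 'async' (it is run over REST), but both keys are
 * cleared so the snippet keeps working if a future release moves it.
 *
 * @param array $tests Test definitions as built by WP_Site_Health::get_tests().
 * @return array Filtered test definitions.
 */
function example_drop_background_updates_test( array $tests ) {
    foreach ( array( 'direct', 'async' ) as $group ) {
        if ( isset( $tests[ $group ]['background_updates'] ) ) {
            unset( $tests[ $group ]['background_updates'] );
        }
    }
    return $tests;
}
add_filter( 'site_status_tests', 'example_drop_background_updates_test' );
```

The trade-off to keep in mind is that the same test is also what would flag a genuine regression later (for example a file-ownership change after a host migration), so it is worth keeping a note of why the test was removed, or pairing the removal with whatever script or cron job performs the manual update so that failures surface somewhere else.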