Bug#1118951: marked as done (wordpress: Debian WordPress patches break auto-updates with contradictory permission checks)

[Debian Bug Tracking System]

Your message dated Mon, 19 Jan 2026 20:27:54 +1100
with message-id 
<CALy8Cw6TONg1qrUp6sTWiGKO8u=5vTmJ4x4DGCKmkxVwtif=q...@mail.gmail.com>
and subject line Re: wordpress: Debian WordPress patches break auto-updates 
with contradictory permission checks
has caused the Debian Bug report #1118951,
regarding wordpress: Debian WordPress patches break auto-updates with 
contradictory permission checks
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1118951: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118951
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: wordpress
Version: 6.8.1+dfsg1-1
Severity: important
X-Debbugs-Cc: thomaslloa...@gmail.com

Dear Maintainer,

Dear Debian WordPress Maintainers,

I am reporting a usability and compatibility issue with the Debian-packaged
WordPress (version 6.8.1+dfsg1-1) that makes automatic updates impossible
without manual intervention, due to conflicting permission checks and core
file modifications. This issue persists in testing/unstable (6.8.3+dfsg1-1,
verified at
https://salsa.debian.org/php-packages/team/wordpress/-/blob/debian/6.8.3%2Bdfsg1-1/debian/patches/series),
as the problematic patches remain unchanged.

### Summary
The Debian package modifies core WordPress files (e.g.,
wp-admin/includes/class-wp-site-health-auto-updates.php) with patches that:
- Rename and invert the logic of `test_all_files_writable` to
`test_all_files_unwritable`, using `is_writable()` (without `!`) to flag
writable core files (e.g., wp-cron.php, wp-blog-header.php) as a security
failure in Site Health ("Some files are writable by WordPress").
- Add `test_debian_note` to note "Updates are managed by the Debian package
system".

This creates a contradiction:
- Site Health marks writable core files as a **failure** (security risk).
- But WordPress auto-updates **require** writable core files (e.g.,
wp-admin/includes/update-core.php) and fail with "Permission denied in
class-wp-filesystem-direct.php:309" due to Debian's strict permissions
(644, owner root).

The official WordPress 6.8.3[](
https://github.com/WordPress/WordPress/blob/6.8.3/wp-admin/includes/class-wp-site-health-auto-updates.php)
uses `test_all_files_writable` with `! is_writable()` to ensure directories
like wp-content are writable for updates, without flagging core files as
risky.

Debian's approach prioritizes security (non-writable core files = good) but
breaks auto-updates, a core WordPress feature. Users expecting standard
behavior (e.g., WP_AUTO_UPDATE_CORE = true) must:
- Temporarily set `chown www-data:www-data` and `chmod 664` on core files
(contradicting Site Health).
- Or use `apt install --only-upgrade wordpress`, which lags behind official
releases (e.g., Debian 12 Bookworm has 6.8.1 vs official 6.8.3).

These patches disrupt the user experience by altering core WordPress
behavior without clear documentation or an opt-in for auto-updates.

### Steps to Reproduce
1. Install WordPress via `apt install wordpress` on Debian 13.1.
2. Site Health reports "Some files are writable by WordPress" (e.g.,
wp-cron.php) as a failure.
3. Enable auto-updates in wp-config.php: `define('WP_AUTO_UPDATE_CORE',
true); define('FS_METHOD', 'direct');`.
4. Attempt update to 6.8.3 via Dashboard > Updates: Fails with "The update
cannot be installed because we will be unable to copy some files. This is
usually due to inconsistent file permissions.:
wp-admin/includes/update-core.php" and "Permission denied" error.

### Expected Behavior
- Debian package should align with upstream WordPress auto-update
standards: Focus Site Health checks on writable directories (wp-content,
plugins) rather than flagging core files as risky.
- Or, explicitly disable auto-updates in the admin interface with a clear
notice linking to `apt` instructions, and avoid modifying core files to
invert upstream logic.
- Provide documentation in README.Debian on enabling auto-updates safely
(e.g., a script to toggle permissions).

### Workaround (Temporary)
- Temporarily: `sudo chown -R www-data:www-data /usr/share/wordpress &&
sudo chmod -R 664 /usr/share/wordpress/wp-admin
/usr/share/wordpress/wp-includes && sudo chmod 664
/usr/share/wordpress/*.php`.
- Update via admin interface.
- Revert: `sudo find /usr/share/wordpress -type f -exec chmod 644 {} \; &&
sudo find /usr/share/wordpress -type d -exec chmod 755 {} \; && sudo chown
-R root:root /usr/share/wordpress && sudo chmod -R 775
/usr/share/wordpress/wp-content && sudo chown -R www-data:www-data
/usr/share/wordpress/wp-content`.

This workaround is cumbersome and contradicts Site Health recommendations,
making the package frustrating for users.

### Proposed Fix
- Update the package to upstream 6.8.3 and revise patches: Replace
`test_all_files_unwritable` with `test_all_files_writable` (align with
upstream), or make it optional via a config flag.
- Add upstream coordination: Submit patches back to WordPress for better
Debian support (e.g., a "packaged mode" flag).
- Improve documentation: Include a section in README.Debian on enabling
auto-updates safely.

This issue persists in testing/unstable (6.8.3+dfsg1-1) and affects
usability, forcing manual workarounds. Auto-updates worked fine before
Debian's stricter patches. Please prioritize this for the next upload.

References:
- Official WordPress 6.8.3 source:
https://github.com/WordPress/WordPress/blob/6.8.3/wp-admin/includes/class-wp-site-health-auto-updates.php
- Debian patches:
https://salsa.debian.org/php-packages/team/wordpress/-/blob/debian/6.8.3%2Bdfsg1-1/debian/patches/series
- Similar upstream issues:
https://wordpress.stackexchange.com/questions/385330/wordpress-update-this-is-usually-due-to-inconsistent-file-permissions-wp-adm

Thank you for maintaining the package. I appreciate your work on security
but hope for better compatibility with upstream features.

Best regards,
Thomas LLOANCY
thomaslloa...@gmail.com

-- System Information:
Debian Release: 13.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.14.3-x86_64-linode168 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE
not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages wordpress depends on:
ii  apache2 [httpd]                         2.4.65-2
ii  ca-certificates                         20250419
ii  default-mysql-client                    1.1.1
ii  libapache2-mod-php                      2:8.4+96
ii  libapache2-mod-php8.4 [libapache2-mod-  8.4.11-1
    php]
ii  libjs-cropper                           1.2.2-2
ii  libjs-lodash
 4.17.21+dfsg+~cs8.31.198.20210220-9
ii  libjs-underscore                        1.13.4~dfsg+~1.11.4-3
ii  mariadb-client [virtual-mysql-client]   1:11.8.3-0+deb13u1
ii  nginx [httpd]                           1.26.3-3+deb13u1
ii  php-gd                                  2:8.4+96
ii  php-getid3                              1.9.23+dfsg-1
ii  php-mysql                               2:8.4+96
ii  php8.4-gd [php-gd]                      8.4.11-1
ii  php8.4-mysql [php-mysqlnd]              8.4.11-1

Versions of packages wordpress recommends:
ii  wordpress-l10n                    6.8.1+dfsg1-1
ii  wordpress-theme-twentytwentyfive  6.8.1+dfsg1-1

Versions of packages wordpress suggests:
ii  mariadb-server [virtual-mysql-server]  1:11.8.3-0+deb13u1
ii  php-curl                               2:8.4+96
ii  php-imagick                            3.8.0-2
ii  php-mbstring                           2:8.4+96
pn  php-ssh2                               <none>
pn  php-xml                                <none>
ii  php-zip                                2:8.4+96
ii  php8.4-curl [php-curl]                 8.4.11-1
ii  php8.4-imagick [php-imagick]           3.8.0-2
ii  php8.4-mbstring [php-mbstring]         8.4.11-1
ii  php8.4-zip [php-zip]                   8.4.11-1

-- Configuration Files:
/etc/wordpress/htaccess changed [not included]

-- no debconf information

-- 
*Determinets.com <http://determinets.com>*

--- End Message ---

--- Begin Message ---

> I am reporting a usability and compatibility issue with the
Debian-packaged
> WordPress (version 6.8.1+dfsg1-1) that makes automatic updates impossible

No, that's actually done on purpose. You have two options

#1 You use Debian packages and Debian updating. In this case you do not
want your wordpress files in /usr/share/wordpress to be writable to the
webserver and you do not want to use the WordPress updates.

#2 You do not use the Debian packages and download WordPress directly off
their website. In this case you do want the webserver to be able to write
to the files (and they probably should not be in /usr/share/wordpress too)
and you use the WordPress automatic updates.

Having something remotely download and update the contents of a Debian
package fundamentally breaks how Debian packaging works.

It's one or the other, you cannot mix the two.

 - Craig

--- End Message ---