WordPressと同じ種類のコア更新を実行できるようにしたい Web サイトがあります。
Web サイトのコアを安全に更新できるようにするにはどうすればよいですか? どのような予防策を講じますか?
PHP スクリプトが自分自身を更新できるようになると、セキュリティ上の大きな脅威のように思えます。
If you really want, you can look at the source of /wordpress/wp-admin/includes/class-wp-upgrader.php
which is doing all the heavy lifting in the new background updates. Major releases (3.7 to 3.8, or 3.x to 4.x) require user input. It's just small patches that are coming in automatically.
Your WordPress installation pings the WP servers for available updates.
Your WP downloads archive from their server to yours, and unpacks the archive to a working directory.
Your WP deletes the package archive.
Your WP moves the new files from the working directory to their destination.
Your WP clears the working directory.
Your WP calls filters and hooks 'upgrader_process_complete' which may initiate some new code to execute in order to complete the patches.
Unless a hacker is able to trick WordPress into connecting to a non-WP server for update information or packages, you're getting approved file patches direct from WordPress servers api.wordpress.org
.