1. 6

  2. 5

    This is a good thing but it relies on the greater evil; WordPress requires write permission to your document root folder. That’s one of the WordPress Original Sins that creates so many of the other issues. Web applications with auto update are inherently insecure because they have to be able to write to their entire folder structure.

    Verifying the integrity of the update archive is nice but that’s only one vector by which WordPress could be compelled to write to itself.
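An added example, not part of the original comment: a way to measure the exposure described above by listing which directories and PHP files under a document root a given identity (for instance the web server's user) can modify. The function names and the sample tree are hypothetical and constructed for illustration; only classic POSIX mode bits are evaluated, so ACLs and root privileges are out of scope.

```python
import os
import stat
import tempfile

def can_write(st, uid, gids):
    # Classic POSIX mode-bit check; ACLs, capabilities and root are out of scope.
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def writable_code_paths(docroot, uid, gids, code_ext=(".php",)):
    """Return (dirs, files) under docroot that uid/gids may modify."""
    dirs, files = [], []
    for root, _subdirs, names in os.walk(docroot):
        # A writable directory lets its entries be replaced even if they are read-only.
        if can_write(os.lstat(root), uid, gids):
            dirs.append(os.path.relpath(root, docroot))
        for name in names:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and name.endswith(code_ext) and can_write(st, uid, gids):
                files.append(os.path.relpath(path, docroot))
    return sorted(dirs), sorted(files)

def build_sample_tree(self_updating):
    """Constructed sample tree (not a real WordPress install), owned by the caller."""
    base = tempfile.mkdtemp(prefix="docroot-")
    uploads = os.path.join(base, "wp-content", "uploads")
    os.makedirs(uploads)
    code = [os.path.join(base, "index.php"), os.path.join(base, "wp-content", "plugin.php")]
    for path in code:
        with open(path, "w") as fh:
            fh.write("<?php // placeholder\n")
        os.chmod(path, 0o644 if self_updating else 0o444)
    for d in (base, os.path.join(base, "wp-content")):
        os.chmod(d, 0o755 if self_updating else 0o555)
    os.chmod(uploads, 0o755)  # uploads stays writable in both layouts
    return base

if __name__ == "__main__":
    me, groups = os.getuid(), set(os.getgroups())
    for self_updating in (True, False):
        dirs, files = writable_code_paths(build_sample_tree(self_updating), me, groups)
        print("self-updating" if self_updating else "locked down", dirs, files)
```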