[wp-hackers] wordpress security
Lynne Pope
lynne.pope at gmail.com
Mon Oct 19 00:10:33 UTC 2009
2009/10/17 Jeff Chandler <jeffc at wptavern.com>
> ....
>
> When I first started using WordPress, I signed up to the WordPress
> Announcements mailing list because I wanted to be notified of when a new
> update was available via Email because I check email 100 times a day versus
> RSS feeds or the dashboard. Well, that list is as good as dead. The only
> time I've received an email from that list is a big announcement email
> regarding WordPress 2.7 from Matt Mullenweg. That's it, in the span of two
> years. So this would turn the WP Announcements mailing list into something
> automated controlled by the blog owner for the site administrator since the
> middle man ain't cutting it anymore.
>
I am opposed to adding an email alert function into the core for two
reasons:
1. Users can become reliant on receiving an email to alert them to the
availability of an upgrade. If the email does not arrive they will feel
confident that there hasn't been an upgrade.
The non-techy user may not understand that the emails may be getting caught
by spam filters. They may also not be aware that their servers do not
necessarily allow PHP Mailer. You just have to look at the forums to see how
many people complain, "my email doesn't work". Those who need the SMTP mail
plugin would be capable of also installing the email notification to admin
plugin.
Even so, an email to an admin can cause issues. A site may have several
admins without clear roles as to who does what. A blog admin is not
necessarily the same person who is responsible for keeping the site updated
- these people, who may have server but not blog admin status, need to be
able to get notifications.
2. I don't feel that a new core feature is needed. It's simply a bandaid
for the projects lack of clear communication channels.
We have feeds, blog announcements, dashboard notices, dashboard feeds, and
hundreds of blogs that leap into action with announcements anytime anything
changes. We even have a WordPress Twitter account people can follow, and a
feed from this if people want to keep track of it in a feed reader.
What is lacking is a centralised, "should subscribe to" place for receiving
important notices. The WP Announcements list is a logical place for this. A
"Subscribe to Announcements" link underneath the download link on the
WordPress home page would encourage people to subscribe to this list. Adding
this to the readme in the core would also encourage newcomers to subscribe -
especially if it was accompanied by a notice saying that the mailing list is
used for announcements about new releases and security patches.
I agree with Nathan and others that more can be done to educate
inexperienced users. I just don't agree with the concept of emailing admins
from within WordPress itself.
Lynne
http://twitter.com/elpie/
More information about the wp-hackers
mailing list