[wp-hackers] wordpress security

Taunja Palmer-Stone tlpstone at gmail.com
Wed Oct 21 05:23:48 UTC 2009


I have been watching the discussion about sending an email when a security
update is available with interest. I am neither as savvy as most (any?) of
you on the coding side of things, nor as technically challenged as those who
need to hire someone to set up their blogs (if you're wondering what I'm
doing on the list, I'm watching & learning).

Today I received an email notification that there is a WordPress security
release. After months of (1) missing them and (2) signing up for the mailing
list promising e-mail updates on the WP.org download page, I made my own
from the official feed using FeedBurner. Works like a charm.

I don't blog regularly due to time restrictions and also have two
installations using WordPress more as a CMS (which is becoming a common use
for WordPress), so while the update notice is handy when I do log in, it's
not as helpful to me as it is to those who blog more regularly. The official
mailing list, for whatever reason, has not sent out a single e-mail in all
the time that I've been subscribed to it despite promises of notification
for new stable releases (I could have sworn it used to say 'updates' but
either way I never get anything from that list).

Even though I only had the link up for subscribing to this update-only feed
for a few months on one of my blogs that got very little traffic, I still
got other people signing up for it who found it through Google (I had posted
about my frustration at not getting e-mail updates & my solution).

There is a need for an e-mail notification system, but I agree that doing it
through the installation may not be the best approach. The existing mailing
list on WP.org, if it was used, might be the best solution: (1) voluntary,
(2) one e-mail per user instead of per installation for those with multiple
installations, (3) officially sanctioned, (4) not reliant on the server
being properly configured for email, (5) can't be turned off if the
WordPress installation is compromised.

If the text for the default first post was changed as has been suggested
earlier, information on how to subscribe could be included in that text.
Alternatively there is the heavy-handed approach of forcing people to sign
up before they can download WordPress (I'm not a fan of this method--I much
prefer voluntary).

Just a few thoughts from the sidelines,
Taunja



> ------------------------------
>
> Message: 2
> Date: Mon, 19 Oct 2009 18:11:36 +0100
> From: mrmist <listswphackers at mist.org.uk>
> Subject: Re: [wp-hackers] wordpress security
> To: wp-hackers at lists.automattic.com
> Message-ID: <Aq1KYaBI3J3KFwZ9 at dsl-217-155-35-239.zen.co.uk>
> Content-Type: text/plain;charset=us-ascii;format=flowed
>
> In message
> <f38206c90910190752p6257046bk217941cabb21feed at mail.gmail.com>, Jeremi
> Bergman <jeremib at gmail.com> writes
> >I would agree with this.  As an admin of multiple WP sites, I do not log in
> >to each admin panel unless needed to.
> >
> >Would be nice to get an email that said an update was available.
> >
>
> But then as an admin of multiple sites, you do not fit the supposed core
> target for such a feature, that being the average Jo user.
>
> A feature such as email inform might be useful, but it'd have to be
> pretty customisable - e.g. the to address not necessarily being the
> "admin" user - and warn users that the feature is dependent on server
> email config being correct.
>
> I also believe that the points made by others already in this thread,
> such as the aspect of creating reliance on such an email, are pretty
> valid and I could see it creating more support load in the forums than
> it solves.
>
> On balance, I'd say that the demographic that ignores or is bothered
> by the upgrade nag screen would ignore or be bothered by an email, and
> that those who fall outside of this demographic would have either
> already upgraded based on the nag screen, or represent a small enough
> set that it's just feature bloat to stick it in core.
> --
> mrmist
>
>
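The out-of-band notifier Taunja describes (watching the official release feed from somewhere other than the blog itself, so that points (4) and (5) above hold: it neither depends on the web host's mail setup nor can be switched off by whoever compromises the install) can be reproduced without FeedBurner with a small poller run from cron on a separate machine. The following is an added example, not code from the wp-hackers thread or from WordPress. It assumes the official feed is ordinary RSS 2.0 and that security releases can be recognised from their titles; the feed text, the guids and the links below are constructed sample data, and all function names are the example's own.

```python
"""Out-of-band check of a WordPress release feed for new security releases.

Added example, not from the wp-hackers thread. Assumes the official feed is
RSS 2.0 and that security releases say so in their title. SAMPLE_FEED is
constructed sample data, not real WordPress.org output.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional, Tuple

# Constructed sample feed (the real one would be fetched over HTTPS).
SAMPLE_FEED = """<rss version="2.0">
<channel>
  <title>Constructed sample release feed</title>
  <item>
    <title>WordPress 2.8.5: Hardening Release</title>
    <link>https://example.invalid/2.8.5</link>
    <guid isPermaLink="false">sample-2.8.5</guid>
    <pubDate>Tue, 20 Oct 2009 18:00:00 +0000</pubDate>
  </item>
  <item>
    <title>Constructed non-release news post</title>
    <link>https://example.invalid/news</link>
    <guid isPermaLink="false">sample-news</guid>
    <pubDate>Thu, 01 Oct 2009 12:00:00 +0000</pubDate>
  </item>
  <item>
    <title>WordPress 2.8.4: Security Release</title>
    <link>https://example.invalid/2.8.4</link>
    <guid isPermaLink="false">sample-2.8.4</guid>
    <pubDate>Wed, 12 Aug 2009 16:00:00 +0000</pubDate>
  </item>
</channel>
</rss>
"""

# Title words taken to mean "this release fixes security issues" (assumption).
SECURITY_WORDS = re.compile(r"\b(security|hardening)\b", re.IGNORECASE)
VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){1,3})\b")
EPOCH = datetime.min.replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Release:
    guid: str
    title: str
    link: str
    published: datetime
    version: Optional[Tuple[int, ...]]
    security: bool


def version_tuple(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the first dotted version in text as a comparable tuple."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def parse_feed(xml_text: str):
    """Turn RSS 2.0 text into Release records (feed is untrusted input;
    for production use defusedxml rather than the stdlib parser)."""
    root = ET.fromstring(xml_text)
    releases = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        link = (item.findtext("link") or "").strip()
        guid = (item.findtext("guid") or link or title).strip()
        date_text = item.findtext("pubDate")
        published = parsedate_to_datetime(date_text) if date_text else EPOCH
        releases.append(Release(guid, title, link, published,
                                version_tuple(title),
                                bool(SECURITY_WORDS.search(title))))
    return releases


def new_security_releases(releases, seen_guids, installed_version=None):
    """Security releases not yet reported and newer than what is installed."""
    installed = version_tuple(installed_version) if installed_version else None
    fresh = []
    for r in releases:
        if not r.security or r.guid in seen_guids:
            continue
        if installed and r.version and r.version <= installed:
            continue
        fresh.append(r)
    return sorted(fresh, key=lambda r: r.published)


def check_feed(xml_text, seen_guids, installed_version=None):
    """One poll: returns (releases to announce, updated seen-guid set).
    Persist the returned set between runs, e.g. in a file next to the cron job."""
    releases = parse_feed(xml_text)
    fresh = new_security_releases(releases, seen_guids, installed_version)
    return fresh, set(seen_guids) | {r.guid for r in releases}


if __name__ == "__main__":
    fresh, _ = check_feed(SAMPLE_FEED, {"sample-2.8.4"}, "2.8.4")
    for r in fresh:
        print(f"NEW SECURITY RELEASE: {r.title} <{r.link}>")
```

Run from cron on a box you control, with the real feed fetched over HTTPS in place of SAMPLE_FEED and the returned guid set written back to disk; whatever the script prints can go through that machine's own mail, which is exactly the property Taunja wants: the blog's server, and anyone who has taken it over, never has a say in whether the notice is sent.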

