[wp-hackers] wordpress security

Chris Jean gaarai at gaarai.com
Fri Oct 16 18:33:36 UTC 2009

Nathan is making a great point here, and I think a large number of
people are missing it. The idea of the notification isn't for people
like those of us reading this thread. The regular everyday WordPress
site admin is not subscribed to this list; they have no voice here.
Thus, it is our responsibility to try to anticipate what those missing
voices would say.

There are people who have said that admins can easily subscribe to an
RSS feed. Great, who will tell them about the RSS feed and what it means
to them? There certainly isn't such a notification currently.

In addition, even as a techy person, I hate RSS. I'm going to run yet
another program to demand my attention? No thanks. Most people that run
a WP site use email; a significantly smaller portion also actively check
RSS feeds.

There are those here who have voiced an opinion that it is an annoyance
as they have a multitude of blogs. Oh well... Deal with it. Most people
are only going to have one to three blogs, a very manageable number.

The reason that such an email notification feature is a recommendation
is to help those who aren't like the members of the hackers list and
don't keep up with all the latest WP buzz. So, for members of this list
to say that they wouldn't like it, oh well, it's not aimed at you, it's
aimed at everyone else.

Some people are saying that only nerds need apply when running a
WordPress blog. Really? Are we elitist now? The idea of WordPress is
that even your average non-techy person can run their own site easily.
The fact of the matter is that having more non-techy people on WP helps
WP keep growing and diversifying. How about we give the non-techy person
a hand and help them deal with security in a smart/informed way?

I fully back Nathan's idea. I think that having it in core and not as a
plugin is essential.

g30rg3_x says that it will only be acceptable if it includes plugin
update notifications. I think that expanding the functionality to
plugins would be great. However, I think we should do this a step at a time.

    * First, add the WP version update email message to core.
    * Second, polish out any kinks from the implementation and get feedback.
    * Third, looking at the feedback, implement a system that notifies
      about plugin update availability as well. This notification period
      can be tuned to notify immediately as new versions are available,
      provide a daily digest of updates, provide a weekly digest, or
      turn it off.

That's my recommendation. If we throw everything at everyone
immediately, a huge backlash will form, and a good idea would be wasted
due to hasty implementation.

Chris Jean

Nathan Rice wrote:
> No, because I subscribe to all the WordPress feeds, random WP-related blogs,
> and follow countless people on Twitter that are happy to notify me when a
> new version is released. I don't need to be alerted by email. Plus, I don't
> use the automatic upgrade feature. All my blogs are updated via SVN once per
> hour.
> I'm not normal.
