[wp-hackers] wordpress security

Nathan Rice ncrice at gmail.com
Fri Oct 16 19:36:28 UTC 2009

On Fri, Oct 16, 2009 at 3:18 PM, Otto <otto at ottodestruct.com> wrote:

> If you're a non-techy person, then you shouldn't be hosting your own
> website in the first place. You should be using a service to do it for
> you, like WordPress.com or Blogger or *something*.

I think that's a bit off the mark. Everybody was a noob once. Even you.
Perhaps you had the good sense to use a hosted service, but the people I
work with don't. And I don't blame them. The hoops you have to jump through
in order to change minor things with your theme on WP.com are ridiculous.
Blogger is a joke. They want to buy or download themes from reputable people
and install them on their own site, and they probably want to use plugins too.

Bloggers aren't the only people who use WordPress. It's a different world
than it was 3 years ago. We can't keep pretending that beginners aren't
using WP. And we can't keep giving them the middle finger for doing so.
WordPress is popular BECAUSE of its low barrier of entry.

> If somebody is incapable of the absolutely minimal task of keeping
> their software up-to-date with the current set of tools provided to
> them, then it is my considered opinion that they should not be running
> WordPress or any other self-hosted website system, of any kind.

To someone, the process isn't minimal. You're not thinking like a normal
person, and neither am I.

> Emailing them won't change this. More tools of any kind to make it
> easier won't change this. The simple fact is that upgrading is
> literally one-button click on many hosting systems right now (if you
> ignore things like backups and such... I usually don't bother with
> backing up before upgrades anymore), and they can't even be bothered
> to do that.

Why have the notification at the top of the dashboard at all, then? Why
create the 1-click upgrade? If people can't upgrade with FTP, screw 'em,
right? They're not savvy enough to be using WordPress, right?

5t00p1d n00b5.

> Call me pessimistic, but you could have it sending flowers with a note
> that says "please upgrade your freakin' website" to their house, and
> they'd still not click that damn button.

We're talking about *a single checkbox,* a simple feature that sends a
single email when a new version is available. A considerable improvement
from the current notification system, and far short of the effort it would
take to send flowers to every WP user's door.

It's not bloat, it's just the next logical step. WordPress has been trying
to make upgrades easier and more seamless in the last couple of releases.
This is the cherry on top. Why skip it?

> Fact of the matter is that you can't help everybody. Adding yet
> another notification system is useless feature bloat. The people here
> discussing it won't use it, and those who don't upgrade will either
> turn it off, ignore the emails, mark it as spam, or stop using
> WordPress.

Do you really think that adding an email notification option will be
completely useless to the millions of WordPress users out there?

Good grief, if they don't like it, they can turn it off. I probably will.
But then, they have no reason to blame WordPress. They CHOSE to not receive
the notifications. WP will have removed every single obstacle from their
upgrade path. If they still get hacked, it's definitively their own fault.

In the current setup, there are plenty of scenarios where the user could
legitimately claim no fault. Want me to provide examples?

Nathan Rice
