[wp-hackers] wordpress security

Jeremy Clarke jer at simianuprising.com
Mon Oct 19 18:44:32 UTC 2009

On Mon, Oct 19, 2009 at 9:46 AM, Otto <otto at ottodestruct.com> wrote:
> On Fri, Oct 16, 2009 at 2:36 PM, Nathan Rice <ncrice at gmail.com> wrote:
>> Do you really think that adding an email notification option will be
>> completely useless to the millions of WordPress users out there?
> Yes. I do. I think it is absolutely and utterly useless, and will not
> help anybody anywhere.

I don't know why you are so emotionally set against this idea, but that
sentence is *way* too confident. How could you possibly make a sane
prediction that it would help no one? It *could* be more annoying than
useful, but there would definitely be many people who would get the
email and add the upgrade to their to-do lists.

> Good grief man, even when the notification was added to the admin
> screens, people clamored and yelled for some way to disable *that*. Do
> you really think that an admin email enabled by default will go over
> well? I've already seen too many posts out there complaining about how
> WP is too naggy. This is only going to make things worse, and increase
> (not decrease) many people's opinion that WordPress is insecure.

The admin screen notices are a good point of consideration, but I
think in this case people are likely to be more forgiving. The problem
with the admin nag is that if you've seen it, considered it, and
decided to wait there's no way to communicate that to the nag. It's
there, on every screen, no matter what. After you log in, as you are
writing, as you moderate comments. It starts to grate on the nerves.

The email on the other hand would only arrive once per upgrade
notification. It should also include a link to your settings page
where you can disable the notifications if you don't want similar
emails in the future.

If anything, what you're saying points out how maybe there should be a
built-in system for silencing (temporarily or permanently) the upgrade
nag in admin, something like "hide this for 1 week".

On Mon, Oct 19, 2009 at 2:30 PM, Ozh <ozh at planetozh.com> wrote:
> Another thing to consider might be legitimacy of such an email. I can
> predict naive users being tricked into downloading a fake archive from
> w0rdpresss.org because they received a forged email seemingly from
> wordpress at their-domain

That applies equally to any update-related email, including those
(that should be) sent by the core maintainers, hosting providers, etc.
Also: if the email links to your own site, where it tells you to log in
and update, then it would be pretty damn safe.

Jeremy Clarke | http://jeremyclarke.org
Code and Design | http://globalvoicesonline.org
