[wp-hackers] wordpress security

Otto otto at ottodestruct.com
Mon Oct 19 20:05:10 UTC 2009


On Mon, Oct 19, 2009 at 1:44 PM, Jeremy Clarke <jer at simianuprising.com> wrote:
>> Yes. I do. I think it is absolutely and utterly useless, and will not
>> help anybody anywhere.
>
> I don't know why you are so emotionally set against this idea but that
> sentence is *way* too confident.

Not sure where those letters showed emotion there, but yeah, I'm
pretty confident. :)

> How could you possibly make a sane
> prediction that it would help no one? It *could* be more annoying than
> useful, but there would definitely be many people who would get the
> email and add the upgrade to their to-do lists.

I think you're making some fundamental assumptions here that could be
fruitfully addressed.

1. You assume I'm "sane". Not necessarily a good bet.

2. You're assuming that there exists some subset of people who a) do
not do upgrades regularly now and b) would be motivated to do so by
receiving an email to that effect. I submit that this assumption is
seemingly based on nothing whatsoever, as I am unable to find any
support for this notion in any support forums, blog posting, comments
on blog postings, or indeed in any other part of reality as I can
currently perceive it. This subset of people appears, to me, to be
some idealized notion, a blog owner who is truly helpless and unable
to do something as simple as actually look at his own website from
time to time, despite somehow continuing to write posts on it and
possibly even interact with people through it. Not only that, but if
this mythical blogger was, say, hacked, then he'd be upset for being
so, despite having not looked at the back end of the site in the last
couple of months...

> The admin screen notices are a good point of consideration, but I
> think in this case people are likely to be more forgiving. The problem
> with the admin nag is that if you've seen it, considered it, and
> decided to wait there's no way to communicate that to the nag. It's
> there, on every screen, no matter what. After you log in, as you are
> writing, as you moderate comments. It starts to grate on the nerves.
>
> The email on the other hand would only arrive once per upgrade
> notification. It should also include a link to your settings page
> where you can disable the notifications if you don't want similar
> emails in the future.

And yet an email notification is much more direct and intrusive than a
small yellow box which is easily ignored (or better yet, heeded). I
would find such an email notification much more annoying.

> If anything what you're saying points out how maybe there should be a
> built in system for silencing (temporarily or permanently) the upgrade
> nag in admin, something like "hide this for 1 week".

No, I must disagree with this as well. The yellow box is necessary to
get people to actually do something about it, like upgrade. When
people who got hacked recently complained, I was quite able to ask
them "why didn't you do anything about that yellow box which has been
there for 2 months" and thus the conversation, such as it was, was
resolved. An email that could be deleted or a box that could be turned
off would get an "I forgot" or "it went in my spam folder" response,
providing yet another out.

The current system strikes me as ideal. No changes are necessary for
it to continue to be ideal, IMO.

-Otto
