[wp-hackers] wordpress security

Jeremy Clarke jer at simianuprising.com
Mon Oct 19 20:24:38 UTC 2009


On Mon, Oct 19, 2009 at 4:05 PM, Otto <otto at ottodestruct.com> wrote:
> 2. You're assuming that there exists some subset of people who a) do
> not do upgrades regularly now and b) would be motivated to do so by
> receiving an email to that effect. I submit that this assumption is
> seemingly based on nothing whatsoever, as I am unable to find any
> support for this notion in any support forums, blog posting, comments
> on blog postings, or indeed in any other part of reality as I can
> currently perceive it. This subset of people appears, to me, to be
> some idealized notion, a blog owner who is truly helpless and unable
> to do something as simple as actually look at his own website from
> time to time, despite somehow continuing to write posts on it and
> possibly even interact with people through it. Not only that, but if
> this mythical blogger was, say, hacked, then he'd be upset for being
> so, despite having not looked at the back end of the site in the last
> couple of months...

I'll point out that I, as well as a number of other people in this
thread, have specifically stated that we ourselves would profit from
this, so it's not an idealized notion, it's a group of people who you
just claimed don't exist while in conversation with them.

It's also pretty unrealistic to expect all blog admins to visit the
sites they manage on a regular basis. Not only are they likely to set
up sites for friends (who may or may not use them regularly) but in my
experience there are a lot of times when you're managing sites that
are basically retired, but that you don't want to take down because
you don't like dead links on the internet. In both of these cases
(which I think account for a lot of the people on this list who said
it would be useful to them) the email feature would be both a handy
reminder on top of your other organizational tactics and potentially
the only thing that would ever remind you that the site exists and
needs attention (whether it turns out that attention is to be upgraded
or deleted due to being dead/never-used).


> No, I must disagree with this as well. The yellow box is necessary to
> get people to actually do something about it, like upgrade. When
> people who got hacked recently complained, I was quite able to ask
> them "why didn't you do anything about that yellow box which has been
> there for 2 months" and thus the conversation, such as it was, was
> resolved. An email that could be deleted or a box that could be turned
> off would get an "I forgot" or "it went in my spam folder" response,
> providing yet another out.

Okay so you

a) dealt with people on the forums who noticed their blogs were hacked

and

b) noticed that they were all people who had seen the message.

Concluding that all the people whose blogs were hacked had seen the
message from this is wrong. Many sites were and are silently hacked
without the admin ever knowing about it. I don't know the full details
but if the recent wave of attacks was really a 'worm' then these
abandoned blogs are a huge part of the problem. Making them noisier
could only help the situation.

-- 
Jeremy Clarke | http://jeremyclarke.org
Code and Design | http://globalvoicesonline.org

