[wp-hackers] wordpress security

Lynne Pope lynne.pope at gmail.com
Mon Oct 19 22:34:49 UTC 2009

2009/10/20 mccormicky <mccormicky at gmail.com>

> I also think that not doing something because 25 people will complain about
> it but 200,000 will be helped is not reasonable.

One of the problems faced by all FOSS projects is that developers are rarely
able to identify what constitutes an "average user". Another problem is the
assumption that if users don't like a feature, they will complain and we
will all know.

WordPress is downloaded millions of times. If even half of those downloads
result in a live site, then the discrepancy in numbers between installs and
people visiting the forums or mailing lists is huge. Many people who have
complaints over things they don't like don't bother saying anything, they
just change to another open source app. Kudos or complaints are not a good
way to judge if a feature is wanted/liked/not causing issues.

When considering the subsets of users, two important groups were overlooked:

1) Users who do an auto install via a server script such as Fantastico.
These people tend to rely on their auto-installer to help keep them
up-to-date. Some of these scripts send out an email notification, some
don't. Since the auto-installers usually have to be licensed by the hosting
provider these are not always up-to-date and I know of at least one host
that is still providing WordPress 2.5.1 as a one-click install.
Apps are often modified by the auto-installers. The user thinks they are
getting WordPress but what they are really getting is a modified
distribution of WordPress with no guarantee that update nags are even

2) Hosts/ISP's.
Hosts can be a projects best friend or worst enemy. They don't get to see
update notices and an email notification from inside a WordPress install is
not going to help them. If they perceive WordPress to be insecure they
either ban it from their servers or warn their customers not to use it. Or
refuse to help if a site is hacked.
On the other hand, a host that keeps informed about new releases will
usually send out notices or announce the update on their forums. These may
be the only forums a user visits.

In my earlier email I suggested adding an opt-in link to the WordPress
announcements list. When I was thinking more about this I realised that
having any information on the readme or install screens doesn't help the
users in 1). Many of the auto-install scripts remove the install screens.

I have read everyone's arguments for an opt-in email in the core, but am
still firmly convinced that its not the way to go. Most people have enough
clues to check which version they are using (if they don't already know) so
a simple notification that a new release is available and whether that
release is a security release or not should suffice.

The WP-Announce list exists. Everyone can use it, including hosts, to get
email announcements (assuming the list will ever be used). So, what I
propose is this:
Get a commitment from the core team that they will issue announcements on
that list. And that they will state which upgrades are necessary for
Change the sample data - instead of, "this is a post", provide some
meaningful information. With a link to subscribe to WP-Announce.
Make an entry announcing that WP-Announce is being used, so this will show
in the dashboard feeds. Bloggers will quickly pick up on this and news of it
will spread.


More information about the wp-hackers mailing list