[wp-hackers] Wordpress 3.0, can we finally get a LTS version?

Jeremy Clarke jer at simianuprising.com
Fri Jun 18 14:01:18 UTC 2010

+1 for backporting security patches by one version. This will let enterprise
sites have ~6 months between mandatory upgrades instead of 3, which would
make a big difference, while also keeping it reasonable for the devs.

For the record there are so many good reasons why the 2.0 LTS experiment
failed that it's IMHO not even worth considering it when contemplating future

   - It was driven by the demands of Debian and not the
   community/developers. This alone probably doomed it.
   - 2.0 was probably the buggiest release of WP ever. It added a ton of new
   features that kind of worked but felt really strange. It had a full UI
   reworking without the user testing that went into subsequent UI overhauls.
   It was also the first use of the visual editor, and it was a nightmare that
   needed to be disabled immediately.
   - The plugin API was very immature at that point compared to everything
   since 2.5 or so.
   - Few enterprises (LTS customers) were using WP because compared to today
   it really was 'just a blog'. There were few CMS-y plugins and no big players
   (NYT) had committed to it yet.
   important one. The large-scale WP exploits didn't start until around version
   2.2/2.3. That was when we all started freaking out about upgrades and
   demanding that all users upgrade on release day or be damned. By the time
   security became a big issue everyone had already moved on past 2.0,
   especially plugin and theme developers. Once we knew that versions and
   upgrading were issues we should pay attention to it was already too late for
   the 2.0 branch. The only "LTS" option was to build new sites using an almost
   completely dead branch of the software which also happened to be buggy and

I was probably one of the few people who kept running 2.0.x for years on my
own personal site. I ended up getting hacked despite staying on top of the
releases, though I was mostly expecting it by the time it happened, since
there had been no new releases for so long.

Here's to a secure 3.0 (and 3.1 and 3.2)!

As far as I'm concerned 3.0 is the release that comes after the longest safe
period in the history of WP. I can't even remember when the last real
exploit wave happened that wasn't more than a release behind the current
one. I'm pretty sure 2.8.4 is still secure, a testament to all the work
that's been put into WP since 2.0 and those tragic dark ages of 2.3.x :D

Jeremy Clarke
Code and Design | globalvoicesonline.org
