Recently in wordpress Category
I feel sorry for the Wordpress developers, but I feel even more sorry for their users.
Over the past year WP users who have been keeping track of updates etc. have had to update and upgrade their installs so many times that it's not funny.
The way I see it Wordpress users fall, broadly speaking, into two main categories:
- Casual users
- Geeks
Lots of designers like working with the Wordpress templates.
Neither the casual user or the designer is going to be signed up for security alerts from Secunia or Security Focus or any of the other security sites.
Geek users are probably more likely to play with stuff and are probably going to install lots of plugins.
Now a hardcore geek might check into the source of a plugin to see if the code is "sane", but the average blog jockey probably isn't that concerned with security.
They're not going to worry about the security holes that CMS with php code in its templates could actually cause.
Why would they?
So Wordpress has had security issues in the past.
Surely the latest version resolves all of these?
Surely a major update would bring more than just eye candy?
Seemingly not.
According to Security Focus WP 2.5 is open to SQL injections.
What does that mean in English?
It means, simply, that an evil person could inject data into your blog's database, i.e. content.
There's a longer article discussing some of the implications over here with some back and forth between the author and Mr Wordpress - Matt Mullenweg.
In typical fashion Mullenweg tries to attack the author instead of addressing user concerns.
A simple "we aren't aware of any issues" or something along those lines would have been so much more graceful, but no, that was not the case.
I'm no longer a Wordpress user, so I can't tell first hand, but is there a glaring big flashing light going off on WP installs if the software is out of date and needs to be upgraded to address security issues? Is there?
Open X has had that for ages. It practically forces you to upgrade as soon as you login to an out of date install. They also don't mind telling users about security holes, instead of adding them as an afterthought.
Now whether or not the latest security hole is a real danger or not is irrelevant. It doesn't matter. Seriously.
What does matter is that people trusted Wordpress, but are now being embarrassed when their sites are defaced or hijacked.
Transparency and honesty nearly always win out and taking a proactive stance on webapp security should be part and parcel of any developer's modus operandi. Shiny interfaces may help the bubble 2.0 crowd, but when the bubble bursts it would be nice to see things with a proper foundation.
(And WP isn't the only webapp with a dire security history - I'm looking at you Joomla and you PhpBB)
I came across this earlier this evening.
I don't use certain types of language in my own writing and have mentioned this more than once in the past, but can a company offering a blog hosting service suspend a site for language use?
Where exactly do you draw the line?
What exactly is "offensive"?
Thoughts on a postcard ....
Mark Carey is one of the more active MovableType plugin developers. Some of his plugins have to be simply categorised as "cool". There's no other word that sums them up aptly, though I'm sure you could find plenty if you tried.
His latest plugin release is a stroke of genius - Wordpress Interface for Movable Type
It does pretty much what it says "on the tin" and replaces the MovableType "classic" interface with one that not only looks and feels like Wordpress, but also emulates a lot of the behaviour (from a UI perspective).
You can give it a whirl here - username: demo pass: demo
Screenshots and more details on his original post
He may have done it almost as a joke, but it also shows how incredibly flexible Movable Type can be.
Evil thought - you could replace someone's WP install with this and they probably wouldn't even notice!
Byrne Reese is a really cool guy who seems to come up with cool stuff on a regular basis.
He's just released a small plugin for Movable Type that will bring "pingback" to Movable Type and make the transition from Wordpress that bit easier for users.
Very cool!
(It's implemented here as of 5 minutes ago, but may explode!)
I'm back in the office this morning and trying to catch up on emails etc.
If you've emailed me in the last week or so and haven't got a reply now you know why :)
Of course if your email didn't have a semantic subject line I probably won't find it ever - sorry!
I've also got a bit tired of clients being negatively affected by Wordpress' dumb caching (or simple lack of it!) which has led to this.
All I'll say is this. When this site made it onto the frontpage of Digg the server barely flinched. If I'd been using a default install of Wordpress the site would have taken out the entire server...
The latest release of Wordpress was made public earlier today. Since I've stopped using Wordpress I wasn't aware of it until I caught up with my RSS feeds a short time ago.
Whether the new release brings enhancements or new features won't really matter to anyone, as the new release brings with it a new "phone home feature":
Our new update notification lets you know when there is a new release of WordPress or when any of the plugins you use has an update available. It works by sending your blog URL, plugins, and version information to our new api.wordpress.org service which then compares it to the plugin database and tells you what the latest and greatest is you can use.
Well it seems that it sends a lot more data back to Wordpress than is actually necessary and the lead developer, Matt Mullenweg, doesn't seem to have a reasonable explanation for this.
There's a couple of posts about the issues this raises and a very long discussion of it on the a mailing list (worth reading!)
The key point being raised time and again is that people aren't given an option to opt-out of sending the data. It might also be seen as breaching EU privacy legislation according to one contributor.
UPDATE: You can disable the call home function via a 3rd party plugin. If you read the mailing list thread there's one or two options mentioned.
If you're seeing this entry in your browser or RSS reader you are looking at the new home for this site.
There are probably a few broken things, but they'll get fixed (I hope!)