[wp-hackers] wordpress security

Jason Benesch jason at realestatetomato.com
Mon Oct 19 19:25:46 UTC 2009


Just my 2 cents on a little different approach...

The objective is to eliminate all of the old WP installs.

There are a lot of devs who are going around and setting up individual blogs
for clients.
So now we have 1000s of individual WP blogs that are being managed by those
not savvy enough to set it up on their own, but savvy enough to hire someone
for the setup (thinking they can manage it on their own).
These are most likely the blogs where the worms seem to spread the quickest.

I know when I first started working with WP several years ago, I got up to
300 single WP installs and realized very quickly I was not going to be able
to scale a business setting up individual blogs.
Moving to WPMU was a life saver.  I can update my platform and every blog
(762) is updated quickly, painlessly and instantly.

My point being this:

It is rumored that the WPMU project and WP will be merged together in the
3.0 release.  Maybe if the community comes together to better educate devs
on how to run their own WPMU platform, we can start to eliminate the onesies
that are causing the problems...

While I understand that this isn't a replacement for security patches or
auto emails, the ability to cluster blogs onto one platform will work
towards helping to eliminate the "set up once and never used again,
soon-to-be-splogs".




On Mon, Oct 19, 2009 at 11:44 AM, Jeremy Clarke <jer at simianuprising.com> wrote:

> On Mon, Oct 19, 2009 at 9:46 AM, Otto <otto at ottodestruct.com> wrote:
> > On Fri, Oct 16, 2009 at 2:36 PM, Nathan Rice <ncrice at gmail.com> wrote:
> >> Do you really think that adding an email notification option will be
> >> completely useless to the millions of WordPress users out there?
> >
> > Yes. I do. I think it is absolutely and utterly useless, and will not
> > help anybody anywhere.
>
> I don't know why you are so emotionally set against this idea but that
> sentence is *way* too confident. How could you possibly make a sane
> prediction that it would help no one? It *could* be more annoying than
> useful, but there would definitely be many people who would get the
> email and add the upgrade to their to-do lists.
>
> > Good grief man, even when the notification was added to the admin
> > screens, people clamored and yelled for some way to disable *that*. Do
> > you really think that an admin email enabled by default will go over
> > well? I've already seen too many posts out there complaining about how
> > WP is too naggy. This is only going to make things worse, and increase
> > (not decrease) many people's opinion that WordPress is insecure.
>
> The admin screen notices are a good point of consideration, but I
> think in this case people are likely to be more forgiving. The problem
> with the admin nag is that if you've seen it, considered it, and
> decided to wait there's no way to communicate that to the nag. It's
> there, on every screen, no matter what. After you log in, as you are
> writing, as you moderate comments. It starts to grate on the nerves.
>
> The email on the other hand would only arrive once per upgrade
> notification. It should also include a link to your settings page
> where you can disable the notifications if you don't want similar
> emails in the future.
>
> If anything what you're saying points out how maybe there should be a
> built in system for silencing (temporarily or permanently) the upgrade
> nag in admin, something like "hide this for 1 week".
>
> On Mon, Oct 19, 2009 at 2:30 PM, Ozh <ozh at planetozh.com> wrote:
> > Another thing to consider might be legitimacy of such an email. I can
> > predict naive users being tricked into downloading a fake archive from
> > w0rdpresss.org because they received a forged email seemingly from
> > wordpress at their-domain
>
> That applies equally to any update related email, including those
> (that should be) sent by the core maintainers, hosting providers etc.
> Also: If the email links to your own site where it tells you to log in
> and update then it would be pretty damn safe.
>
>
>
> Jeremy Clarke | http://jeremyclarke.org
> Code and Design | http://globalvoicesonline.org
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>



-- 
Jason Benesch

Real Estate Tomato
Co-owner
www.realestatetomato.com
(619) 770-1950
jason at realestatetomato.com

ListingPress
Owner, Founder
www.listingpress.com
(619) 955-7465
jason at listingpress.com
