[wp-hackers] wordpress security

Jeremy Clarke jer at simianuprising.com
Wed Oct 21 22:59:02 UTC 2009


For the record, I think Lynne made some really excellent points that
made me reconsider my perspective. To summarize:

1 - The real problem here is the announcements list which is made of
FAIL. Someone at Automattic needs to just subscribe that list to
Taunja's Feedburner hack so it can do its job.

2 - The welcome post is currently trash. It should do exactly what she
says and inform people about security and how installation was just
the first step towards a long safe relationship with the platform. I
already do this in my own setup by cloning a base database with the
settings I want including a hello world article based on the info I
want my users to have.

3 - Automated install scripts confound the situation and could lead to
issues where the user gets a message to update and breaks the
auto-update script.

I still think that the proposed update email system could be very
useful for people with archival/abandoned sites though. If anything,
though, the above indicates that it should be opt-in rather than
opt-out, and that ideally it would be intelligent about things like
whether anyone has logged in and seen the update message. Maybe it's
something that could be integrated into one of Jane's polls for
2.10/3.0.

If we can get 1 and 2, though, I'm willing to give up on core support.
It would be great if the plugin that does the email thing was featured
in the default post (or on the upgrade screen or wherever else we're
adding new info to emphasize the importance of being aware of updates
as they become available). Closing the 'who has heard of it' gap is
vital in this case IMHO.

-- 
Jeremy Clarke | http://jeremyclarke.org
Code and Design | http://globalvoicesonline.org

