Mike
I’m pro-disclosure, but I’m very unhappy with how this was handled. For two reasons:
(1) Only about 5 days passed between release and disclosure? This is a massive vulnerability that takes less than a minute to exploit once you know what you’re doing. They knew once they disclosed they’d be inviting hackers into hundreds of thousands of sites. Surely they could’ve better emphasized the security concerns before disclosing, or waited more than a week.
(2) The announcement of the disclosure was made via an update to the bottom of the original 4.7.2 announcement post. Are you kidding? I didn’t see it. How would I? Why would I check the announcement post again? I guess I should’ve known enough to have been subscribed to the Make WordPress Core blog? (Unsubscribed from that a long time ago because of all the “Dev Chat Summary” cruft showing up in my email.) I would bet a vast swath of WPers get this type of information via the feed in their WP dashboards — that’s one of the most reliable ways to disseminate information to standalone WP sites — so by not posting about the disclosure specifically, we didn’t find out about it until days afterward (and for many, after it was too late and a hack had taken place). Really disappointed.