14 Comments

  1. Matt

    Can I talk about WordPress consultants for a moment?

    At a marketing meetup in my area, there’s a rash of folks that sell WordPress website creation as a service. Folks that tell me they “slap some themes together from TF and plugins.” So, when I say rash, I mean I literally break out in one when I hear how they operate their business.

    For example, this defacing happened to a consultant I was talking to. She told me that the client refused to pay for the $18 upgrade to keep the patches coming. The result was the defacing. Of course a business owner is going to say no to a cost they don’t understand. It’s not their fault, it’s the consultant’s fault.

    If you’re consulting with a client on a monthly retainer and you are responsible for their core website technology AND you’re not working these license upgrade fees into your monthly nut — you are doing it wrong.

    If you tell me your monthly retainer can’t take the impact of premium plugin renewals that you installed and continue to use for your client — you are doing it wrong.

    If you cannot position the cost of annual software fees properly to a business owner — you’re probably positioning WordPress wrong and really doing it wrong.


  2. Peter Cralen (@PeterCralen)

    It’s good news. The more outdated and unmaintained websites get hacked, the sooner the majority of users will know that outdated or junky plugins/themes are not the way to build a website.
    These types of attacks just make our place better in the long term …

  3. Ted Clayton

    While many developers are not too keen on the possibility of WordPress someday adopting automatic updates for core, plugins, and themes by default, your average website owner would probably prefer it over would-be ISIS hackers exploiting the simplest of vulnerabilities to deface their websites.

    Although a forced update program will be able to reduce the prevalence of certain categories of vulnerabilities, old plugins and WP installs are a small part of the security picture.

    Firefox went this route, and we certainly hope its user-ship curves aren’t a harbinger of WordPress’ trajectory.

    Security is so many different things, it has to be an automatic points-deduction to hold forth that any update program will have much effect. The security of a perfectly updated cyber-world would be minimally distinguishable from today’s status.

    In view of these considerations, it seems the purpose of the update-push is not security (which it can’t promote overall), but about other goals which we think won’t be as acceptable as … helping address ISIS aggression.

    It will be interesting to see if the forensics can determine whether ISIS was involved, or whether it could have been some unrelated party.

    Personally, I’ve been an update-fan since the very days (and I recommend it to everybody). I check for updates the way we used to handle dairy cows and farm animals; feed & tend them first, then go have your own breakfast. Then I went in the military, and added their duty & morals ideas. ;)

    No, my concern isn’t that a high-handed update regime is going to deprive me of some intangible, or crash my little empire. No, my concern is that WordPress is seeking to alter its identity in ways that will make it less suitable for the roles that I value.


  4. Ryan Hellyer

    Auto-update all the things, and these problems will disappear :)


  5. Amir Helzer

    I was against automated updates for plugins too, but now I think that it’s due. I hope that when WordPress core developers start working on this, they will be open to discussion, so that we can work out together how to allow themes and plugins, both from wordpress.org and outside, to get automated security updates.

    If we are not careful, the automated update will backfire on us and people will just disable it globally. We need to be able to mark security updates separately, so that they are auto-updated always, while allowing clients to skip versions which may require them to do any kind of manual work.


    • Miroslav Glavić

      You could, you know, take 60 seconds to check your website for updates whenever you wake up in the morning or get to work. Tada.

      • rhevesi

        That is not an option for anyone that runs any sort of even small business. Checking hundreds of sites takes a lot of time.

        We have set all our sites to update all plugins automatically. I think of the few hundred sites that have been auto-updating over the past year, maybe 1 has had a minor problem.

        I FULLY support automatic updates of plugins, themes not so much. So many people don’t modify themes correctly to support updating at all. I see this on an almost daily basis.


  6. Miroslav Glavić

    I go almost every day online and check for updates. It takes me 5 minutes to check and update about 12 sites.

    I then go to clients’ websites and update.

    That is how I keep my sites secure.

    When I need feature fgh, I check the choice of plugins that can do fgh and I look for the one that has been updated most recently. I don’t download plugins that were last updated 6 months ago or longer. I prefer plugins with a last update within a month.

  7. Joachim Jensen, Intox Studio

    In a free world, hacks and cracks will always exist, just like physical break-ins and vandalism will always exist. A system can never be fully secure, but there are lots of guides one can follow to avoid being low hanging fruit.

    For a WordPress site, one thing could be, yes, keeping plugins updated. While in general I am a fan of auto-updates and the technology behind them, I also oppose it – especially at this time. Centralized systems are very popular in the “hacker communities” (or whatever they are called), and breaching one would cause major harm. What happens if the auto-update system on wordpress.org is breached? What data does wordpress.org save about websites? When wordpress.org can target very specific websites to be updated, are logs kept about when, where to and what was pushed?
    If these questions are already answered somewhere, please show me as I am all in for transparency in that area.

    The positive aspects of auto-updates and regular pings to wordpress.org do outweigh the negative, but simply stating that auto-updates being turned on for everything will keep a site secure is naive. Let’s not turn this fantastic piece of technology into a monster. Education and collaboration are much more important than forced updates.