I think that to help keep WP out of the honeypot list there has to be a move towards supporting legacy versions for a given period. At the moment it's very much the case that the only versions supported in any way are the current ones.

Now, think about how this looks to a client who's just invested in a large-scale, sophisticated theme. It's gone live early in 2010 on 2.8.6. Two months later, 2.9 is released and... then a hole is discovered that affects 2.8.6. It won't be fixed, simple as that. Try explaining to a client that their two-month-old site needs some major work done to work on 2.9 and that there may also need to be a spot of downtime. Oh, and this can't be scheduled - it needs to be done NOW!

We've patched 2.7 installs to clear up the vulnerabilities, but I feel that there should be some way of centrally maintaining legacy WP. Alternatively, somebody else may do this. It's occurred to me that someone could possibly make money here by offering patched, older versions of WordPress.

With most systems you don't have to have the latest version of the latest version... you can stay secure with XP, you can stay secure with Hardy Heron. When Karmic Koala or Windows 7 come out, you won't be forced to upgrade in order to not be hacked. Imagine if Microsoft techies said to XP users "HAH! You got hacked! Serves you right for not upgrading to Vista, dumbnut."
If you look at the showcased WP sites, many of them run older versions. Even large companies with high-profile sites have problems keeping up to date with releases. I'm sure they've got tight servers and custom patches, with Verio running 2.7 and the Vancouver Convention Center running 2.7.1.

The real competence in WP security is found within Automattic, running 1000 servers, and the responsibility to share this competence in a user-friendly way is shared between Matt (the lead developer and King of everything), Automattic, the leading open-source devs, and the WP.org "staff" (I'm never sure if they are considered Automattic's or not).

With the new handbooks in development, there should also be a new security handbook, and an accompanying canonical plugin, with a nag to ask for activation upon installation. The installation is not finished after the famous 5-minute install; there's also an hour in setting up security, and I believe the only way to make the masses do this is by incorporating a core-distributed canonical plugin you have to opt out of if you don't want to secure your installation.

Quote:
A commercial security plugin, with an online scanner, and access to documentation and paid services together with recommended safe hosting could be a business model. It probably wouldn't make it any safer than following openly published recommendations, but it would be a time saver and it would make you and clients feel safer, and I think people would pay for that feeling.
I can't see how supporting old versions serves any purpose whatsoever. If people aren't upgrading, then adding new versions for each point release isn't going to help anything. 99.99% of people who won't upgrade are either stupid, ignorant or have a very peculiar blog setup which can't upgrade easily.
But Ryan - what's peculiar isn't all that rare. Why not have a secure 2.7? What's the problem with that? It can be done, so it can be. Now, John suggests that it would be in bad spirit to charge for security-updated versions of older WordPress versions, but they would still be GPL. They'd have to be. My worry, however, is whether it would make for a viable business. And then there's all the bitching if you didn't offer free downloads. But that doesn't make for a viable business - I can confirm that with Spectacu.la, where we decided to go entirely free to download. In fact, the biggest motivator for people to join is the rebrandable, higher-quality user guide.
2.6.5: http://www.wordpresssecured.com/wpsecurity/

If someone is able to put together a suite of products and services that makes customers feel safe and sleep well at night, it might have some nice ROI as a business project. 10,000 customers x $1 monthly fee = serious business, or 1,000 customers x $10 monthly fee = serious business. Throw in some restoration consulting and a nice rebate with a money-back guarantee for members if they get hacked after all, and customers will feel it's a good deal even if they get unlucky, and the business brand may keep its brand equity even if x customers get hacked. A non-hacked customer is happy because he feels safe and isn't hacked. A hacked customer knows where to turn for quick help and gets a rebate if he needs to buy consulting.
I was reminded of this thread when I saw Xconomy putting the call out for a PHP, WordPress, Linux, Apache Guru. http://www.xconomy.com/national/2009...s-with-pagers/
Heh - yeah... But that's just too many skills. We know a bit about Linux and Apache, but really we stick with PHP and WordPress. We have other people who know the rest. I think sometimes people expect a little too much of developers. You find a point and you can learn everything on both sides, plus a bit from things two points away. Essentially, by the time you get to Linux you're three steps away from WordPress and can't be expected to have deep skills there. One of the things I see too much in the web business is people spreading themselves too thinly.

PS. Thanks for the Weblogtools mention and quote. Feel famous now :-)
Allow me to repeat that. ALL web sites NEED maintenance. This is not an option. If you have a client and they say "build me a website" and you don't instantly say "where's your support structure for this website?", then you are intentionally and knowingly ripping off your client.

There is no such thing as a website that will not need somebody *constantly* caring for it. A website is interactive, dynamic, changing. No piece of software is static, and internet software is even less static than desktop stuff. And a website is one of the most constantly changing pieces, because it's continuously interacting with customers, changing with new content, adjusting in response to feedback. It's public-facing, it's open to the world, and it's a continuous security target.

You cannot develop a website and then say "it's done", because no website is ever "done". This is a myth at best, and an outright lie at worst. And if you don't explain this to your client, then you are misleading them.

(Note: I'm speaking of modern websites here, not the absolute simplest of cases, a static site that merely provides information and offers nothing in the way of interactivity. Which may be fine for some clients; I know many restaurant sites that have nothing more than a few pretty pages and their menu and directions/phone number, etc. These are essentially just static sites, not "modern" ones like we're discussing here.)
LinkBacks to this thread: http://www.wptavern.com/forum/general-wordpress/835-wordpress-security-about-more-than-wordpress.html

| Posted By | Type | Date |
| --- | --- | --- |
| WordPress › Blog: How to Keep WordPress Secure | Refback | 09-13-2009 12:47 PM |
| How to Improve WordPress Security (Interconnect IT - WordPress Consultants, Web Development and Web Design) | Pingback | 09-06-2009 02:02 PM |