Marketing Pilgrim's "Blogging" Channel


Pay No Attention to the WordPress Hacking Threats; Look at the Shiny rssCloud!



What would you rather have? A safe, secure WordPress platform that doesn’t require a half-dozen plugins in order to run effectively, or, faster distribution of your RSS feed?

If, like me, your vote went to option A, then you’re probably not going to be too thrilled about the latest update from the WordPress mothership. If you drooled over option B, then you’re probably a big geek and will need a change of underwear when you see what WordPress has in store for you.

WordPress founder Matt Mullenweg just flicked the switch on rssCloud–or RSS Cloud, or RSSCloud, take your pick–which means 7.5 million blogs now have the capability to push out updates in real time.

Why is this important? Right now most feed readers poll a feed for changes every now and then, usually about once an hour. Can you imagine waiting an hour to get your emails? (The world would probably be more productive.) RSS Cloud is an extra element in your RSS feed that allows subscribers to say “Hey, let me know as soon as you’ve updated, kthx.”
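To make the “extra element” concrete, here is an added example (not code from the original post, and not WordPress’s or the rssCloud plugin’s code) that parses the RSS 2.0 `<cloud>` element from a constructed sample feed and decides whether a subscriber should register with the advertised endpoint. The feed content, the `cloud.example` domain and the accepted-protocol set are assumptions; the element’s five attributes come from the RSS 2.0 specification.

```python
"""Added illustration: reading the RSS 2.0 <cloud> element a feed uses to advertise rssCloud."""
import xml.etree.ElementTree as ET

# Constructed sample feeds (not from any real site). The <cloud> child of <channel>
# and its five attributes are defined by the RSS 2.0 specification.
FEED_WITH_CLOUD = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example blog</title>
    <link>http://blog.example/</link>
    <description>constructed sample feed</description>
    <cloud domain="cloud.example" port="80" path="/RPC2"
           registerProcedure="rssCloud.pleaseNotify" protocol="xml-rpc"/>
    <item><title>First post</title><link>http://blog.example/1</link></item>
  </channel>
</rss>"""

FEED_WITHOUT_CLOUD = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example blog</title>
    <link>http://blog.example/</link>
    <description>constructed sample feed, no cloud element</description>
  </channel>
</rss>"""

# Protocols this subscriber is prepared to speak: xml-rpc and soap come from the RSS 2.0
# spec, http-post from the later rssCloud walkthrough (assumed set, adjust as needed).
ACCEPTED_PROTOCOLS = {"xml-rpc", "soap", "http-post"}
REQUIRED_ATTRS = ("domain", "port", "path", "registerProcedure", "protocol")


def parse_cloud(feed_xml):
    """Return the <cloud> attributes as a dict, or None when the feed does not advertise one."""
    root = ET.fromstring(feed_xml)
    cloud = root.find("channel/cloud")
    return None if cloud is None else dict(cloud.attrib)


def validate_cloud(cloud, trusted_domains):
    """Decide whether a subscriber should register with the advertised cloud.

    The advertisement is untrusted input from the feed: a reader that connects to
    whatever host and port it names can be steered at hosts it never meant to reach,
    so the endpoint is checked against a subscriber-side allow list before use.
    """
    if cloud is None or any(attr not in cloud for attr in REQUIRED_ATTRS):
        return False
    if cloud["domain"] not in trusted_domains:
        return False
    if not cloud["port"].isdigit() or not 1 <= int(cloud["port"]) <= 65535:
        return False
    if not cloud["path"].startswith("/"):
        return False
    return cloud["protocol"] in ACCEPTED_PROTOCOLS


def registration_target(feed_xml, trusted_domains):
    """Convenience wrapper: the (domain, port, path) to register with, or None."""
    cloud = parse_cloud(feed_xml)
    if not validate_cloud(cloud, trusted_domains):
        return None
    return (cloud["domain"], int(cloud["port"]), cloud["path"])


if __name__ == "__main__":
    print(registration_target(FEED_WITH_CLOUD, {"cloud.example"}))
```

The allow list is the subscriber’s own policy; the point of `validate_cloud` is that the domain, port and protocol in a feed are data published by a third party and get checked before a reader opens a connection on their basis.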

The only problem is that there’s only one RSS reader that currently supports rssCloud–and it ain’t Google Reader! So, while the future looks bright–and fast–the announcement is pretty superficial. Unless you consider it a sleight of hand.

Sleight of hand? That’s what my good friend @Ed suggests over at Twitter:

[Embedded tweet from @Ed]

As you can see, he’s responding to the comments from another good friend of mine–and self-appointed Twitter conscience–@GrayWolf, who’s somewhat annoyed that WordPress would roll out an update that is both a) not immediately beneficial, and b) not a high priority for many WordPress users.

[Embedded tweets from @Graywolf]

I have to agree with him. While the timing may or may not be designed to take the heat off yet more hacking threats to WordPress.org users, I’m somewhat frustrated that WordPress lacks many basic features and continues to suffer attack after attack.

So, what about you? I’m sure this post will get on Matt Mullenweg’s radar, so leave a comment and let him know what you think WordPress should make a priority.

  • http://www.theistudio.com/muse Judith

    What’s great about WP is that the developer community works to create this great product and integrate new features. But I agree with Michael Gray that some of the basics like contact forms and sitemaps should really be a no-brainer at this point without having to use plugins.

    But even if you have no plugin required contact forms and sitemaps, without stable code and security covered — it is all for naught. Whenever anything gains steam or visibility online, like WP has in the last several years, you have a target on your back. And, the hackers will work extra doubly hard to crack you simply because of that visibility. Part of the territory … territory I am sure Matt is well aware of.

    The bottom line is that no matter what type of software or application you are talking about you have to update when updates come out or you risk the consequences of not doing so — including your MSIE browser! ;-)
    .-= Judith´s last blog ..Social Media Friends: Are they really friends? =-.

  • http://theproviso.com Moriah Jovan

    @graywolf and I (@MoriahJovan) were talking about this last night. I deliberately didn’t upgrade because when I upgraded to 2.8.2, it broke my photo galleries and my shopping carts. I lost sales and about two days trying to fix them. Not only that, but these were known issues and there were no answers to them that I could see. Can’t blame the plugin guys; they do what they can and I have to assume they’re as buried in the fallout as everyone else.

    This was ridiculous, but rubbing salt in the wound were the WP fanboys going, “If you got hit, it’s your own damn fault for not upgrading when you were told to.”
    .-= Moriah Jovan´s last blog ..WordPress Attack =-.

  • http://dougal.gunters.org/ Dougal Campbell

    In case you didn’t notice, the secure version of WordPress that was NOT affected by the worm (2.8.4) was released weeks ago. And anytime there’s a newer version than the one you’re running, a nag will appear in the Dashboard, letting you know that you should upgrade. And they mentioned some time ago (long before this recent worm came about) that they are having a professional security audit done on the WP codebase.

    Also, when a plugin “breaks” due to a WordPress update, 9 times out of 10 it’s because the plugin author neglected to use the API correctly, and was doing something to muck with the WP internals in some odd fashion. This kind of breakage rarely happens on point-releases, which typically only contain bug and security fixes.

    That said, was the RSSCloud announcement a bit of feel-good hand-waving? I don’t know. It might be. But I have the notion that it might tie into something that is still coming down the pipe that we don’t know about yet. For instance, I wonder if it could be related to Automattic’s recent purchase of blo.gs from Yahoo…
    .-= Dougal Campbell´s last blog ..Most Useless iPhone 3.0 Feature =-.

  • http://workbench.cadenhead.org/ Rogers Cadenhead

    RSSCloud is an interesting approach, but I expect that WordPress will have real trouble supporting it. It has been around since 2000, and the only company that tried it shut off its cloud servers several years ago because of scaling issues. I go into this in detail on my blog:

    http://workbench.cadenhead.org/news/3555
    .-= Rogers Cadenhead´s last blog ..There’s a Reason RSSCloud Failed to Catch On =-.

  • Pingback: RssCloud: Getting blogs back into the realtime conversation — Social Mallard

  • http://ma.tt/ Matt

    We’ve met before, so I’m surprised you would malign my intentions like this.

    Security is always worked on before any features, which is why we have an excellent reputation in the security community for responding to reports quickly, responsibly, and transparently, often turning around an update within 24 hours including a full QA cycle.

    The answer to this is not bloating the core code with functionality like contact forms creating more code that needs to be audited and more vectors for attack, it’s focusing more on the core platform aspects that allow people to easily install and keep up to date with as many modules as they like. You can install a contact form plugin (or any plugin) in one-click on WP 2.7 and above. (RSS Cloud is a plugin, too.)

    Our biggest challenge now is created by our success — now that there are thousands of plugins, themes, and we’ve made WP accessible to millions of people who are not systems-savvy, how do we make it easy for them to administrate their blog in a responsible manner while still having the ease-of-use and functionality they started using WordPress for. This has not been done before, we’re blazing new territory, and there will be some bumps along the way, but it’s the primary focus of me and the WP community to solve this problem, as one-click installs of core, plugins, update notifications, plugin updates, theme installs, and core upgrades show.

    We’re also capable of working on multiple things at once — later today we’re going to announce an acquisition but that doesn’t mean that the folks working on core WP are distracted or even involved.
    .-= Matt´s last blog ..RSS Cloud =-.

  • Pingback: Call Me A Geek, I Want RSSCloud

  • http://www.marketingpilgrim.com Andy Beal

    @Matt – yes, we’ve met before and I enjoyed our conversation. I hope that there’s not anything in this post that you take personally. Hopefully, you’re open to both the positive and negative feedback of some of WordPress’s hardcore fans.

    That out of the way, there is a big problem that I’d love to hear your thoughts on. Every time I upgrade WordPress, at least one of my plugins breaks. Every time!

    Knowing this, it poses a dilemma (as Moriah explains in the comment above). Upgrade WP and I’m secure but with a busted blog. Don’t upgrade and my plugins work, but I’m open to a security breach. This cycle will forever continue because WP doesn’t want “bloating the core code.” Without official features, then we are at the mercy of plugin developers to update their plugins.

    I appreciate that you have to weigh the needs of the many over the small vocal minority, but I hope you’re still open to us having the discussion.

  • http://ma.tt/ Matt

    Let’s list those plugins that always break and work with the developers to make them forward-compatible. Let’s sponsor development for them to be up to date. This is the beauty of Open Source, there’s no problem we can’t fix as a community.
    .-= Matt´s last blog ..RSS Cloud =-.

  • http://www.wolf-howl.com graywolf

    hi @matt I’d much rather have programmers who are working on combating hacking vulnerabilities and things like malformed URLs and XSS hacks than stuff like ajaxy admin dashboards. I know how important these things are since I was combating them 6+ years ago. I know it’s not easy to get programmers and developers who want to work on security stuff as opposed to all the cool new shiny things, but the security audits are mission critical, ajax dashboard widgets aren’t.

    Like I said if it was my show to run I would have told every single programmer security was now job number one, and if they didn’t like it, stop by personnel and fill out your resignation.

    How many security updates have we had in the past 6 months … sure it’s only 15 or 20 minutes to update but if you run multiple blogs that’s exponential.

    if you don’t start taking security seriously someone is going to be drinking your milkshake in less than a year …
    .-= graywolf´s last blog ..How I Got Lost Using Google Maps and the iPhone =-.

  • http://www.marketingpilgrim.com Andy Beal

    @Matt – I guess the tough part is that those developers aren’t always interested in updating their plugin–maybe they got their backlinks/PR and don’t really care to maintain the plugin. (Note: it’s not always the same plugin that breaks)

    I have a saying that I am fond of using: it is, what it is.

    In this case, I’m unhappy with the lack of what I believe should be core functionality in WP and perceived lack of security. You’re totally confident in the WP way of doing things and will likely not change that model.

    It is, what it is, so perhaps we just accept that or move on. :-)

    I’ll still use WordPress and promote it to others–simply because it’s the best platform out there. I guess I just believe there’s an opportunity for perfection. ;-)

  • http://wpblogger.com Ben Cook

    Matt, while you guys do great on responding to threats & hacks, what I’d like to see, and I think what Graywolf is alluding to, is predicting issues before they become exploits.

    As Michael mentioned, some of these things have been around for quite a while, and it would be nice to see WordPress making advances in preventive security measures, rather than only responding to exploits and advancing in other “bells & whistles” type features.

  • http://ma.tt/ Matt

    We definitely do a lot of preventative security measures which are noted in release notes on every upgrade but most people don’t notice because it’s not sexy and even if you prevented 20 possible problems people just hear about the 1 that got through. However if you read through every major release since 2.3 there have been major proactive security measures in everything from user model, nonces, cookie encryption, password hashing, and more.
    .-= Matt´s last blog ..Automattic Aquires AtD =-.

  • http://www.wolf-howl.com graywolf

    @matt listen you released 2.8.0 in june we’re now on 2.8.4 only three months later because of security updates. So you may think you are paying attention to security but I feel confident saying that most wordpress users really would like to spend less time updating wordpress … especially because of security issues that you guys should be looking at.

    Whatever your internal security audits include they aren’t getting the job done …
    .-= graywolf´s last blog ..How I Got Lost Using Google Maps and the iPhone =-.

  • http://wpblogger.com Ben Cook

    Matt,
    I realize time is spent on security & preventative measures and that you’ll never prevent every new hack or exploit. But as evidenced by the recent 2.8.3 release, it’s obviously not enough.

    Don’t get me wrong, like probably everyone commenting on this post, I love WordPress and will continue to use it. However, a release where basically the developers say “Sorry I missed a few spots” completely defeats any argument that you’re doing enough when it comes to security.

    Also, the things that have been hitting us recently aren’t brand new to the online world. It’s not like they’ve been exploits of brand new features etc, they just hadn’t been applied to WordPress before now.

    I realize you probably feel like we’re all attacking your baby and your mother hen instincts are kicking in, but arguing with anyone that has any type of criticism isn’t going to help WordPress. If nothing else, take the info you’ve received from this and other threads, and realize that WordPress has a perception problem & figure out ways to combat that instead of being defensive.
    .-= Ben Cook´s last blog ..Hidden Administrator Attack Hitting Outdated WordPress Sites =-.

  • http://jozsoft.com Joe Hall

    I love it when people complain about things they never invested time or money into making them better!

  • http://www.marketingpilgrim.com Andy Beal

    @Joe – but we’re not all capable of doing the actual upgrades. Sometimes the most important task is identifying the problem, so someone else (with the talent) can fix it. ;-)

  • http://mashable.com Frederick Townes

    I’m trying to understand the positions of various folks that are trying to question the intentions and philosophies of the automattic team, but I just cannot concede the point. Look at all of the other software out there from open source operating systems and compare to closed source products from microsoft (for example) and look at how often an update pushed down our throats forces us to be offline (for a different reason) and hope that we have a restore point that will undo the security fix that hosed our systems.

    With applications being used and stretched in so many directions it’s the responsibility of the community to participate in and support the software that’s being provided for free and appreciate the fact that developers would rather inconvenience people and acknowledge their fallibility instead of placate users and leave everyone with compromised servers and failing businesses.

    I think open source developers deserve far more respect. The amount of free code out there that is sustaining the blogosphere at this point is unprecedented and it’s the people that do not contribute to sustaining it that seem to have the most negative things to say.
    .-= Frederick Townes´s last blog ..HOW TO: Plan a Wedding on the Web =-.

  • http://wpblogger.com Ben Cook

    Frederick – you’re missing the point. The criticism here is that WordPress developers are spending too much time working on things like RSScloud when there have been so many security issues lately.

    Whether anyone in this thread spends their time contributing to the code base of WordPress doesn’t change the facts that are being discussed.

    Do I appreciate WordPress and the developers that work on it? Absolutely. But it’s not like Automattic is a charity either. So I’m sorry, but I don’t buy the argument that something being free makes it beyond reproach or somehow wrong to criticize.
    .-= Ben Cook´s last blog ..Hidden Administrator Attack Hitting Outdated WordPress Sites =-.

  • http://mashable.com Frederick Townes

    I don’t think I’ve missed the point at all. The fact that they release security updates frequently shows me that they care about it even if it makes them look bad as I already said. They have different teams that work on different things concurrently. By the logic people are using in this post we’d still be on Windows XP because of all the security issues in Windows. So what if they have a feature announcement on the heels of discussion that should not be news. Big deal.
    .-= Frederick Townes´s last blog ..Hierarchy of Digital Distractions Topped by iPhone, Email, and Retweets [PIC] =-.

  • http://www.wolf-howl.com graywolf

    @frederick I can tell you that 5 years ago when I was in the position of being the main support for an ecommerce and gift registry software package, we had to deal with XSS and malformed URLs so this isn’t some new issue. We took the time, fixed the problem and were done with it, because security is a mission critical function. So these types of problems aren’t new, they are just new to wordpress.

    things like ajax dashboards and rssclouds should always be lower down the priority scale. if wordpress needs to call all hands on deck and pull people off of other projects to fix security issues that’s what needs to be done
    .-= graywolf´s last blog ..How I Got Lost Using Google Maps and the iPhone =-.

  • http://mashable.com Frederick Townes

    I don’t see where I’ve disagreed with your point. I also don’t see wordpress.com having these issues, while facebook and twitter do.

  • http://www.johnon.com john andrews

    Dougal (dougal@gunters.org), who posted above, has also posted his thoughts to the WordPress developer’s list. I think the evident arrogance in his post is part of the problem:

    In the aftermath of the recent WP worm, there has been the usual raft of FUD flying about. I won’t bother pointing out any particular sources — suffice to say that some of the recent posts about “WordPress Security” were reasonable, and many were not. It seems like every time there is some sort of security issue related to WordPress, regardless of the scope, it becomes a PR nightmare of sorts. Primarily, I think that it goes hand-in-hand with the popularity of WordPress: we are popular, therefore we are a high-profile target, and therefore when something goes wrong, it affects a lot of users, and therefore it gets a lot of attention. It’s the nature of celebrity.

    The nature of celebrity? Celebrities have not been entrusted with control of their fans’ livelihoods. Celebrities don’t promise anything more than entertainment. WordPress, through its claims, has earned itself popularity, but more so, trust. To scoff at the concern of users who bought the hype about how easy WordPress is, and how easy it is to use plugins, and how easy it is to download those plugins directly from WordPress’ own distribution network, shows an incredible arrogance on the part of Dougal Campbell.

    For those who don’t recognize it, “FUD” is “fear uncertainty and doubt” and FUD is generally considered fear mongering with inaccurate information, usually as part of a competing agenda. Did I mention the arrogance?

    As has been pointed out time and time again, WordPress is easier than ever to keep updated. When a new version is released, a nag appears in the Dashboard. From there, it’s just a couple of clicks to upgrade. And yet, people *still* lag behind. The reasons are varied, and _mostly_ invalid (depending on your perspective). Some of it is simply “fear of breaking something”. Some of it is just simple stubbornness (“I just upgraded, I don’t want to do it again so soon!”). Some of it might be ignorance and laziness (they see the nag, but don’t look at the WordPress News blocks in the Dashboard, or go to the main site to read about it).

    Dougal conveniently neglected to mention the other reasons people don’t just upgrade. Like because a previous time they did “just upgrade”, they were nailed with problems that were not fixed until several days later when another release came out, to fix the broken release that had broken their website. Of course they tried desperately to make that first (broken) release work, because they didn’t actually know it had errors until the new update came out. (the WordPress developer community seems to be fond of keeping the public in the dark until they are ready to announce not a fix to a broken update, but another update). Like Dougal here, they seem to have no clue about how their own constituents use their software, even though many are using it just the way they have been told to use it.

    For working people responsible for websites, that few days of hell between one “bad” update and the next “good” one could at best cause turmoil in the workplace, and at worst, completely corrupt an install.

    Or how about the FACT that WordPress has evolved over time, and many custom themes are not 100% compliant with the *latest* WordPress API standards? Ever try to get budget approval for a theme rewrite that will look almost the same, but include code changes in line with the new API features?

    There are many other very valid, legitimate reasons why people don’t want to “just upgrade because we told you to upgrade”.

    The bottom line is.. WordPress is NOT easy, it is NOT robust and reliable because of the great community of developers behind it, and it is NOT something to just trust if you are not a programmer. Unless you have a throw-away blog you can just rebuild off a new install whenever necessary, or are a PHP developer capable of wading through the code and developer list discussions… then it is probably awesome.

    Unless I am incorrect. I might be; I am just going by my own experiences using WordPress for several years, and monitoring the dev list and SVN. Your mileage may vary.
    .-= john andrews´s last blog ..Google Owns Your Internets =-.

  • http://jozsoft.com Joe Hall

    @Andy I would say around 70% of my clients come to me and say, “Here’s my problem, please identify it, and fix it.” You don’t need to understand the WordPress API, PHP, or even HTML to hire someone that does. You don’t even need to know what a blog is to hire someone to fix it! (I have had those before). Most developers are used to talking to complete idiots about their sites. But you know what makes those idiots big time winners? The fact that they took the initiative to hire someone to take care of their blog.

    So it’s really easy to complain and moan about a piece of free software that you depend on every second of every day, but it’s a lot harder to accept that you need help maintaining it.
    .-= Joe Hall´s last blog ..WhosTalkin.com Moves To Media Temple! =-.

  • http://www.indojepara.blogspot.com/ @hmad

    I can’t figure out how to manage this kind of worm. Are we really secure in this world wide??? I don’t think so
    .-= @hmad´s last blog ..Intel Core i5 750 Processor Review =-.

  • Pingback: Small Business Mavericks » Blog Archive » What’s More Important – Faster RSS Or More Security?

  • http://www.marketingpilgrim.com Andy Beal

    @Matt – just to demonstrate my point. I just went to install After the Deadline plugin and was given this message:

    “Warning: This plugin has not been tested with your current version of WordPress.”

    I’m running the latest version of WP.

    :-P

  • http://wpblogger.com Ben Cook

    Andy,
    To be fair, that’s not the same as saying that the plugin WON’T work with the newest version, it just hasn’t been fully tested with the newest version.

    A lot of plugins that haven’t been tested still work. It’s obviously not ideal, but I usually just install them and test them myself.
    .-= Ben Cook´s last blog ..Hidden Administrator Attack Hitting Outdated WordPress Sites =-.

  • http://www.marketingpilgrim.com Andy Beal

    @Ben – that is true, it will likely work, but not guaranteed. And if this plugin–now officially owned by WordPress–is not even updated, what chance do we have with other plugins?

    Still, it’s the security issues that are the bigger focus.

  • http://dougal.gunters.org/ Dougal Campbell

    @John: I’m not sure why you feel like I was being arrogant in my posting to the wp-hackers mailing list — it certainly wasn’t my intention. And I think that the word “celebrity” is perfectly applicable to WordPress as a product and how it is perceived by much of the user community. I could have just said “popularity”, and the meaning and intent would have been pretty much the same. But I think that “celebrity” has some extra connotations that apply to any product as popular as WordPress is. I think many would agree that many brands have “celebrity” on their own, separate from the actual people associated with them (Starbucks, Nike, McDonald’s, Coca Cola, etc, just to name a few super-star celebrity brands).

    But, I still don’t understand your argument. You seem to feel that the WordPress core devs are not paying attention to security. But the fact is that the bug being exploited by this worm was fixed TWO releases and over A MONTH ago. Yes, it’s unfortunate that there was a security problem in the first place. But if you’ve programmed a complex web application like WordPress (or any other fairly large web app), then you know that there are all kinds of code interactions that can be very hard to keep track of.

    Sometimes you write some code and you think you’ve covered all the bases and cleaned up all your input. But you forget that your function might be called in some other context with input that you *didn’t* control. Or you’re doing complex things with regular expressions and you just didn’t anticipate some really weird off-balance input coming in which causes it to match in a way that you didn’t intend. And dozens of developers can look over a piece of code and say, “yup, that looks right to me.” But they just didn’t foresee that *one* strange case that causes it to fail. It happens because we’re all human.

    In the last couple of releases, there have been several new escaping functions added to the system which are specifically for the purpose of making it easier for plugin and theme developers to generate safer code. This kind of proactive security development is just one example that shows that they *do* take security seriously. It’s nothing flashy, it’s all under-the-hood, system-guts, boring kind of stuff, so most people don’t notice it — just the watchful developers who need to know about those things.

    I did not “conveniently neglect” to mention any other reasons that people don’t upgrade. I only provided a *few* examples of excuses that *some* people have used that I’ve read with my own eyes. And this was to illustrate the point that for whatever reason, the WordPress community and developers should do what we can to help these people feel “safer” about upgrading than they apparently do at this time.

    And yes, there *has* been some FUD around this issue (in the sense of disinformation). The comments of a certain celebrity tech blogger come to mind. He certainly spread some fear and doubt when he publicly questioned whether he could trust WordPress. But then he admitted that he had not been diligent about upgrading his system, and did not maintain backups.

    I am not unsympathetic to your concerns about updates being incompatible with older plugins and themes as the core evolves. I have stated in the past that I wish that when a new feature release was released, that bugfix and security changes would continue on the previous version branch for at least one more normal release cycle (in other words, maintain a stable 2.8 branch after the release of 2.9, and until the release of 3.0, etc.). This would at least give a few months of overlap time for plugin and theme developers to work out any incompatibility issues in a “supported” fashion, without feeling they had to immediately “pull the trigger” for a new version of their code as soon as a new version of WP came out. And it would give running sites a safe window to manage migrations if they find that they are running a plugin that has problems running in a new version of the core.

    In any case, the point of the discussion I started was that if people are afraid to upgrade, we need to examine the *reasons* for that fear and begin fixing the processes that create that fear. Where there is FUD, educate. Where there are real problems, correct them. Where there is opportunity to improve, allocate resources to do so.
    .-= Dougal Campbell´s last blog ..Most Useless iPhone 3.0 Feature =-.

  • http://www.johnon.com john andrews

    @Dougal I don’t think we disagree on the core issues of security or the upgrade process. Reading your last comment, I agreed with most of it. However, as I noted, the “demeanor” of the dev list (including your post) is quite different. It assumes a posture that people don’t listen, people are the problem, etc. I addressed that posturing, not the content you re-affirmed above.

    I also acknowledge that a good communicator may have to assume such a posture in order to reach an audience, if that audience is so predisposed. Maybe kid gloves are needed when dealing with WP devs.. not my call… and I don’t make any assumptions of your intent.

    I did notice you made some good suggestions re: improving the process. They were not relevant for this discussion, but now they may be, since you clarified you did not intend to be disrespectful of users. I hereby acknowledge them ;-)

    For the record I’ve done some coding myself, and I understand the process pretty well. I do not agree with most of the posters complaining about WP security, where they start to slam the plugin developers for not keeping up or WP for not “certifying” plugins (or plugin developers). However, like water, piss flows downhill. Where WP and its devs openly disregard user concerns, or make claims about WP that are unsupported, WP and the devs need to be addressed. You can’t say “it’s easy, the dev community is huge and awesome and there are 2 billion themes available for free and therefore you should use it and trust it” but also say “it’s not us, it’s the plugin developers.. they should keep up and follow the rules” or my all time favorite, “don’t use plugins you don’t trust or test them yourself”.
    .-= john andrews´s last blog ..Google Owns Your Internets =-.

  • http://dougal.gunters.org/ Dougal Campbell

    @John

    Thanks for clarifying. Part of the problem is the double-edged sword of third-party code. The availability of so many great third-party plugins and themes is one of the key features that makes WordPress such a great platform, for both developers and end-users. But we can’t expect the core devs to take the blame every time some non-core code blows up (maybe every once in a while).

    I know that changes in core can happen that “break” plugins, it’s happened to me. I’ll give you my example: First of all, note that when I was a core developer myself, I created the “Post Custom Fields” (AKA “post meta”) feature. And the first WordPress plugin I wrote was HeadMeta, which takes advantage of this feature. But even though I wrote both the underlying API code and a plugin based on it, my plugin “broke” one day. Because in my plugin, I bypassed the API and directly accessed data from the $post data structure[1]. *I* didn’t see it break on *my* site, but others did (because I wasn’t triggering the serialization change that happened in core, and they were). Of course, I eventually got enough info from users of my plugin to figure out what was happening, and released an update to my plugin.

    The point is, changes *will* occur in core. It must evolve and improve and grow new features.

    But did the core devs have any responsibility to avoid changes that would break my plugin? No way. First of all, it’s not their code that broke. Second of all, it was my own fault for bypassing the API (that *I* wrote!) and not noticing sooner that changes occurred in those functions and data structures. Third of all, the changes they made were an improvement that currently benefit many developers.

    Is it hard to keep up with the changes that happen in each new version of WordPress? YES! Is the answer that plugin/theme authors should try harder to keep up? YES! And no! I mean, yes, plugin authors *should* try to keep up. But on the other hand, the core team could make it easier.

    With every new release, many new functions, classes, and other helpers are added to core. And occasionally, existing functions change or become deprecated. But (as far as I know), there’s no official quick-reference to those changes. You have to pore over tons and tons of changes in Trac, or look at the source, or keep a close eye on some of the xref tools. What would be great is if each release was accompanied by some developer notes detailing “new”, “changed”, “deprecated”, and “removed” status for functions and classes (and key global variables).

    This information should probably become available at the “beta” (or maybe even “alpha”) testing stage, updated at the RC stage, and cemented at release. And it should be documented well in the Codex, referenced on the wp-testers mailing list, and any place else that might make sense (it might even merit an announce-only mailing list of its own). I think this would go a long way towards helping the widespread WP development community stay up-to-date, and help avoid “plugin breakage” problems.

    [1] *Technically* the breakage wasn’t really because I bypassed the API, but because they changed what kinds of values the API could return. My code always assumed that it would get a plain string. A change in the API meant that it could possibly return an array. But still, I should have been validating…
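    An added illustration of the validation Dougal describes above (example code, not HeadMeta’s or WordPress core’s own): sample_post_meta() is a constructed stand-in for get_post_meta() that returns either the old plain-string shape or the newer array shape, and the hypothetical head_meta_tags() accepts both and HTML-escapes every value before it reaches the page head.

```php
<?php
// Added example, not HeadMeta's or WordPress core's code. Shows a plugin
// tolerating both return shapes of a post-meta lookup and escaping output.

// Constructed stand-in for get_post_meta(): post 1 yields the old plain
// string, post 2 the newer array of values, post 3 a hostile string.
function sample_post_meta($post_id, $key) {
    $fixture = array(
        1 => array('description' => 'Plain string value'),
        2 => array('description' => array('First value', 'Second value')),
        3 => array('description' => '"><injected>'),
    );
    return isset($fixture[$post_id][$key]) ? $fixture[$post_id][$key] : '';
}

// Normalise whatever the API handed back into a list of non-empty strings.
function meta_values_as_strings($value) {
    if (is_array($value)) {
        $values = $value;
    } elseif (is_string($value)) {
        $values = array($value);
    } else {
        return array(); // unexpected type: emit nothing rather than guess
    }
    $out = array();
    foreach ($values as $v) {
        if (is_string($v) && $v !== '') {
            $out[] = $v;
        }
    }
    return $out;
}

// Build <meta> tags; every attribute is escaped (the job WordPress's
// esc_attr() does) so a custom field cannot break out of the tag.
function head_meta_tags($post_id, $key) {
    $tags = '';
    foreach (meta_values_as_strings(sample_post_meta($post_id, $key)) as $v) {
        $tags .= '<meta name="' . htmlspecialchars($key, ENT_QUOTES, 'UTF-8')
               . '" content="' . htmlspecialchars($v, ENT_QUOTES, 'UTF-8')
               . '" />' . "\n";
    }
    return $tags;
}

foreach (array(1, 2, 3) as $id) {
    echo head_meta_tags($id, 'description');
}
```

Post 2 produces two meta tags instead of a PHP "Array to string conversion" notice, and post 3 comes out as an inert quoted attribute.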

  • http://www.agent-seo.com Jacob Stoops

    I agree. I don’t prefer the over-reliance on plugins, simply because as WordPress gets older many of the plugins that people base their entire design around stop working, which is very, very annoying. As @graywolf said, I’d much rather have programmers who are working on combating hacking vulnerabilities and things like malformed URLs and XSS hacks than stuff like ajaxy admin dashboards. I have so many malformed URLs that get indexed somehow by Google and end up as 404-error pages in the SERPs (which doesn’t help my case for SEO or getting my blog out of obscurity).

  • http://earnmoneyonlineguides.blogspot.com/ Takuno Owoda

    That is good news, especially since I’m starting my WordPress blog soon.

  • Pingback: Wordpress SEO: Wordpress Security Why it Matters to SEO

  • Pingback: Wordpress SEO: Wordpress Security Why it Matters to SEO | seo cloak

  • http://www.autoblog2.com john holpes

    Now no more tension to blog with WordPress :D

  • Pingback: Wordpress SEO: Wordpress Security Why it Matters to SEO | Internet Marketing Recommendations for Affiliates

  • http://www.freelancelens.com Pothi

    While I love WordPress, I am strongly against the updates that I am forced to make every now and then because of security reasons. Just yesterday, I upgraded the WordPress.com Stats plugin. Obviously, it did not work the way it should (no stats in the dashboard because of missing code). Today, I received another update mentioning the reason (missing code). This is just an example. Remember that we already received 4 updates (all security related) for version 2.8. Why can’t they concentrate on something so secure from the ground up?

  • Pingback: Why Simple Websites Will Always Lead to Better SEO

  • Pingback: WordPress comment-page-1 issue | Marketing Technology Blog