WordPress plugins, themes, tips and hacks

Is WordPress’ security vulnerable at its core?

Wednesday, February 6th, 2008

To my chagrin, my blog is telling me that it’s time to upgrade again.

A new version of WordPress is available! Please update now.

It’s an urgent security release because if you allow registration on your WordPress blog, users can edit other users’ drafts. WordPress development also mentions the vulnerability in the WP-Forum plugin that I mentioned recently. This is the first time that I’ve seen WordPress themselves mention a plugin security problem. It must be really serious.

Can we discuss WordPress’ security for a sec?

I know that WP fans say that the reason there are so many security breaches is that WordPress is so popular and widespread that more people try to hack it.

WordPress detractors say that there is no excuse: WP gets hacked too much, has too much spam, and too many security problems.

So which is it? Let’s take a look at what a pretty objective group of people have to say about WordPress security: BlogSecurity.net.

BlogSecurity.net is a great blog that reports on social networking and web blog security. A large percentage of their posts are dedicated to WordPress issues. This could be because WordPress is so popular that they’ve decided to dedicate most of their energies to covering it, or it could be because WordPress has more security issues to report about.

It seems to be the latter, and BlogSecurity.net addressed the general issue of WordPress security recently:

We have seen a lot of critical vulnerabilities being discovered in WordPress core and its plugins of late, who’s to blame?…

One of the major problems I see with WordPress is that it provides little (if any) protection against input validation attacks. So where does the problem lie?

One of the main problems lies in the way WordPress sanitises user input….

If WordPress is going to get serious about security, we need to come up with hardcore secure functions that the WordPress core and its plugin developers can use. These functions should take the security considerations out of the plugin developers’ hands and be secured from within the WordPress core!…

This is one area where I think blogging platforms like Drupal do a far better job! (my bold)

So is WordPress insecure by design? The answer seems to be yes!
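To make the quoted point concrete, here is an added example (not code from BlogSecurity, from any plugin named in this post, or from WordPress itself): a constructed plugin handler written in the unsafe pattern behind most plugin SQL injection and cross-site scripting advisories, beside the same handler with the input decisions handed to WordPress core helpers ($wpdb->prepare, absint, esc_html), which is exactly the kind of “secure function” the quote asks plugin developers to rely on. It assumes a current WordPress install (the global $wpdb and those helpers exist) and a hypothetical table named with the site prefix plus `garage_notes`.

```php
<?php
// Added example: a constructed plugin endpoint, not code from any plugin on the page.
// Assumes it runs inside WordPress, so the global $wpdb and the helper
// functions absint(), esc_html() and wp_die() are available.

// Unsafe pattern: the request parameter is pasted straight into SQL and straight
// into HTML. Nothing between the browser and the database checks it.
function garage_show_note_unsafe() {
    global $wpdb;
    $id   = $_GET['id'];                                   // untrusted, unchecked
    $sql  = "SELECT title, body FROM {$wpdb->prefix}garage_notes WHERE id = $id";
    $note = $wpdb->get_row( $sql );                        // SQL injection sink
    if ( $note ) {
        echo '<h2>' . $note->title . '</h2>';              // XSS sink: raw output
        echo '<p>' . $note->body . '</p>';
    }
}

// Hardened pattern: the same handler, with every decision about the input
// delegated to core helpers instead of being re-invented by the plugin author.
function garage_show_note_safe() {
    global $wpdb;
    // 1. Coerce to the type the query needs; absint() returns a non-negative integer.
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    if ( 0 === $id ) {
        wp_die( 'Invalid note id.' );
    }
    // 2. Let $wpdb->prepare() bind the value (%d), so it can never change the query.
    $sql  = $wpdb->prepare(
        "SELECT title, body FROM {$wpdb->prefix}garage_notes WHERE id = %d",
        $id
    );
    $note = $wpdb->get_row( $sql );
    if ( ! $note ) {
        wp_die( 'Note not found.' );
    }
    // 3. Escape on output as well, because stored data is untrusted too.
    echo '<h2>' . esc_html( $note->title ) . '</h2>';
    echo '<p>' . esc_html( $note->body ) . '</p>';
}
```

When reviewing a plugin, looking for exactly these two sinks (a query assembled by string concatenation, and a variable echoed without an escaping helper) is the quickest check for the class of bugs listed at the end of this post.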

Ramifications? I don’t know. I’m not jumping ship any time soon because no other blogging or CMS platform offers what WP does: flexibility, ease of use, extensibility, and great community support.

I’m no software developer, but I would say that it’s probably in Automattic’s interest to concentrate all their efforts on tightening up security now, and to add the new features they planned for the next release only once that’s done.

——————————

Here are some other plugin vulnerabilities that were recently discovered, in case you missed them:

WordPress WassUp Plugin “to_date” SQL Injection Vulnerability

WordPress AdServe Plugin “id” SQL Injection

WordPress WP-Footnotes Plugin “admin_panel.php” Cross-Site Scripting

dmsguestbook, st_newsletter, Wordspew, wp-footnotes vulnerabilities

wp-calc & wp adserv plugin vulnerabilities


Consumer evangelists vs. lawyers: using “WordPress” in domain names

Tuesday, January 22nd, 2008

Michael over at WPCandy brought up the question recently of whether it’s ok to use the word “WordPress” in the domain name of sites about WordPress that are not affiliated with Automattic. I came across this issue about a month ago thanks to Lorelle, who actually mentions this repeatedly in her WordPress Wednesday posts on the Blog Herald. Lorelle states that you need to get permission to use the word WordPress in your blog’s name and domain, so I immediately contacted someone over at Automattic to see what they had to say on the matter. He pointed me to this page: http://wordpress.org/about/domains/.

Of course, if I had known about this policy before I started WordPress Garage, I would never have used the current domain name. But here we are, almost a year later, and the question remains: do I need to change my domain name? And do all blogs that use the word WordPress in their names need to change that too?

I think there are two issues at hand here:

  1. Trademark dilution
  2. Consumer evangelism

Trademark Dilution, i.e. “I WordPressed so much today on my WordPress”

Based on my modest understanding of trademarks (I worked a bit in the field), the reason Automattic doesn’t want anyone using WordPress in their domain name is because they (or their lawyers) are concerned about “trademark dilution.” Trademark dilution is when a brand name becomes so tied to the product that it becomes the general name of the product, and even a verb. Some good examples of this are the use of the word “Xerox” instead of “photocopy,” “Kleenex” instead of “tissue,” and “Saran Wrap” instead of “plastic wrap.” While this may seem like great success since the brand name became so widely known that people just call the product by the brand name, it is problematic for companies because it makes it more difficult for them to protect their trademarks against infringements.

So, in the case of WordPress, their trademark would become diluted if people started to call blogs “WordPresses,” or would use the word “WordPress” as a verb, i.e. “I have to take a break from WordPressing while I go on vacation.”

I’m no intellectual property expert, but this seems unlikely to happen. Blogs will be blogs.

Consumer Evangelism, i.e. “I love WordPress so much that I’m actually going to write hordes of posts about it and create themes and plugins - all for free”

Which company is the king of consumer evangelism? I’ll give you a hint: their name rhymes with Snapple. Yes, Steve Jobs and the folks at Apple have succeeded in creating products that people LOVE. Their customers love their products so much that they talk about them, write about them, tell their friends to buy them, etc. They have armies of consumer evangelists all over the globe hugging their iPods, and coveting the iPhone (the iPhone still hasn’t come to many countries).

Now, Apple is a pretty big company, so you’d think their lawyers would be freaking out over trademark dilution issues. Well, here are a few examples of blogs and sites that are not affiliated with Apple that write about Apple products and use the word Apple or iPhone in their domain and blog name:

The Apple Blog

Apple iPhone

Apple Fun

Apple Are

Apple iPhone Blog

Apple Matters

I don’t know if Apple encourages this, but as far as I know they aren’t publicizing any policies related to the use of their trademarks in domain and blog names. Maybe they understand that this type of marketing is gold - people who aren’t on the company payroll, and are therefore “objective,” who are willing to dedicate time and money to promoting their products for them. Now THAT is a marketer’s dream!

Let’s do a quick comparison with the overweight, slightly-balding company to see how they’re managing with consumer evangelists. Here are the Microsoft fan sites that I found:

http://scoble.weblogs.com/ - doesn’t use Microsoft in the domain, but is now dead.

Microsoft’s not exactly about to go under, but I would say that Apple’s position is pretty enviable.

Back to WordPress

WordPress has consumer evangelists (me!). Dozens of bloggers are posting about WordPress every day in order to share their knowledge with the WordPress community. And thousands of readers read these blogs every day to quench their thirst for more knowledge about the WordPress platform. In my opinion, this is all part of the Open Source spirit, where people learn from the community, and then want to give back to the community in whatever way they can.

Here are some examples of blogs totally or almost totally dedicated to WordPress (I apologize if I’ve left you out - feel free to leave URLs in the comments):

WPCandy

Hack WordPress

Darren Hoyt

Weblog Tools Collection

Solostream

Lorelle on WordPress

Check out WP Themes Gallery’s list of the top 40 WordPress blogs to get an idea of how many there are out there.

Now let’s take a look at what I would say is a major WordPress competitor: Movable Type. I did a quick search, and while I found a lot of individual posts about using Movable Type, I didn’t find many blogs dedicated to the topic. I actually only found one, and while it is really good, it is written by Six Apart, the company behind Movable Type.

So who’s in better shape: the company with the dozens of bloggers who blog about them daily but use their trademark in their domain and blog names; or the company that doesn’t have anyone blogging about them and also doesn’t have anyone using their trademark anywhere?

The lawyers say company #2. The figures say company #1.

Conclusion

In my very humble and not-worth-much opinion, WordPress should be careful about taking action that may appear as an attack on their community. Their domain policy is understandable, but it may cause more harm than good. They should remember that a consumer evangelist is worth a lot more than the best marketing or ad campaign.

A good compromise could be for bloggers to add a disclaimer on their site that says that they are not affiliated with WordPress or Automattic. WordPress Training’s About page has a really good example which says the following:

WordPressTraining.com is not affiliated with or sponsored by Automattic, Inc. or the WordPress ® Open Source project.

WordPress ® is a trademark of Automattic, Inc.

And that, my friends, is all I have to say about that.


WordPress Publisher Blog launches

Friday, January 18th, 2008

The folks at Automattic have launched their WordPress Publisher Blog, which will:

“cover features that are often overlooked, we’ll highlight plugins that extend WordPress functionality, and we’ll showcase interesting sites being built with WordPress.”

So far the blog has three posts (one of which is sticky - which plugin are you using Raanan?). It’s hard to tell from three posts, but it seems like this blog aims to achieve what a lot of us WordPress bloggers are already doing.

So, are we going to become redundant, or will the WordPress Publisher Blog just join the club? It seems that this is another move by Automattic to take control of the WordPress user community, similar to their creation of the WordPress plugin directory. With the plugin directory, WordPress became the hub for the plugin community, and now they want news and reports on WordPress to come from them too. Makes sense, and I guess they could catch up pretty quickly since they are WordPress.

Anyways, it will be interesting to see how their blog pans out. If they do a good job, I think there might not be much of a point in continuing to invest time and energy in this kind of blog.

WordPress Publisher Blog


Does Movable Type’s move to open source spell trouble for WordPress? Nope.

Thursday, December 20th, 2007

Movable Type

Movable Type has announced that they are now, and forever will be, open source.

At first, when I heard this, I got nervous. Does this mean that WordPress is on its way out? Could it be that now that Movable Type has this added advantage everyone will jump ship and head on over there?

But then I realized that this is actually good news. It’s created some pretty serious competition for WordPress, which means that we, the consumers, will benefit. WordPress will have to work a little harder to keep our attention.

So I’m looking forward to some pretty amazing things from our leaders over at Automattic!


Automattic for sale? Yikes.

Wednesday, October 24th, 2007

It seems that it’s just rumors so far, but Automattic, the company behind our favorite blogging platform, may be up for sale.

This makes sense. They’ve invested money, time and energy in building up a huge user base and community, and WordPress.com is one of the most visited sites on the web. Plus they have actually figured out how to generate some kind of revenue from WordPress.com by selling advanced packages and features - something many of today’s web 2.0 and Internet startups have not managed to do, and yet even they get bought out or invested in.

So from an investment point of view, Automattic could be seen as a pretty solid company. But from a lover-of-WordPress point of view, this rumor makes me nervous. Let’s say they are bought out (and Matt and friends get to live happily ever after, which they deserve); what happens to the open source model? Will the free WordPress platform continue to be developed? Will annoying ads be added to WordPress.com blogs? How about plugins - will they be encouraged or banished into the night?

I guess we’ll have to wait and see. On the one hand, I would be happy for the Automattic guys if they get to enjoy a large exit. On the other, selfish hand, I have to ask: what about me?
