HOWTO: Keep WordPress Secure (8 posts)

  1. rawalex
    Member
    Posted 4 years ago #

    This isn't for the users, this is for the developers:

    Move to version 3.0.

    Stop making security patches and upgrades at the same time. Security patches should be only security patches, as end users we should be able to get off the "upgrade elevator" at any stop. 2.8.5 should be only security fixes, no new features or changes. At each version, there should be a "final" secure version.

    Stop all development at the current level on the version 2.x guts, there are some very basic programming issues that won't go away that are leading to many of the security problems. Stop messing with it, the current code has been monkeyed with too much. Just issue security fixes as needed, and call the entire 2.x.x tree as done and completed.

    Start fresh, Simplify. Rethink the architecture. Straighten up security, force API compliance, and make it all work properly and simply.

    We look forward to version 3.0.1 (because 3.0.0 will have bugs).

  2. figaro
    Member
    Posted 4 years ago #

    At each version, there should be a "final" secure version.

    There is no such thing.

    We look forward to version 3.0.1 (because 3.0.0 will have bugs).

    All versions past, present, and future will have bugs.

    Disclaimer: I'm not a developer...just a logical thinker ;-)

  3. Okay dokey.

    So what would a patch do to the version number? 2.8.4-not-5-because-this-is-a-security-patch-not-a-feature-upgrade?

    And instead of a "final" secure version how about an "Alright boys! The jig is up! This is the secure version! We think!" Like figaro said, no such thing.

    In a perfect world all software would be secure. In the meanwhile, what's going on at the moment does work.

    Now if you have a problem with the version numbering, meaning the major number should only be updated with new features, so 2.5 -> 3.0 instead of 2.6 etc. then that's a different issue.

    All versions past, present, and future will have bugs.

    Shame! Shame! Anarchist!! :)

  4. Samuel B
    moderator
    Posted 4 years ago #

    Start fresh, Simplify. Rethink the architecture. Straighten up security, force API compliance, and make it all work properly and simply.

    ummm. it does - why do you think there are security releases?
    I would never use a software that didn't come out with security releases when needed - even if every day.

  5. rawalex
    Member
    Posted 4 years ago #

    You guys miss the point.

    Every version of WordPress (2.x) has major feature upgrades. Almost every time, those "features" and the coding that went around them are the cause of major headaches.

    So let's say 2.8.x is where we are at right now. I liked 2.7.x, except for a security issue. So rather than force me up to 2.8.x (trading one set of security issues for others yet unknown), why not issue a patch also for 2.7 users so there is a 2.7.x+1 that is ONLY a security patch?

    For many people, a secure and stable version a couple of steps BELOW the current "wow-whee look at all them features" is more than good enough to do what we do. Having to eat the often unwanted upgrades just to get secure seems like a bit of an issue.

    There should be a 2.7 branch that is secured and locked, with any security issues repaired only as that version, without the 2.8 or future upgrades.

    The elevator should let you get off at each floor securely.

  6. figaro
    Member
    Posted 4 years ago #

    The elevator should let you get off at each floor securely.

    Well, here is the elevator you are talking about.

    http://wordpress.org/download/release-archive/

    That's a lot of floors. Can you imagine the difficulty of doing security patches to, say the 2.2 branch? The coding could have changed so much between now and then, that it could be nearly impossible to "secure" it without a major overhaul. You say you want 2.7, but someone else may want 2.6--you know, before all the "nasty" auto-upgrade stuff--so where do you stop?

    I understand the headaches that are sometimes involved with upgrades, but expecting developers who give this stuff away for free to keep every major branch they release up-to-date is asking a bit much--in my opinion. Of course, if you have a boat load of money you want to put toward this, I'm sure someone could accommodate ;-)

    For what it's worth--I have absolutely no affiliation with official WordPress stuff...just a user expressing an opinion.

  7. rawalex
    Member
    Posted 4 years ago #

    Figaro, the problem is that when WordPress does both a security update AND a feature update at the same time (which is common when going from, say, 2.7.x to 2.8.0), then the people on 2.7.x are left with no choice. They can run a buggy and unsupported piece of software, or they can upgrade to features they don't need.

    I don't suggest that WordPress staff go back and patch every version since the start of time. But there are milestone versions along the way, such as the revised admin, or the auto update, which are milestones which some (many) users don't seem to want to pass. There are plenty of people running unpatched WordPress installs just to avoid features they don't want.

    So if you go back to each of these major points, and patch those versions appropriately, it can help to secure much of the products out there.

    Quite simply, a security patch and a feature patch should NEVER be released together. If your existing version has a security issue, it should be patched. Then the upgrade version (next version number) released from there.

  8. They can run a buggy and unsupported piece of software, or they can upgrade to features they don't need.

    Not to be harsh, but honestly, no one is holding anyone hostage and forcing anything. It's a choice and if this were a real problem, don't you think that someone would have stepped up with a better mouse trap?

    So if you go back to each of these major points, and patch those versions appropriately, it can help to secure much of the products out there.

    Uh huh. Is it safe to say that what you desire is 2.7.x to be maintained at least for security patches? Sounds like that's the gist of what you want.

    If someone or some group would make that happen, that might be cool. But since there does not seem to be any volunteer developer interest in that here we are.

    Quite simply, a security patch and a feature patch should NEVER be released together. If your existing version has a security issue, it should be patched. Then the upgrade version (next version number) released from there.

    Why not? A patch is a patch. Security patches obviously get released sooner but if there are 4 bug fixes and they are demonstrated to be ready for prime time, why not release it at the same time? Also security issues have been found because a bug was not fixed.

Topic Closed

This topic has been closed to new replies.