• ***Update*** This issue is resolved and iThemes has not crippled the plugin. Rather, InfiniteWP compatibility was removed due to security issues. Thank you to the developer for clarifying this.

    -Original post below-
    With the iThemes acquisition of Better WP Security the plugin is not only starting to severely degrade but iThemes is crippling the functionality of the security plugin. iThemes is now trying to make Better WP Security incompatible with other unrelated non-security plugins with which iThemes competes.

    Deleting the source code that forces their competitor’s plugin “InfiniteWP” (free multiple WordPress site management plugin) to be incompatible with Better WP-Security in an effort to try to force users to instead use iTheme’s paid “Sync” plugin does a severe disservice to the WordPress community.

    Crippling a “security plugin” to force it to not work with a competitor’s unrelated “non-security plugin” is downright shameful. If this is the attitude iThemes has with their products then how can future potential customers trust the integrity of iThemes?

    “Trust” should be the number one thing a “Security plugin” should instill within its users and crippling this plugin destroys user trust.

    The WordPress community should be severely disturbed by iTheme’s actions…

Viewing 7 replies - 1 through 7 (of 7 total)
  • To address the InfiniteWP issue directly:

    I have been working with them for a couple of weeks due to a vulnerability found in the way they deliver their data. It uses serialized data passed via a base64 encoded entity to determine if the call is from InfiniteWP. This can be spoofed as the deserialization will in fact run the code without any good safeguards to prevent an XSS vulnerability.

    This will be re-introduced the moment they can get me some updated code. I have been working with their team for a couple of weeks on it and progress was simply not fast enough for this release. It will be put back in as soon as possible (hopefully by the release of 4.0 next week).

    Both myself and iThemes take working with other developers and organizations quite seriously and will continue to do so in the future. The only fundamental change in partnerships going forward will be as we take all support in-house at iThemes to provide a much better experience to all. For everything else not a single feature will be removed in the free version (and 4.0 already adds a few new ones).
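
The reply above describes deciding whether a call comes from the management service by deserializing base64-encoded request data. As an added illustration (not code from either plugin; the function names, the `iwp_action` key and the shared secret are hypothetical), this PHP example puts that pattern next to a form that authenticates the bytes before parsing them:

```php
<?php
// Added illustration. Function names, the 'iwp_action' key and the secret
// are hypothetical and are not taken from either plugin.

// Risky pattern: the request body alone decides whether the caller is trusted.
function is_management_call_unsafe(string $body): bool
{
    // unserialize() on untrusted bytes can instantiate arbitrary classes and
    // trigger their magic methods (__wakeup, __destruct) before any check runs.
    $data = @unserialize(base64_decode($body));
    return is_array($data) && isset($data['iwp_action']);
}

// Hardened pattern: authenticate the bytes first, then parse them as plain data.
function parse_management_call(string $body, string $sig, string $secret): ?array
{
    $raw = base64_decode($body, true);       // strict mode rejects malformed input
    if ($raw === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $raw, $secret);
    if (!hash_equals($expected, $sig)) {     // constant-time comparison
        return null;
    }
    $data = json_decode($raw, true);         // JSON decoding never creates objects
    if (!is_array($data) || !isset($data['iwp_action'])) {
        return null;
    }
    return $data;
}

// Constructed sample input for the demonstration.
$secret = 'per-site-secret-constructed-for-this-example';
$raw    = json_encode(['iwp_action' => 'get_stats']);
$body   = base64_encode($raw);
$sig    = hash_hmac('sha256', $raw, $secret);

// A correctly signed call.
var_dump(parse_management_call($body, $sig, $secret));
// The same body with a signature the caller could not have computed.
var_dump(parse_management_call($body, str_repeat('0', 64), $secret));
// The unsafe check, given a body from a caller who holds no secret at all.
var_dump(is_management_call_unsafe(base64_encode(serialize(['iwp_action' => 'x']))));
```

A deployed protocol would also bind a timestamp or nonce into the signed bytes so that a captured call cannot be replayed.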

    First and foremost, I typically don’t respond to baseless insulting posts like this by anonymous people whose only two replies are to this plugin. Seems like there is an agenda here. And as such, I’d question where and more importantly who this is coming from and urge you in the future if you feel so strongly to do so not under the cloak and comfort of anonymity, but put your name and face out there like we do here.

    I’ve personally been in this community for 7-8 years now … and running iThemes for the last 6+ years … our name, our track record stand by themselves, but I’ll use this as an opportunity to say what we’ve been doing and are committed to do with this plugin for the foreseeable future — namely give it a home and the nurture and support it and the community deserves.

    I’m going to let Chris Wiegman, the developer of Better WP Security, who we hired full-time in Dec. 2013, to work almost exclusively on this project, address the specific issues you mention with InfiniteWP.

    Since we hired Chris though, he has worked non-stop on rebuilding the plugin from the ground up to make it more efficient and to have the time to focus on some issues with this free WordPress.org plugin to make it even better … on our dime.

    Prior to joining our team, Chris was laboring over this project like thousands of other plugins in the WP.org repo on nights and weekends while he worked another separate full-time gig. We hired him to be able to focus on the project as well as keep improving and extend it to other new (and, yes, paid features in addition).

    When this new version is released, we’ll have already sunk a lot of money (Chris’ time, in addition to a designer, front-end developer and more from our team) into making a totally free and very popular WordPress security BETTER for the WordPress community.

    As for InfiniteWP or any other service like it, we DO want to work with them to offer our product … why wouldn’t we want one of our products running on other platforms? That’s more potential users and customers using one of our products.

    The problem is that there is an issue with InfiniteWP that has not been addressed after back and forth conversations with them and we must, to protect our community, take it out. (Again Chris will address that technical issue in more detail.) So it is actually an issue of trust … with a plugin that is charged with protecting sites, to NOT do this would be an issue of trust.

    We’ve always sought to work with other developers to help our mutual customers — since 2008.

    I’m happy to help address any rational, non-insulting concerns or questions the WP community has … but I stand firmly in saying … a really good WP security plugin now has a great home, employing its developer full-time, to keep making it better and better FOR the WordPress community.

    I am David, founder at InfiniteWP. That is definitely not true. We have been good friends with iThemes founder Cory and BetterWP founder Chris; both are great people.

    The security issue came in with the Integration between InfiniteWP and BetterWP and they are getting fixed as we speak and we will be releasing an update in the next few days.

    InfiniteWP as such is secure and powers around 200,000 sites and has been downloaded 400,000 times. We take security seriously.

    Thanks for all your support and we love iThemes and what they do 🙂

    Thread Starter Bill Nye_The_security_guy

    (@plausiblethought)

    What we have here is a communication issue.

    Let me first start off by revealing my name since that means so much to you.
    My name is: None of your business
    Are we clear on that?

    We are talking about security. A business which I have been involved in for many years. You don’t go around publicly touting your name when you are dealing with security. You have no idea what kind of repercussions something as simple as stating your name can have when you are dealing with security. Transparency is good, but think for instance how someone in the CIA operates, you don’t reveal your name for obvious reasons. “You” are dealing with security now. Anonymity is something you deal with in the security field and is one barrier of protection. Deal with it. Point #1.

    Point #2: I don’t post things online. Ever. For anything. This account was specifically created to anonymously come out of the shadows and voice a concern of which YOU created by not addressing what you were doing by removing InfiniteWP compatibility and WHY you were doing it. That is called a “Lack of transparency”. By lacking transparency and just removing compatibility without explaining why it was removed is where you went wrong.

    First I want to apologize to Chris and iThemes.
    Chris, thank you for explaining why compatibility was removed.

    My trust in Better WP Security was broken based on:

    The newest 3.6.4 update lists:
    Removed InfiniteWP Compatibility

    I compared the source code to previous versions and saw what was deleted and modified.

    If the newest update were to list:
    “Removed InfiniteWP Compatibility due to a security vulnerability. We are working with the developer to address this issue.”
    Then there would be no need for concern and this posting would have NEVER HAPPENED.

    Simply stating that InfiniteWP Compatibility was removed when you have your competing product iThemes “Sync” without stating why it was removed “of course” will arouse suspicion.

    Read that sentence again.

    Simply stating that InfiniteWP Compatibility was removed when you have your competing product iThemes “Sync” without stating why it was removed “of course” will arouse suspicion.

    If a company were to buy a product, modify it and add in advertising and things like “Latest blog updates and posts” from your company, and then remove a competitor’s product compatibility “without explaining why” do you think users would not be slightly concerned?

    Of course people would be concerned. I voiced that concern the day the plugin was updated.

    You labeled my post as “baseless” and “insulting”
    As for “baseless” my post was “based” on, again:
    “If a company were to buy a product, modify it and add in advertising and things like “Latest blog updates and posts” from your company, and then remove a competitor’s product compatibility “without explaining why” do you think users would not be slightly concerned?”
    As for “insulting”
    I said: With the iThemes acquisition of Better WP Security the plugin is not only starting to severely degrade but iThemes is crippling the functionality of the security plugin.
    In regards to degradation and crippling, the new inclusion in the Better WP Security plugin now advertising iThemes with its blog and advertisements to use the iThemes services are seen as annoying at best. Removing the ability for a competitor’s plugin to function is both a degradation of the Better WP Security plugin and also crippling of the Better WP Security plugin. Obviously removing compatibility of InfiniteWP because of security issues is not crippling of Better WP Security but is instead enhancing of the security of Better WP Security. Obviously.
    Obviously, as well, not communicating this is the problem.
    The inclusion of advertising is annoying at best. Fact number one. Deal with it.
    Seemingly breaking a competitor’s plugin compatibility is crippling. Fact number two. Deal with it.
    (Obviously it is now clear that it was removed because of a security vulnerability)
    Nothing of which I stated was insulting. Only facts were stated and emotions were specifically kept out.

    I stated this next fact: “Trust” should be the number one thing a “Security plugin” should instill within its users and crippling this (or any) plugin destroys user trust.

    The logical conclusion for a security minded product or company degrading its users trust is for the user to feel severely disturbed. This is a logical conclusion based on a fact. It is not an emotion or something that is insulting, it is a logical conclusion.

    I stated:
    The WordPress community should be severely disturbed by iTheme’s actions…
    (Obviously it has now been made clear why compatibility was removed)

    I said nothing baseless and nothing insulting as I have just shown.

    Fact number three: Furthermore, I don’t appreciate someone telling me that what I said was baseless and insulting. Everything I said had a solid base from which to be said and what was said are those two facts which you took as insulting. “I” didn’t make up those two facts. “You” created them. The only person who should be insulted is “myself” for being told that what I said was baseless and insulting.

    I love Better WP Security. I think it is one of the best WordPress plugins that exists.

    “I” said nothing wrong. I stated facts and I stated a logical conclusion to be drawn from those facts based on the information available at that time. It is hard for people to admit when they mess up. “YOU” messed up by not communicating WHY you did something. Just work on your communication a little. You have a great product and I will support you. I am sorry we even had this dispute. I love Better WP Security which is why I have taken the time to write this. I am passionate about it and I believe in it.

    As for an agenda. My “Agenda” was to bring this issue up because you broke “MY” trust. If you broke “MY” trust you probably broke “OTHER PEOPLE’S TRUST” as well. You messed up because you removed the compatibility of a competitor’s plugin and you didn’t tell other people WHY you did so. I don’t even USE InfiniteWP!!!!!!!!!
    I felt betrayed because the security plugin I love so dear and much was bought up by some unknown company (to me) and now they are putting their branding all over it and it seemed like you were starting to change it so much that if something wasn’t said NOW then what would WE the WordPress community think? Are we supposed to hope that you will not force other plugins as well to be incompatible? We don’t know! You didn’t make it clear what your intentions were. It looked as if you were starting to look like Apple who will buy up a company and then remove that great application from the Google Play store just to force “we the people” to buy an iPhone if we want to continue using that product. Well maybe we want to have CHOICE. Maybe we don’t want to use an Apple product. The way you handled not telling your customers why you were doing what you were doing made YOU seem just like another future Apple company trying to destroy something which was once great. All of this could have been alleviated if you were to just put:
    “Removed InfiniteWP Compatibility due to security vulnerability. We are working with the developer to address this issue.”
    I don’t care at all about InfiniteWP. But you better be sure I want the ability to choose to use it in the future if I feel like it. I also want to be able to use a product that maybe you compete with and not have Better WP Security mess it up. I even had to look up InfiniteWP because I didn’t even know what compatibility was even being removed!
    The problem was communication! You didn’t communicate what was going on!
    Is that clear?
    I appreciate Chris going in detail about what was going on. But truly he didn’t even have to go into that kind of detail. All he had to say was:
    Hi, we removed InfiniteWP compatibility temporarily because of a security issue. We are communicating with the developer about it and will restore compatibility as soon as the issue is resolved.

    I extol you for hiring Chris to work on Better WP Security full time. I am even fine with you advertising your business on it. I am even fine with you having upgradable features. It is great, really. Hell, I will even support you too. I love Better WP Security. I use it on every website I run. It is the very first thing I install every time.

    My trust was broken because “we the people” were not told “why” something was happening to something we trust dearly. Our own dollars and our own bank accounts are on the line if we don’t have something like Better WP Security. I voiced my concern. I am truly sorry I have offended you.

    I will even re-rate this plugin because I believe in it. It has always deserved a 5 star rating.
    Of all the plugins I use on all the different sites I run there will always be just ONE that I will always install and that is Better WP Security.

    On a different topic, and I know you are still irritated, here are two unrelated suggestions:
    1.) If Chris Wiegman is the person who created the plugin then please give him credit in the description on the Better WP Security description in the WordPress plugin repository as the “creator” of the plugin. You say “It’s now being maintained and developed full-time by Chris Wiegman for iThemes.”. Ever since iThemes got involved I was under the impression that the original developer sold out and sold the beloved Better WP Security plugin to the next wanna be “Apple of WordPress” (as in Apple computers buying up other companies and products). I have been feeling a little uneasy since the iTheme involvement and THAT could have easily been eliminated by just crediting him as the creator of the plugin. That is not clear when you say “It’s now being maintained and developed full-time by Chris Wiegman for iThemes.”

    2.) Better WP Security did not handle the WordPress botnet last year as well as I and others had hoped. The Botnet would still hammer sites with Better WP Security installed and fully maxed out as I am sure you are aware. You should have a look at something like:
    http://codecanyon.net/item/wp-secure-hide-the-fact-and-speed-up-your-site/5362078
    If you could implement what this plugin does with Better WP Security I would pay you in a heartbeat. I have already paid that developer for his work as well. His plugin however does not work with multisite.

    Thank you for taking the time to address this issue.
    Take care
    -Security minded anonymous individual

    Thread Starter Bill Nye_The_security_guy

    (@plausiblethought)

    I have updated my original post to say:
    ***Update*** This issue is resolved and iThemes has not crippled the plugin. Rather, InfiniteWP compatibility was removed due to security issues. Thank you to the developer for clarifying this.

    I have also changed the rating to a 5 star rating.

    Thanks David @ InfiniteWP – it was good meeting you in Phoenix for Pressnomics last year and hope we can continue to work together on these things (with all our projects). Really appreciate chiming in and lending support to the issues. We are eager to get the compatibility back.

    Thanks for the update Bill aka “Security minded anonymous individual.” I agree — we could always do a better job communicating. The buck stops here on that.

    Also – I’ve never been shy about telling people they are welcome to dialog with me privately about issues and promising to try my best to respond in a timely manner and offer transparent answers before it gets to this.

    My email is pretty simple to figure out — cory + ithemes.com. For future reference. 🙂

    Sure Cory 🙂

    The issue has been fixed and an update has been released, thanks to Chris for being responsive 🙂

  • The topic ‘***Update*** This issue is resolved and iThemes has not crippled the plugin.’ is closed to new replies.