WordPress.org

Ready to get started?Download WordPress

Forums

New Automated Installation (13 posts)

  1. quocble
    Member
    Posted 8 years ago #

    Hi,

    I got this great new automated installation and it's free. It will do the uploading and database import for you. You still have to create your database first. It will also probe your hosting account if you have the required features like MySQL & PHP. So that's nice if you don't what your hosting account has.

    http://www.onestepinstall.com/WordPress/

    Works best in Firefox. It's beta right now. Please let me know it works for you if you do try it.

    --
    Quoc Le

  2. Michael Bishop

    Posted 8 years ago #

    I don't see if this is a free or pay service. Regardless, it generally is the policy of the forums to not recommend to users to give their hosting account user name and password out, which is required for this script.

    WP is a very easy script to install, if your host doesn't offer an auto install.

    Personally, I recommend against such a service, and point to the multitude of volunteers here in the forums that will walk through in snags in the process.

  3. quocble
    Member
    Posted 8 years ago #

    WP is a very easy to install. But it still requires unziping and uploading, uploading wp-config.php , and some database configuration. That's why a lot of people here still need help.

    miklb. I do agree with you that there a sort of privacy issues. If you are very concious about that, I suggest you change your password after you do the installation.

    It is free by the way.

    --
    Quoc Le

  4. Michael Bishop

    Posted 8 years ago #

    Quoc,

    We get numerous posts weekly about sites being hacked here in the forums, so yes, we have to be conscious of privacy and security issues.

    Free is good.

    And the rest of the install, then my suggestion to someone who thinks they want to use WP, but doesn't want to manually install is to find a host that has cpanel, and fantastico, and use that.

    But that's my personal stance.

  5. spencerp
    Member
    Posted 8 years ago #

    Even though the offer sounds nice and such, I'd still have to fully agree with miklb. I'd hate to see a total "newb" use that "service" (if that's what you'd call it) and run into all kinds of various issues, problems or even possible hacking attempts..only to end up here for support.

    Then how are "we" (volunteers) as a support group, supposed to provide support to them? "We" didn't offer the "service" in the first place.. =/

    However, of course.. general WordPress related issues and what not, we'd be here for...but it still kind of falls back on that "service" that was provided for them to get it installed with, in the first place.. I dunno though... I just don't feel comfortable with it at all.. just my 2 cents..

    spencerp

    Might be a whole different "ball game" if this was offered to people, by well known and trusted users of the WordPress support forum though.. ;) [Cough] Reminds me, wonder how that one is working out now, haven't really recieved any updates on it..

  6. quocble
    Member
    Posted 8 years ago #

    Passwords are not kept in the database but only for the duration if the installation. But, it's a tradeoff for the installer to be able to install on your webhosting account. This installer is meant to work for any webhosting account not just cpanel, plesk..etc.

    The program only works within it's scope. That means it only upload & create files/db that is within its "Application Directory".

    I also own a web hosting company called [...]. Over 700 websites have been hosting with us. So, we do take security seriously. If you guys are still curious, I can give free accounts to play around with :)

    --
    Quoc Le

  7. Samuel Wood (Otto)
    Tech Ninja
    Posted 8 years ago #

    It's certainly interesting, but there are clearly security and privacy concerns that should be addressed.

    For example, how would a user verify that the files installed by this service contain no added backdoors? WordPress is open source and easily modified, so it would be trivial to add a hidden backdoor and thus be able to gain access to the account later, regardless of a user changing their account's password. The user could verify that each file was identical to the normal installation from WordPress.org, but if he's going to do that, he might as well just ftp the thing over and set it up himself.

    Hey, this isn't a new idea. I've used automated installers for years. I remember installing an IRC client and scripts and such onto a shell account I had once (back in the day) by simply doing a "telnet some.install.server | sh". It was clever, I'll give it that. But it was just as potentially harmful as this sort of thing is, as the user basically has to turn control over his account to an untrusted third party.

    Until the issue of security is addressed, I really can't see why I'd recommend this sort of service to anybody.

  8. quocble
    Member
    Posted 8 years ago #

    Even good , popular open source software have backdoors. A few months ago, PHPBB2(latest at the time) had a bug where a user can upload a script into tmp and the user is able to remotely execute. It caused me a lot of pain & headaches. It caused server widespread downtime for hundreds of web hosting customers. And the phpbb2 community quickly pointed that out and that was soon fixed in a later release.

    I'm trying to build a community where people can come an install whatever they want without download, unzipping, untar, config, chmod.. upload..etc. Think of hotscripts but install button next to each. It takes a community to point out what can be improved, and a community to validate installations that are safe. Like you said, somebody has to install first and compare against the original codes. That version of WordPress is 2.0.2. All files are the same except the wp-config.inc

    --
    QL

  9. Mark (podz)
    Support Maven
    Posted 8 years ago #

    quocble - send me the keys to your house and car. I'd like to clean them up for you. It'll help build friendships and increase the planet's karma.

    No?

    Oh.....

    Can't see why not....

  10. Samuel Wood (Otto)
    Tech Ninja
    Posted 8 years ago #

    "It takes a community to point out what can be improved, and a community to validate installations that are safe."

    That's just my point. I can create an account and validate that it's safe, right now. But I don't control the installation service, and can't validate that it's safe later. And then, hey, who am I, anyway? Why should anybody trust me?

    There needs to be a method whereby each and every user who uses the service can validate that it installed the correct, unmodified, files. For example, lots of open source software publishes the MD5's for their archive files, so that end users can verify that the files they got are unaltered. That sort of thing.

    And yes, inadvertent holes and bugs that result in backdoors are inevitable. But you're asking people to obtain their software from you, and not giving them any reason or ability to trust you. They can reasonably trust that the makers of the software are not trying to put backdoors in it. But who are you? Why should users trust you?

  11. quocble
    Member
    Posted 8 years ago #

    For local security:
    * passwords are not kept in files/db
    * It is hosted on a dedicated machine.
    No other users can login in.
    * Reposititory Files are kept in secured database,
    not flat files that could easy be changed without
    a way to track them.

    Remote security:
    * downloadable package identical to the one that is used to install including md5 checksum. (Otto42)

    To answer your trust question:
    When I did this, I had those thoughts in mind. There is going to be a GROUP/BOARD who will validate any installations that becomes available on the website.

    I see this as no difference with repository sites for yum and apt-get. There are many of them around by the way.

    You trust your webhost right? You trust them not to go through your personal stuff on your site and your emails. I am a webhost too. My company runs more than 700 sites.

    I could of just added WordPress to the installers available my control panel but I wanted to do something that will benefit for everyone no matter who they're hosted with. This new installer is standarized, you can make own project through a web interface - and customize it the way you want it. So we can build a much bigger list of software you can easily install from, not just 5-10 ussually available from webhosts.

    Otto42, would that be acceptable? Or what else do you suggest.?

  12. Samuel Wood (Otto)
    Tech Ninja
    Posted 8 years ago #

    Hey, I'm just pointing out possible pitfalls, is all. It's not a matter of what's acceptable or not, really. I'm just saying that the issue of trust is the major issue that I think you need to address. It's a cool idea, I grant you. :)

    You trust your webhost right?

    Hell no! I run my own servers. ;)

  13. Michael Bishop

    Posted 8 years ago #

    Quoc,

    You can tell me all day long that passwords are not saved, you host 700 some odd sites, and that the files are clean and not comprimised.

    What do you have to support your claim. Your word on an internet message board?

    I've already pointed out the primary concern. Daily we receive pleas for help from WP users who've been hacked. Their host yells "we don't support 3rd party scripts", so we, as a community of volunteers, rally and try to get their site back up, no matter what the root cause is.

    Add to that then they tell us they installed using your service. Now what does their host say? How do we then not know that your service didn't create a back door, even inadvertently. It then becomes one more hurdle in getting the site back up.
    So despite your attempts at sounding sincere, I don't think you are going to convince anyone here who volunteers their time in putting out fires on other people's web sites, that your service is a good choice in installing WP.
    Personally, I discourage using any automated installation, because invariably, at somepoint along the way,the user is going to want to install a theme, a plugin, make alterations, and if they aren't familiar with FTP, or editing files, then that's one more thing they have to learn before getting what they want.
    If they take the little bit of time at set up to learn those skills, then they are that much closer to being independent in modifying their site.

Topic Closed

This topic has been closed to new replies.

About this Topic