Feature suggestion : periodical email notification/reminder of security updates (21 posts)

  1. Sabinou
    Posted 4 years ago #


    To help WordPress improve, I'd like to make a suggestion...

    Simply, that every self-hosted wordpress takes the initiative, by itself, to send the admin a notification email when there is a new version available and some of the updates are security-related, and periodically re-send that email if no action follows.
    To prevent blogs being left behind because the admin forgets to update or never logs in as admin.

    This way we wouldn't spam the mailboxes, and we'd keep the wordpress internet ecosystem a bit healthier.

    You may also occasionally add notifications about global events requiring immediate admin action, like when the timthumb.php exploit was discovered.

    Don't you guys think this would be a crucial feature for wordpress?

    OTHERWISE, only blogs actively maintained by admins not afraid of trusting your auto-update buttons will always be up to date, and it would be bad for everyone, the webmasters, the web hosts, and the wordpress "ecosystem".

    Well, that was for my suggestion! :)

    Good day everyone,

  2. esmi
    Forum Moderator
    Posted 4 years ago #

    It's a nice idea but there's already so much flak from users about upgrade notices within the Admin area that I don't see auto emails going down very well. But what about adding something into install.php that could sign new users up to the WP Announce mailing list (with an option to say "No" obviously)?

  3. Sabinou
    Posted 4 years ago #

    Well, as for me, I'm seeing it from a different perspective, exclusively focused on security, and on the global impact it has on the internet.

    I don't see the current mailing lists as something fitting the present need.

    Webmasters are more than welcome NOT to want to be informed about Sonny replacing Gershwin, not to be interested in all the woooooh, waaaaah, hoooooo, and all the new features. Heck, it's their right to prefer old stuff as long as it works and it's maintained.

    However, if there are suddenly bots on the internet capable of taking control of blogs without the webmasters realizing it, then the webmasters MUST be informed. We're not providing them a friendly service, we're issuing them a super-important warning, and missing that information would be a grave error for them.

    A bad example, since this is not wordpress: the timthumb security hole. Sucuri, in a blog post solely based on raw google search results, calculated over 1 million domains responded "under control!"
    In case grave security weaknesses are to affect wordpress, wouldn't it be bad to deliver the information to everyone?
    If that means sending zero emails per year, super! If that means sending five emails per year, so be it!
    I don't even think this should be a choice, I think refusing such emails shouldn't even be possible.

    Counter-argument:
    Technically it's the responsibility of the webmasters to keep their websites updated when it comes to security. WordPress is already providing a hell of a good website structure, its purpose is not to do all the work for the voiceless and thankless webmasters.
    Refutation:
    Wordpress is now SO widespread that we're now in a microsoft-like situation, in which not providing super-duper-bloody-unmissable security notifications, means that wordpress is putting the internet ecosystem at risk. And it would be bad for both wordpress and the internet.

    Here's for my opinion :)

  4. esmi
    Forum Moderator
    Posted 4 years ago #

    I don't see the current mailing lists as something fitting the present need.

    Why? Upgrades are sometimes announced via that mailing list.

    Additionally, the timthumb issue is a bad example. That was a theme issue and not one that was present on WPORG themes.

  5. Sabinou
    Posted 4 years ago #

    Yep, I know the timthumb situation was a bad example, but it's the only one I found of an actual security hole, actively exploited, and requiring the immediate action of massively oblivious webmasters, haha, sorry.

    My argument against the announcements mailing lists is that it wouldn't just come to tell us about a security issue, it would also tell us about unrelated stuff, or stuff that we wouldn't necessarily consider as important.

    We'd risk skipping this email thinking "yet another update, but I don't care about these, my wordpress version works fine, thank you, and the last time I did an update it broke my plugins, so I won't update until next year at least".

    Maybe it's because I'm fed up with mailing lists and too many emails of all sorts, but if I had to choose, I'd want to be personally informed only when this is DEFINITELY important.
    And I'd want to know that if I'm personally contacted, then I can know in advance that this IS important stuff.

    For the less important updates, I can trust my wordpress dashboard; if I'm the kind of person who is interested in interface updates, that means I'm also the kind of person visiting my website admin frequently.

    Do you see what I mean?
    I fear that, using the mailing lists options, we'd "dilute" the attention of the webmasters, and more of them would miss the really important information when it's out.

  6. esmi
    Forum Moderator
    Posted 4 years ago #

    I know the timthumb situation was a bad example

    But it does raise an interesting point. wordpress.org has to define a strict line as to what security issues it might take responsibility for when it comes down to alerting users. And in a situation like that, it can only take responsibility for core security issues - not things that are added by 3rd party developers.

    My argument against the announcements mailing lists is that it wouldn't just come to tell us about a security issue, it would also tell us about unrelated stuff, or stuff that we wouldn't necessarily consider as important.

    Not if it was re-purposed (and even now, it's a very low volume list). Or - heck - let's create another mailing list if it's really needed. But site-specific nag emails - that's a whole different ball game. Just taking one specific example - myself. I run quite a few WP sites for other people, so I would not welcome a dozen copies of the same email every time there's a security issue. I already use other resources (like here, for example) to stay abreast of these.

    But let's say the emails only go out to the primary admin. When I set up sites, I usually switch the primary admin over to the site owner and they sure wouldn't know what to do with these emails. That's what they pay me for.

    Finally, there's still the issue of probable objections to such emails from site owners. I've seen quite a fuss about the whole "WordPress phone home" thing that allows the Admin area to display update notices. Imagine how many people would react if they also got personal emails?

    I agree that site security is a really important issue and we need to raise people's awareness generally but I remain unconvinced that this is the responsibility of WPORG beyond its current practice of releasing core security updates asap.

  7. Sabinou
    Posted 4 years ago #

    My bad, you're right, there would be dozens of useless emails flying, and they wouldn't reach the proper persons, possibly, I didn't think of it :(

    Then maybe your idea to add an option to subscribe to announcements, or another mailing list, during the installation, would be the best, this would be an addy that could be updated post-installation if the admin wishes it, or that would remain the same otherwise even when the admin passes control to another person like a customer...

    I thought I had a great and, even more, compulsory idea, and now it turns into a mess...
    (And even though, seeing as wordpress.org might be serving around 35 million websites, the "microsoft-type responsibility" is a real problem)

  8. esmi
    Forum Moderator
    Posted 4 years ago #

    this would be an addy that could be updated post-installation if the admin wishes it,

    I'd like to suggest that it's added at installation - with the default preset as opt-in and an option to change it available via the Dashboard and via wp-config.php. That would cast the largest net if you want to target non-technical site owners/users. Web devs would know how to turn it off at install.

  9. Peter Wooster
    Posted 4 years ago #

    I think that a mechanism to notify webmasters of security issues would be great. Barring that a security forum would be a good start. I wouldn't want notices going to my clients.

  10. esmi
    Forum Moderator
    Posted 4 years ago #

    The problem with a security forum is that it would be really difficult to moderate (as in "keep on topic"). You'd have every user who ever thought they'd been hacked posting to it (eg just dealt with someone who thought they'd been hacked - it was just FrontPage extensions switched on).

  11. Peter Wooster
    Posted 4 years ago #

    I agree it would be hard to moderate, but at present those topics are lost in the troubleshooting forum. This way you could find them all in one place.

  12. esmi
    Forum Moderator
    Posted 4 years ago #

    But these are support forums - not announcements boards. If you want to keep up-to-date with WP security issues, you could always subscribe to http://wordpress.org/news/category/security/feed/

  13. Peter Wooster
    Posted 4 years ago #

    Thanks, I'll check that out.

  14. Sabinou
    Posted 4 years ago #

    I allow myself to bump this topic with a neighbouring concern: the plugins.

    I DO know that eventually, the responsibility for one's wordpress security lies on the shoulders of the "technical contact", either the admin, or the professional hired by the admin as long as that professional remains under contract.

    We've discussed this before, my attitude might look pushy, my main argument is that there are so many WordPress blogs on the internet that WordPress has now gained a "systemic" responsibility, and has to help unaware persons even if they don't give a hell about it and would have preferred to stay with an unhealthy obsolete installation.


    OK, so, my additional concern.

    I wanted to give a friend the list of the plugins I'm using on my biggest blog, so I parsed their list in my admin, to get their wordpress.org/extend/plugins/plugin-name hyperlinks.
    Then I noticed that the links for 2 of my plugins were not working, nothing found.
    Searching a bit, I found one of the plugins (Search Light) was open to SQL injections and had been removed until the admin sees to that, while the other, Shortcoder, created the possibility of an XSS exploit, and had been removed until a fix was applied.

    I felt crushed to have been oblivious to that problem, those two plugins are active on my own blogs.

    To avoid conflict, let's make that variation: I do NOT want to push the responsibility of the plugin maintainers onto the wordpress coders, heck, no.

    But, from the "global responsibility" perspective, with the plugins in mind, I want to make these 2 suggestions:

    - replace the "nothing found LOL" page (the "lol" was only implicit), shown when we load the URL of a removed wordpress plugin, with a specific page.
    That page should at least mention "the plugin has been removed for security reasons, you may need to investigate the forums, look, click the plugin-name tag automatically-generated-hyperlink".
    Ideally, that page should mention a more precise reason for the deletion, like "potential xss exploit, plugin removed on year-month-day, click here for the automatically-generated-tag-hyperlink-to-the-forums"

    - this way, now that "plugin removed" pages exist, the wordpress administration software should automatically, not only inform us of plugin updates, but also notify us of plugin removals.
    This way, we'd know there's a new update to a working plugin,
    but also there's a security issue with another plugin we use.

    Come on, this is absurd the way things are NOW.
    A plugin we use gets an automated update notification in the admin panel because a security issue has just been fixed: normal!
    A plugin we use gets removed because of a SERIOUS reason, we don't get any notification at all: how can that be called normal?

    This is pushing more work onto WordPress, I feel sorry about it (and I also feel like a dick, once again, suggesting stuff that I can't do myself), but otherwise I believe there will remain a flaw in the WordPress ecosystem...

  15. esmi
    Forum Moderator
    Posted 4 years ago #

    Fair comment. This might be worth re-directing to plugins at wordpress.org. Or perhaps http://wordpress.org/extend/ideas/

    Not sure how much detail you would get but some indication that there is a serious issue (serious enough to cause the plugin to be pulled from the Repo either temporarily or permanently) would seem to be a reasonable request. And if this could be linked into the "phone home/update system", so much the better.

  16. Ipstenu

    Ideas is more for core ideas which ... this is and it isn't. It's NOT core because core allows you to have non-WP plugins (as well it should).

    I think Mark's lately been modifying the plugins, yanking out the bad code, and keeping them in repo, but yeah, that would be something I'd email to pluginsATwordpress.org and suggest it.

  17. Sabinou
    Posted 4 years ago #

    Thanks for the input, Esmi and Ipstenu, I submitted it to the suggested email address.

  18. Sabinou
    Posted 3 years ago #

    I submitted the idea but never got any reply, and apparently it fell to the pits. And 8 months passed in the blink of an eye.

    That's too bad, in this way the WordPress architecture is contributing to making the internet less secure, allowing deprecated plugins, with known security issues allowing malicious code execution, to stay activated on online blogs while the blog owners don't even know there's a problem with the plugins :(

  19. secconsult
    Posted 3 years ago #

    Hello Sabinou,

    I just stumbled over this thread and totally agree with you.
    I had the same idea last year and created a plugin to address that exact problem, which I believe will help a lot of people to keep the sites they are responsible for up-to-date without needing to login to each site and check for updates manually.

    We have a dedicated team looking for publicly disclosed vulnerabilities in dozens of different sources around the web, process and store this information. From within the plugin you can subscribe to a professional feed that will alert you per e-mail about vulnerabilities that affect your website. If you subscribe with the same user on multiple sites, you would only get one e-mail for each vulnerability but stating exactly which of your sites are affected by this vulnerability.

    The plugin (MVIS Security Center) is in the beta phase now, so the subscription is free for 3 months.
    We are also working on improving the e-mail notification settings to include status e-mails about plugins that have updates available in addition to informing users about vulnerabilities in WordPress, the plugins or themes. Please feel free to post features you would like to see in the support forum of the plugin itself and I will make sure that they get included.

    Of course it would also be helpful to not have the plugin page disappear but have an informative page explaining why the plugin is currently disabled. Even further, maybe exposing this through the WordPress update checks to give users information if a plugin was disabled because of security vulnerabilities, similar to if an update is available for a plugin or not.

  20. Sabinou
    Posted 3 years ago #

    Secconsult, if I may give an advice regarding your nice plugin (I have no problems with it being a commercial plugin, I love free software, I like open source software, but I am not a free software fundamentalist), you also ought to monitor the wordpress repository pages of the installed plugins inside a blog, to check if one of these pages suddenly disappears. If such a page disappears, that means there has been a serious reason to doubt the plugin's reliability...

    As for the rest, it's all about hoping to catch the attention of influential wordpress community members and re-launch the debate :-/
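
The check Sabinou asks for here (and in post 14 above), as an added example that is not part of the thread and not code from WordPress or from the MVIS plugin: walk a site's active plugin files, derive each wordpress.org slug, and see whether the plugin's repository page still exists. Everything below is assumed rather than taken from the thread: that the slug is the plugin's directory name under wp-content/plugins/ (file stem for single-file plugins); that a removed plugin's page answers 404 while a live one answers 2xx/3xx; that the caller persists the previous run's result, which is what lets "present last time, 404 now" be told apart from "never on wordpress.org" (the normal state of the third-party plugins Ipstenu mentions, which must not raise an alarm); and that timeouts, 5xx and rate-limit responses are treated as "unknown" rather than as removals. The `status_of` parameter exists so the logic can be exercised with a constructed table, as `__main__` does; dropping it makes the run live.

```python
"""Watch the wordpress.org repository pages of a site's installed plugins.

Added example, not code from the thread or from WordPress/MVIS. Assumptions:
slug == plugin directory name; 404 == no repository page; the caller stores
the previous snapshot; non-404 failures are "unknown", never "removed".
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

# Page URL pattern in the form quoted in the thread (assumption: wordpress.org
# later moved these pages under /plugins/<slug>/ and redirects the old path).
REPO_PAGE = "https://wordpress.org/extend/plugins/{slug}/"

PRESENT, MISSING, UNKNOWN = "present", "missing", "unknown"


def slug_from_plugin_file(plugin_file: str) -> str:
    """'wp-content/plugins/search-light/search-light.php' -> 'search-light'."""
    parts = plugin_file.strip("/").split("/")
    if "plugins" in parts:
        parts = parts[parts.index("plugins") + 1:]
    if len(parts) > 1:
        return parts[0]            # directory name is the slug
    name = parts[0]                # single-file plugin: use the file stem
    return name[:-4] if name.endswith(".php") else name


def http_status(url: str, timeout: float = 10.0) -> int:
    """HEAD the URL and return its HTTP status; 0 when the host is unreachable."""
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "plugin-repo-watch/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code            # 404, 5xx, 429 ... all land here
    except (urllib.error.URLError, OSError):
        return 0


def check_plugins(plugin_files: Iterable[str], previous: Dict[str, str],
                  status_of: Callable[[str], int] = http_status
                  ) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (snapshot, findings).

    snapshot maps slug -> PRESENT/MISSING/UNKNOWN and is what the caller stores
    for the next run; findings maps slug -> reason, only for plugins that need
    attention.
    """
    snapshot: Dict[str, str] = {}
    findings: Dict[str, str] = {}
    for plugin_file in plugin_files:
        slug = slug_from_plugin_file(plugin_file)
        code = status_of(REPO_PAGE.format(slug=slug))
        if 200 <= code < 400:
            state = PRESENT
        elif code == 404:
            state = MISSING
        else:
            state = UNKNOWN        # timeout, 5xx, rate limit: never a removal
        snapshot[slug] = state
        if state == MISSING and previous.get(slug) == PRESENT:
            findings[slug] = "REMOVED from wordpress.org since last check; investigate"
        elif state == MISSING:
            findings[slug] = "no wordpress.org page (third-party plugin or never hosted)"
        elif state == UNKNOWN:
            findings[slug] = "could not be checked (HTTP status %d)" % code
    return snapshot, findings


def alert_text(site: str, findings: Dict[str, str]) -> str:
    """Body of the notification e-mail; empty when nothing was removed."""
    removed = {s: r for s, r in findings.items() if r.startswith("REMOVED")}
    if not removed:
        return ""
    lines = ["Plugins on %s that have disappeared from the wordpress.org repository:" % site]
    lines += ["  - %s: %s" % (slug, reason) for slug, reason in sorted(removed.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed input: a site's active plugin files, last run's snapshot, and a
    # fake status table so this runs offline. Pass status_of=http_status to go live.
    files = ["wp-content/plugins/akismet/akismet.php",
             "wp-content/plugins/search-light/search-light.php",
             "wp-content/plugins/shortcoder/shortcoder.php",
             "hello.php"]
    last_run = {"akismet": PRESENT, "search-light": PRESENT, "shortcoder": PRESENT}
    fake = {REPO_PAGE.format(slug="akismet"): 200,
            REPO_PAGE.format(slug="search-light"): 404,
            REPO_PAGE.format(slug="shortcoder"): 503,
            REPO_PAGE.format(slug="hello"): 404}
    snap, found = check_plugins(files, last_run, status_of=lambda u: fake.get(u, 0))
    print(alert_text("example.org", found) or "nothing removed")
```

Only the present-to-missing transition produces mail, which keeps the notification rare in the way the thread wants; "unknown" and "never hosted" findings are returned for a log or dashboard but never e-mailed, so a flaky network or a hand-installed plugin cannot train the site owner to ignore the alert.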

  21. secconsult
    Posted 3 years ago #

    Good point Sabinou, I'll take a look at it and see if this can be detected reliably and how this feature can be incorporated.

    Let's cross our fingers in the meantime that this debate will be relaunched, with a better outcome :)

Topic Closed