Two years ago, I posted this discussion:
(that was under a previous account, based on a dead email, so I couldn't recover its password once I forgot it)
In short, I was saying that the WordPress (.org; I'm not talking about .com's recent unencrypted-cookie headlines) way of dealing with security wasn't fit for a piece of software installed on MILLIONS of web servers and having a MASSIVE global impact.
My point was: WordPress will *not* notify the blog administrators when one of the blog's plugins or themes is removed from the official repository.
And yet, the only reasons for such a plugin or theme to be removed from the repository are:
- a prolonged state of neglect, which is an open door to exploitable code
- recognition that there is already exploitable code within the plugin/theme
- intolerable behaviour hard-coded inside the plugin/theme
We've made progress since I created my thread two years ago; I saw WordPress update itself for a security release just a month ago, huge props for this!
However, the plugins/themes issue remains.
Can you imagine the number of poorly maintained blogs for which the only reason the admins will run an update is if they receive a clear and strong private message (I suggest both a header on every page of the blog administration panel and an email sent to the admin account's email address) telling them an action is required "right now"?
Can you imagine the system-wide negative impact this has in terms of security, the greater number of bots it means?
Well, that was my point.
I hope my feedback doesn't piss off the concerned persons too much; I'm trying to help improve things within the very limited extent of my ability :)