Brian, seriously? You manage 12 blogs but do not login daily to at least ONE admin area? Or are subscribed to the Wordpress Dev feed or WLTC or BH or…

They have a “New version notification” mail list you can supposedly subscribe to at WordPress.org but I’ve never been able to successfully subscribe to it.

Really they should build in email notification to admins of an upgrade being available within the software itself. This would especially make it easier for people who have many installs of the software (I currently support about 12 different installs of it) to ensure they haven’t forgotten one.

There’s already a plugin that does this, but it needs to be baked into the software.

Nothing wrong with that, is there? Many systems use separate locations for front- and back-end.

A few things:

1) IIRC, WordPress, like Movable Type, already lets you move the admin console to a separate URL.

2) Your comment DOES NOT address my point. What I said is that to implement that they would have to split the administrative function into separate pieces, where most of it remains with the console and part of it becomes a separate system.

It would have to be that way because there are admin functions which are part of the published website, such as adding new users and user authentication/authorization.

3) Most users won’t separate out the URLS like that.

4) Regular users should not have to worry about their admin console security so much that they have to move the admin console to a secret location that is never referenced on the main site.

Why do developers wait for an attack to re-active instead of standing proactive against hackers. Implement the best, upgrade and fix security breaches.

Like you I refuse to store passwords, conduct transactions, reveal personal info on any site that I can’t validate and CA – or see the bright green url in the navigation bar.

Nothing wrong with that, is there? Many systems use separate locations for front- and back-end. Besides, I refuse to store my password for the upgrade feature without SSL encryption.

There is not one single reason one can think of why the admin area should be in a standard folder. Automattic, change this now and also offer those who want to an easy option to install the admin area on (shared) SSL space.

To do that, they will have to cut off every outside-facing admin function related to site functionality like commenter authentication and user registration. You’ll end up with three parts: pure admin, site-facing admin and site-building infrastructure.

All of that because the WordPress team won’t take the time to do an entire major release that is one long, comprehensive code audit of their admin interface.

Nevertheless, in these days some people are given a megaphone online and can not resist the need to be vocal, even though they were the only ones who were to blame. One of these people last weekend was Robert Scoble. His post I don’t feel safe with WordPress, Hackers broke in and took things quickly went viral Robert received support but also bashing. Gruber even went as far to say that Movable Type safer is.

That’s because Movable Type is safer than WordPress. If you don’t believe me, then check out the bottom part of this article on the MT.org website. It’s a reference to the NIST’s record of security vulnerabilities in both MT and WordPress. WordPress is through the roof compared to MT.

According to Reddit, this is the TRAC page for the fix. It’s good that they found that and fixed it, but it leaves you wondering how the hell they missed that in the first place.

Yes, we can argue about the platform being secure or not and I am the first to admit that I complained about all the 2.8 releases having managed all the Splashpress blogs and it would be lovely if WP had a dedicated security specialist on board, but even those do NOT close every problem before releases. Ask Microsoft. I have been updating platforms and making night shifts ever since *nuke and can only say that WP among the easiest platforms ranks to update.

At the end of the day I am entirely happy when security holes are fixed ASAP. Users are acknowledged in many ways of new releases, no excuses NOT to update. NO platform is entirely safe or will ever be.
Otherwise, according to the number of security advisories everyone now should run to Expression Engine as it seems to be the platform with fewest advisories over the last years (Habari’s too young to be considered).

Agreed on features, but they are part of the game when a platform is that huge. Users want fancy stuff.

2.8.0 came out in june we’re now on 2.8.4 because of security updates, thats 4 security updates in 3-4 months.

instead of focusing on security WP comes up with ajaxy dashboard widgets, and flashy rss clouds me I’d rather have less ajax and tighter security.

XSS scripting and malformed URL’s are nothing new, I can tell you that for certain because I was fixing them myself when I was lead dev 5 years ago, so this isn’t anything new.

I am not the only one who says, I’ll give up the ajax, and rss cloud stuff, take the time and secure the damn thing and stop making me update every 30 days, I don’t have time to waste doing updates every 30 days across multiple blogs.