Comments on: WordPress Security http://www.iammattthomas.com/feeder/?FeederAction=clicked&feed=Articles+%28RSS2%29&seed=http%3A%2F%2Fiammattthomas.com%2Fjournal%2Fwordpress-security&seed_title=WordPress%26%23160%3BSecurity An enigma, wrapped in a paradox, inside a jelly donut. Tue, 02 Dec 2008 14:01:49 +0000 http://wordpress.org/?v=2.7-almost-rc-9983 hourly 1 By: Matt Thomas http://www.iammattthomas.com/feeder/?FeederAction=clicked&feed=Articles+%28RSS2%29&seed=http%3A%2F%2Fiammattthomas.com%2Fjournal%2Fwordpress-security&seed_title=WordPress%26%23160%3BSecurity/comment-page-1#comment-2801 Matt Thomas Mon, 25 Jun 2007 04:36:21 +0000 http://iammattthomas.com/journal/wordpress-security#comment-2801 Fair enough -- I've changed that to <em>direct</em> personal involvement. :) Fair enough—I’ve changed that to direct personal involvement. :)

]]> By: Lloyd Budd http://www.iammattthomas.com/feeder/?FeederAction=clicked&feed=Articles+%28RSS2%29&seed=http%3A%2F%2Fiammattthomas.com%2Fjournal%2Fwordpress-security&seed_title=WordPress%26%23160%3BSecurity/comment-page-1#comment-2800 Lloyd Budd Mon, 25 Jun 2007 04:27:28 +0000 http://iammattthomas.com/journal/wordpress-security#comment-2800 "I have no personal involvement in WordPress", do you really not understand how your work benefits WordPress? ;-) “I have no personal involvement in WordPress”, do you really not understand how your work benefits WordPress? ;-)

]]> By: Matt Thomas http://www.iammattthomas.com/feeder/?FeederAction=clicked&feed=Articles+%28RSS2%29&seed=http%3A%2F%2Fiammattthomas.com%2Fjournal%2Fwordpress-security&seed_title=WordPress%26%23160%3BSecurity/comment-page-1#comment-2791 Matt Thomas Sun, 24 Jun 2007 15:24:51 +0000 http://iammattthomas.com/journal/wordpress-security#comment-2791 That's exactly what I was talking about, David. Since you (literally) are the expert, I've linked up your comment in the post -- you explained it much better than I can. That’s exactly what I was talking about, David. Since you (literally) are the expert, I’ve linked up your comment in the post—you explained it much better than I can.

]]> By: David Raynes http://www.iammattthomas.com/feeder/?FeederAction=clicked&feed=Articles+%28RSS2%29&seed=http%3A%2F%2Fiammattthomas.com%2Fjournal%2Fwordpress-security&seed_title=WordPress%26%23160%3BSecurity/comment-page-1#comment-2789 David Raynes Sun, 24 Jun 2007 14:32:19 +0000 http://iammattthomas.com/journal/wordpress-security#comment-2789 Matt, not to be overly nitpicky, but I think "exploited" may the wrong term to use there. There are some pretty serious security connotations to a word like that, and the problems MT has had in the past are pretty much entirely (at least in my experience) *resource* problems. "Exploit" implies that somebody broke into the system and did something malicious (e.g., stole passwords or the like). But the issues with MT that you are referring to are related simply to some jackass spammer attempting to leave 12,000 (or some other arbitrarily large number) comments at a time and MT, when in vanilla CGI mode, can be a hog when that happens. Matt, not to be overly nitpicky, but I think “exploited” may the wrong term to use there. There are some pretty serious security connotations to a word like that, and the problems MT has had in the past are pretty much entirely (at least in my experience) resource problems. “Exploit” implies that somebody broke into the system and did something malicious (e.g., stole passwords or the like). But the issues with MT that you are referring to are related simply to some jackass spammer attempting to leave 12,000 (or some other arbitrarily large number) comments at a time and MT, when in vanilla CGI mode, can be a hog when that happens.

]]> By: billg http://www.iammattthomas.com/feeder/?FeederAction=clicked&feed=Articles+%28RSS2%29&seed=http%3A%2F%2Fiammattthomas.com%2Fjournal%2Fwordpress-security&seed_title=WordPress%26%23160%3BSecurity/comment-page-1#comment-2781 billg Sat, 23 Jun 2007 22:41:23 +0000 http://iammattthomas.com/journal/wordpress-security#comment-2781 Well, he's got a point about comments. If you don't want them then there's very little reason to drag in all the PHP-MySQL scaffolding that's there to support dynamic content. The only thing dynamic about the vast majority of blogs is the stray comment. If you do that, then MT, essentially a static page publishing engine, is an obvious way to go. Not the only way, just an obvious one. I've come to believe that blog comments could best be handled by offloading them, in a scenario much like how Automattic uses Akismet to allow a zillion blogs to offlaod spam checking. Halsocan does that now, but not nearly as well as it could be done. Some folks are already using wordpress.com sites solely for comments on their "real" blog. The next, logical, step is to eliminate the need for the site and just host comments. Well, he’s got a point about comments. If you don’t want them then there’s very little reason to drag in all the PHP-MySQL scaffolding that’s there to support dynamic content. The only thing dynamic about the vast majority of blogs is the stray comment.

If you do that, then MT, essentially a static page publishing engine, is an obvious way to go. Not the only way, just an obvious one.

I’ve come to believe that blog comments could best be handled by offloading them, in a scenario much like how Automattic uses Akismet to allow a zillion blogs to offlaod spam checking. Halsocan does that now, but not nearly as well as it could be done. Some folks are already using wordpress.com sites solely for comments on their “real” blog. The next, logical, step is to eliminate the need for the site and just host comments.

]]>