Categories
WordPress

Scriblio for Libraries

Scriblio MATC Project Final Report. Scriblio is a system for helping libraries and is built on top of WordPress. The article describes some of the troubles with the close association with WordPress:

Shortly after the Mellon Foundation announced the award to the Scriblio project, the WordPress core developers reversed their longstanding position on tags and announced that the next release would include tag support. This is significant because metadata such as author or subject is functionally equivalent to tags in Scriblio, and much of the Scriblio code was devoted to managing those tags.

It also describes some of the benefits:

[T]he relationship between the open source WordPress community and commercial participants, including Automattic, the commercial entity that operates WordPress.com, has proven itself to deliver real benefits to all. […]

And the Scriblio project has enjoyed opportunities to contribute to the WordPress community as well. […] One recent example is Ticket #5649, where a change proposed by Scriblio was committed to the baseline code within an hour of its submission.

Overall, a good read on building a project on top of WordPress, helping an under-served community, and giving back by strengthening the underlying platform.

Categories
WordPress

On WP Security

Wincent Colaiuta has no problem throwing flames at WordPress, but doesn’t see fit to enable comments. (Apparently disabled to make Movable Type more secure.) His table-layout blog isn’t too notable but it got linked from Daring Fireball so a lot of people saw his article trying to draw the line between a routine point release and encouraging people to never use WordPress on the public internet. Here are a few points for thought in response:

  • The SQL problem in 2.2 requires both registration to be enabled (off by default) and the blog to be upgraded to 2.2. It is a serious problem but I’ve heard of fewer than 5 exploits from the flaw. Even if you assume there are 100 blogs for every one we heard about, that’s still an incredibly small percentage of the millions of WordPresses out there, especially considering, as Wincent points out, the problem has been in the public for a while now.
  • Getting people to upgrade web software is hard. We work as best we can with hosting companies, but a consideration is that it’s best to roll several security fixes into one release. It’s not responsible to do a release if we know of another problem, so sometimes there is a lag between an initial report and a final release, not to mention the testing required of a product used as much as WP.
  • Wincent digs up the server crack that modified the files of 2.1.1 for a few days. Ignoring the fact that it was a server issue and had nothing to do with WordPress the software, we actually had NO reported exploits of the problem. (Though I’m sure there are at least a handful out there with problems, it wasn’t enough to hit our radar.) Despite that we took a hit and publicized the issue as much as we could to get the word out.
  • Also about 2.1.1, the problem was found through someone proactively auditing the codebase.
  • Finally Wincent says of WP “[a]nd if you insist on installing it, then you need to watch the trac like a hawk.” You would think complete transparency of the problems (it was on our bug tracker and mailing list) would be a good thing, especially considering the software Wincent uses doesn’t have a bug tracker, and the only way to submit a bug is through a contact form.

We can and do review new code for problems, and pick the vast majority up before any releases. I think the real issue though is not that WP has bugs which are sometimes security related, which all software not written by djb does, but that the mechanisms for updating complex web software are a pain. Right now the best experiences are probably with folks like Media Temple or Dreamhost that have pretty foolproof one-click upgrades and are quick with updates.

Making notification better and upgrading more painless for people not lucky enough to be on a host like that are problems with some very clever minds on them, and I’m confident that we’ll have good progress toward each in the next major release of WP.

Finally, I suppose we could act more like our proprietary competitors and try to downplay or hide security issues instead of trumpeting them loudly in our blog, but I think the benefit of having people well-informed outweighs the PR lumps we take for doing the right thing. I truly believe talking about these things in the open is the best way to address them.

In some ways it’s a good problem to have. When a product is popular, not only does it have more eyes from security professionals on it, but any problems garner a level of attention which is not quite warranted by the frequency of the general event, like Angelina Jolie having a baby. There are certainly things intrinsic to coding that can make software more or less secure, but all things being equal the software with the most eyes on it, which usually means Open Source, will be the most robust in the long term.

Categories
WordPress

Plugin Authors Get No Love

One interesting thing in the whole adware themes discussion is the people claiming if we require GPL it’ll kill the number and quality of themes out there, that the best themes have ads in them, that they couldn’t make themes if they weren’t getting the SEO gaming money, et cetera and so on.

There are two types of WordPress add-ons, themes and plugins. Are there any similarities?

  1. Plugins are just as hard or harder to write and design as themes.
  2. All plugins in our directory are required to be GPL or compatible.
  3. Plugin authors almost never get links on the front-end of a blog.
  4. I’m not aware of any plugins that bundle advertising with the intention of gaming search engines, like themes are.

Despite all of this, the plugin ecosystem around WordPress is flourishing, especially since we made the plugin directory, and hundreds have been added. It seems any of the doomsday scenarios people are expecting to happen to themes would have happened to plugins years ago. If ad-bundled themes really are better, a suggestion I find insulting to all those who volunteer their time for WordPress, then maybe they should start their own theme directory with only adware themes and they should get a ton of traffic.

(And just to respond to the title, I think plugin authors get tons of love, and hopefully we can help them get more with upcoming revisions to the plugin directory.)

Categories
Asides WordPress

NYC Meetup Update

Based on the comments on the last entry I think we’re going to kick off the April 11 meetup at Bryant Park at 6:30, and if needed migrate for drinks at 8 PM when the park closes to someplace like Heartland Brewery on West 43rd. How’s that sound to the New Yorkers in the audience? Update: Scott says “The northwest corner of the park is the most accessible (south of the Starbucks, east of the Verizon shop). Plus that’s where the coffee is.” That’s where we’ll meet. I’ll be in a beige overcoat and green shirt.

Categories
Asides WordPress

McAfee CEO

The new CEO of McAfee is blogging on their WordPress blog, very cool to see another CEO blogging. Hat Tip: Robert Accettura.

Categories
WordPress

71Miles on WP Framework

71Miles is a cool new travel site with a twist PM readers will find interesting — it’s built with WordPress. How? Adam Rugel writes “The nuts and bolts of our site is WordPress, it’s our foundation and content management system. We extended it to manage our content feeds: Google Calendar XML for the events calendar, map, and mobile product and Kayak’s brand new hotel API for the hotel deals. We tricked out the custom fields in WP to do a lot of the work for us, and we’ve got the categories set up so that we can scale to roll out dozens of editions (NYC, LA, Chicago…). At any rate we’re loving the platform…” Definitely one of the coolest uses of the WordPress framework I’ve seen in a while.

Categories
WordPress

USPS and Speaker.gov

Jim Amos just wrote in that Campbell-Ewald launched a new WordPress-powered site for the US Postal Service, called Deliver Magazine. Congrats to Jim and Naoko McCracken! Ryan noticed the other day that Nancy Pelosi has a WordPress blog at Speaker.gov called The Gavel. Cool domain name, and good to see WP being used in the political realm, especially since none of the Presidential candidates for 2008 are using WP (yet). If you come across or instigate WordPress being used someplace cool, be sure to write in.

Categories
Asides WordPress

WordPress Song

Devin Reams has done the first WordPress fan song, check out the music video on his site. Too cool for words.

Categories
Asides WordPress

How WordPress Spoils Developers

How WordPress Spoils Developers, I get the impression Brian is bullish on the future of WP. He’s right that we have a lot left to work on though, after 2.1 is out the door I think there’s going to be a ton more core development. Update: I agree far more with the developer-friendly bits than the “no room for anyone else” bits. If the latter arguments were true, WP itself wouldn’t exist and the fact that it’s never too late for something new is a point I emphasize in my talks a lot.

Categories
Asides Events WordPress

Macworld Meetup

Some folks are putting on a WordPress Meetup at Moscone Center around Macworld next week. I’ll be there, you should too.

Categories
Asides WordPress

WordPress Wii Plugin

WordPress Wii Edition Plugin, so you can browse your blog from the Wii browser. I’ve gotten a Wii and it’s definitely the device of the season, it doesn’t do as much as the PS3 or Xbox, but it’s way more fun.

Categories
Asides WordPress

Biggest Community Wins

Biggest Community Wins. “I picked, in other words, community over open source. And honestly, I have very few regrets about that decision, despite our pending migration.”

Categories
Asides WordPress press

PC World Blog Tips

PC World – New Tools Help Take Your Blog to the Next Level. “Top-flight bloggers are increasingly moving to WordPress, Automattic Productions’ no-cost, open-source blogging software. Unlike the basic blogging tools found in Blogger, Microsoft’s Windows Live Spaces, and Yahoo 360, WordPress offers tons of plug-ins and widgets for customizing your blog.”

Categories
Asides WordPress

Le Monde

The French newspaper Le Monde has moved all their blogs from Typepad to WordPress, if only I could read French.

Categories
Asides WordPress

Business Week Best

People have been telling me that Business Week named WordPress the top of the best blogging tools of 2006, which is pretty sweet. I haven’t picked up the magazine yet, but this link is the closest thing I can find to the list on their site.

Categories
Asides WordPress

LonelyBlog15

A Tribute to Lonelygirl15, new blog from the creators of the original Lonelygirl15. From Tech Republic, “Our entire backend that supports the Web site is free because we use WordPress,” Beckett said. “Five years ago, you would have had to buy UNIX boxes and build a custom content management system.”

Categories
Asides WordPress

bbPress Integration

Simpler integration with WordPress and bbPress, this is getting really cool.

Categories
Asides WordPress

Design Matters

Robert Accettura writes in that Lenovo, makers of the Thinkpad, is now blogging on WP. (And it’s surprisingly good.) Check out this post on their keyboard drainage system.

Categories
Asides WordPress

Happy Pals

Happy Pals is a plugin for WordPress to denote relationships within links.

Categories
Asides WordPress

5 Reasons to Use WordPress as CMS

5 Reasons to Use WordPress as CMS by Blogging Pro.