Slashdot Mirror


WordPress 4.4 Arrives

An anonymous reader writes with news of the newest release of open source WordPress, which adds a slew of new features to the blog management tool that will "make your site more connected and responsive." You can download the new release now from WordPress.org/Download (7.3MB). WordPress is a content management system (CMS) that powers 25 percent of the Web. The latest version is dubbed "Clifford" in honor of jazz trumpeter Clifford Brown.

39 comments

  1. Why is that the goal of a new release? by Anonymous Coward · · Score: 5, Insightful

    Why is the goal of a new release to make a site "more connected and responsive?" Neither of those are the real issue with Wordpress. I'd like to see an emphasis on security and making it much harder to compromise an install of Wordpress. This tells me that the Wordpress devs might not be taking the issue seriously enough. How about at least not exposing internal paths, having separate administrator accounts that aren't logged into like normal users, and otherwise hardening the system? That should be the goal of new releases, otherwise 25% of the internet is full of massive security holes.

    1. Re:Why is that the goal of a new release? by Anonymous Coward · · Score: 2, Funny

      You'll take your crapified, phone centric UI changes and you'll LIKE THEM!

    2. Re:Why is that the goal of a new release? by KGIII · · Score: 2

      Heh... I saw "more connected and responsive" and my first thought was, "connected and responsive to whom?"

      --
      "So long and thanks for all the fish."

    3. Re:Why is that the goal of a new release? by Anonymous Coward · · Score: 0

      > I'd like to see an emphasis on security and making it much harder to compromise an install of Wordpress. This tells me that the Wordpress devs might not be taking the issue seriously enough... That should be the goal of new releases, otherwise 25% of the internet is full of massive security holes.

      I've seen the Wordpress core codebase, and sadly, no matter how diligent the devs are, that code is never going to be fully secure.

      The basic problem here is that WP exposes lots of its poor practice through its APIs, and thus the gazillions of WP plugins and templates (which are what really power 25% of the web, and are also where all the money is actually made) have all been forced to rely on those poor practices. Fixing the root problems in WP would, by necessity, mean causing breaking changes that would make it incompatible with all those plugins. Since the plugins are the only reason anyone really uses WP, making a version that was incompatible with them all would be effective suicide for WP.

      They can't cause major BC breaks, and so they can't fix their root problems.

      It's not really WP's fault. It was written a long time ago, when the PHP language and community was blissfully ignorant of concepts like clean code, unit testing, SOLID or even OO. But it was never intended to be a CMS platform that would power a quarter of the web; it was a simple blogging engine with a plugin API. The web latched onto it because it was easy to use, not because it was well written. If you want a well-written PHP CMS, get yourself a copy of Joomla instead. But people won't do that because it doesn't have anything like as many plugins available. *sigh*

      Well, I guess the best we can hope for is that the new WP version doesn't have too many new security holes. Let's wait and see, shall we?

    4. Re:Why is that the goal of a new release? by RabidReindeer · · Score: 5, Funny

      Ah, a member of the Gnome 3 team speaks out!

    5. Re:Why is that the goal of a new release? by Anonymous Coward · · Score: 0

      I was with you until you mentioned Joomla. How many exploits have been found in Joomla?

    6. Re:Why is that the goal of a new release? by U2xhc2hkb3QgU3Vja3M · · Score: 1

      Why Joomla, exactly? Why not Drupal or something else?

    7. Re:Why is that the goal of a new release? by BenFranske · · Score: 1

      Drupal is so old school, I hear the cool kids are using http://modx.com/ now.

    8. Re:Why is that the goal of a new release? by Anonymous Coward · · Score: 0

      Actually, yes, they are issues. Responsive images in WordPress have always required kludges that hook into the core. Responsive oEmbeds are worse: you had to hook into embed_oembed_html and use regular expressions to modify the iframe markup (or use javascript to modify them after page load, also less than ideal). These kludges are inherently fragile and almost always cause problems with third party plugins. Now it is part of the core and just works.

      Besides, if you look beyond the marketing speak, there are a lot of improvements that make it easier to run big sites. Things like taxonomy metadata (finally!) and the WP_Network object, which makes it much easier to run multisite installations (or multilingual installations using the most popular method for achieving this).

      I make my living by running a couple of large WordPress sites, and this release makes me as happy as a pig in shit.

    9. Re:Why is that the goal of a new release? by Anonymous Coward · · Score: 0

      > The basic problem here is that WP exposes lots of its poor practice through its APIs, and thus the gazillions of WP plugins and templates (which are what really power 25% of the web, and are also where all the money is actually made) have all been forced to rely on those poor practices. Fixing the root problems in WP would, by necessity, mean causing breaking changes that would make it incompatible with all those plugins. Since the plugins are the only reason anyone really uses WP, making a version that was incompatible with them all would be effective suicide for WP.

      Just like PHP.

    10. Re:Why is that the goal of a new release? by Qbertino · · Score: 1

      > I'd like to see an emphasis on security and making it much harder to compromise an install of Wordpress.

      WordPress powers one fourth of the entire web. Something around 100 million websites. A number hardly imaginable. I don't know about you but I'd be hard-pressed to find a system that is so widespread and offers that level of security. It may be a patchy mess, but so are many other successful projects. WP security is just fine, if you ask me.

      --
      We suffer more in our imagination than in reality. - Seneca

  2. SEO Spam by Anonymous Coward · · Score: 0

    Reading WordPress news on VentureBeat is like reading NASA news on TMZ. How many WP experts does that news agency have? No thanks, I'll just check out Torque instead.

  3. Remote admin features by Billly+Gates · · Score: 4, Funny

    I love the remote administration features of wordpress. In fact the owners have no idea I am even remoting in with the sql commands.

  4. 25 percent of WHICH Web by Anonymous Coward · · Score: 0

    The lolcats Web, or the useful Web?

  5. Just-in-time exploits by twdorris · · Score: 1

    This was timed well with the FBI's announcement that they routinely use zero-day exploits.

    1. Re:Just-in-time exploits by Anonymous Coward · · Score: 0

      Why bother with 0-days ... it's WordPress we're talking about. The odds of finding an unpatched/documented are high enough.

    2. Re:Just-in-time exploits by Anonymous Coward · · Score: 1

      I work for a shared hosting company. Updated WordPress sites aren't the problem - the crappy home-made plugins, disabled automatic updates, and premium themes without update notifications are.

    3. Re:Just-in-time exploits by Anonymous Coward · · Score: 0

      And sites without wordfence.

    4. Re:Just-in-time exploits by Kernel+Krumpit · · Score: 1

      I like the WordFence comment - in spite of the almost constant baby-sitting WF requires..

      --
      May the lies we live by make us strong, healthy, happy and wise - Kurt Vonnegut.

    5. Re:Just-in-time exploits by rklrkl · · Score: 1

      ...and sites with Wordfence :-) The latest Wordfence release outrageously renames a core WP file (/readme.html) by default which breaks the official WP API used to verify checksums of core WP files (tools such as WP-CLI use this). I posted up to the Wordfence forum about this and got a useless reply and my thread marked as "resolved" despite nothing being done about the breakage!

      I've now had to go around all WP sites with Wordfence installed, manually turning off this renaming of /readme.html (which was turned off by default in older Wordfence releases and very sneakily silently turned on in the latest release).

  6. Upgrade hell by sgrover · · Score: 1, Insightful

    Between keeping the core WP system up to date, and keeping all the plugins up to date, the maintenance needs for a WP system discounts it for most of my customers. If you fail to keep the updates in place - almost daily, then your site quickly becomes owned and requires even more maintenance to fix. There are times and places for WP, but if all "fixes" and content updates are going to the consultants and tech team anyway, then why not just use static HTML?

    1. Re:Upgrade hell by Anonymous Coward · · Score: 0

      > Between keeping the core WP system up to date, and keeping all the plugins up to date, the maintenance needs for a WP system discounts it for most of my customers. If you fail to keep the updates in place - almost daily, then your site quickly becomes owned and requires even more maintenance to fix. There are times and places for WP, but if all "fixes" and content updates are going to the consultants and tech team anyway, then why not just use static HTML?

      That's why the Wordpress goons decided to enable automatic updating a while back.

    2. Re:Upgrade hell by gmack · · Score: 3, Interesting

      This is not as hard a problem as you would think. Step one was installing the update notifier plugin and loading a cron job to ping the Wordpress cron script a couple of times a day (not needed on higher traffic sites) so I know when updates need to happen.

      Then I installed the "wp-cli" script and added a script that grabs a backup of the database and web files before running the following commands:
      wp core update
      wp core update-db
      wp theme update --all
      wp plugin update --all

      Then.. wrap that in another script that cycled through all of the sites on my system and Wordpress becomes completely painless as long as no one has done anything crazy like mod the actual Wordpress php files..

    3. Re:Upgrade hell by Anonymous Coward · · Score: 0

      > as long as no one has done anything crazy like mod the actual Wordpress php files..

      [sheepishly]I did that once. Made it support MSSQL as the backend. I'm not proud.[/sheepishly]

    4. Re:Upgrade hell by Anonymous Coward · · Score: 1

      the problem with wordpress (and joomla, for that matter, which is also a huge target for hackers) is 99% of its users who read your comment here would go 'huh?' and have absolutely no clue what you said.

    5. Re:Upgrade hell by thegarbz · · Score: 3, Insightful

      > the maintenance needs for a WP system discounts it for most of my customers.

      You mean like the whole 7 updates released this year not including bug fixes for legacy systems? The same 7 updates which can be applied automagically with a click of a button and even check the compatibility of plugins as it goes?

      Do your customers also have problems tying their shoelaces and do you get paid by the hour to help them eat their meals?

    6. Re:Upgrade hell by Anonymous Coward · · Score: 0

      What do you propose as an alternative? Drupal? Something like a quarter of all Drupal sites got hacked in Drupalgeddon last year. There have been four important security patches for it in 2015. You are applying those patches, right?

      Custom? I've done that too. You'll have security through obscurity, but it's extremely expensive for your clients.

      Not PHP? Gets more expensive than applying a few patches real, real fast.

      But I guess you know what you're talking about: you have a seven digit UID.

    7. Re:Upgrade hell by Anonymous Coward · · Score: 0

      > Do your customers also have problems tying their shoelaces and do you get paid by the hour to help them eat their meals?

      Had you ever worked in web hosting you might not have been sarcastic when asking that.

    8. Re:Upgrade hell by rklrkl · · Score: 1

      I, too, have an ever-growing script that wraps around WP-CLI, but there's a *lot* of gotchas you've got to deal with:

      * Use "wp core verify-checksums" to make sure no-one's modded core files before you do a WP core update.
      * Check at least the Web site home page is returning a 200 success code before attempting any updates.
      * If the home page fails to return 200 after an update, auto-rollback the Web/DB from the pre-update backup you took.
      * You need the ability to exclude specific plugin updates if they break a particular site (so you can rollback/freeze UAT/live on the last working version while you work on dev to find a workaround for the newest version). This means you need to construct a list of "available" updates from the output of "wp plugin list" and then exclude broken plugins for specific sites i.e. you can't use --all like the parent post did.
      * You should do a second plugin update pass if the first pass updated any plugins - some plugins such as Woocommerce can trigger fresh "available" updates for other plugins.
      * Massively irritatingly, many commercial plugins fail to hook into the standard WP updating system (i.e. "wp plugin list" fails to list new updates as being "available"). I've had to resort to horrendous site scraping to detect and download such updates - paid-for plugins often insist you manually log into their site and manually download/install a plugin zip file, which is madness.

      There are quite a few other things that my script does (e.g. scan Apache config for ServerName and DocumentRoots containing wp-config.php for a WP site list, generates Web pages for each server detailing the updates, e-mails the WP admin contact when core/plugins are updated for a site), but too much is specific to my setup to be publicly released I'm afraid.
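
The guarded update routine that gmack's and rklrkl's comments above describe (verify core checksums, confirm the home page returns 200, back up, update, skip frozen plugins, run a second plugin pass, roll back on failure), as an added example that is not part of the thread and not either poster's script. The `wp` subcommands are real WP-CLI commands; `BACKUP_DIR`, the function names, the argument order and the return codes are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: guarded WP-CLI update of one site. Assumes wp, curl and tar
# are on PATH; BACKUP_DIR and the argument layout are choices of this sketch.
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wp}"

# True only if the home page answers HTTP 200.
site_is_up() {
    [ "$(curl -s -o /dev/null -w '%{http_code}' "$1")" = "200" ]
}

# Plugins with an update available, minus the space-separated freeze list in $2.
pending_plugins() {
    wp --path="$1" plugin list --update=available --field=name |
    while read -r name; do
        case " $2 " in
            *" $name "*) ;;                    # frozen on this site: skip
            *) printf '%s\n' "$name" ;;
        esac
    done
}

backup_site() {
    wp --path="$1" db export "$BACKUP_DIR/db.sql" &&
    tar -czf "$BACKUP_DIR/files.tar.gz" -C "$1" .
}

# Restores the saved files and database (files created by the update remain).
rollback_site() {
    tar -xzf "$BACKUP_DIR/files.tar.gz" -C "$1" &&
    wp --path="$1" db import "$BACKUP_DIR/db.sql"
}

# update_site <docroot> <home-url> [frozen]; returns 0 updated, 1 refused, 2 rolled back.
update_site() {
    docroot=$1; url=$2; frozen=${3:-}
    wp --path="$docroot" core verify-checksums || return 1  # core files modified
    site_is_up "$url" || return 1                           # already broken
    backup_site "$docroot" || return 1
    wp --path="$docroot" core update &&
    wp --path="$docroot" core update-db &&
    wp --path="$docroot" theme update --all || { rollback_site "$docroot"; return 2; }
    pass=1
    while [ "$pass" -le 2 ]; do   # second pass catches updates unlocked by the first
        plugins=$(pending_plugins "$docroot" "$frozen")
        [ -n "$plugins" ] || break
        wp --path="$docroot" plugin update $plugins || break  # unquoted: one arg per name
        pass=$((pass + 1))
    done
    site_is_up "$url" && return 0
    rollback_site "$docroot"
    return 2
}

if [ "$#" -ge 2 ]; then update_site "$@"; fi
```

A return code of 1 means nothing was changed, so a site whose core files fail checksum verification is left untouched for inspection rather than overwritten by the update.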

    9. Re:Upgrade hell by rklrkl · · Score: 1

      WP-CLI is your friend - lets you do all the admin pointy-clicky stuff via the command line instead (cue a cron'ed wrapper script!). Even manually updating WordPress is painless compared to pretty well any other CMS out there. If I mention "Umbraco updates" (yes, I know, it's Windows only) to anyone within earshot, they run away screaming. Umbraco has *no* updating facility at all (manual clicking in admin interface or automated) and it can literally take days to update just one Umbraco site following a horrendous set of complex instructions!

  7. many more holes coming by Anonymous Coward · · Score: 0

    Yupppiii

  8. Security built right in by ThatsNotPudding · · Score: 1

    "This screen door has *two* eye hook locks to keep the bad guys out!!"

  9. Shocked the World by Etherwalk · · Score: 1

    > That's why the Wordpress goons decided to enable automatic updating a while back.

    They really shocked the world with the auto-update's default use of FTP and innovative taking of the FTP credentials over unsecured wp-admin connections.

  10. Aren't most WordPress vulnerabilities... by rsilvergun · · Score: 1

    From plugins? Knock on wood and all but I run my blog/help pages off WordPress and I don't see a lot of patches or the vulnerabilities that go with them. But it's pretty much stock with a simple theme and a spam filter...

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/

  11. layme by Anonymous Coward · · Score: 0

    Layme

  12. Alternatives? by Anonymous Coward · · Score: 0

    Wordpress and PHP are indeed a catastrophe.

    Is there any better alternative, preferably in Python? (Django and Flask are nice, but are only frameworks)

  13. Absolute URLs in the WP DB drive me nuts by rklrkl · · Score: 1

    One of the major pains in the backside of WordPress is its use of absolute URLs for pages on the site thousands of times in the WP database. PHP has always had $_SERVER variables to dynamically find the top level component of your URL (e.g. http://www.joebloggs.com/) if you need to (does WP ever need to know it anyway?), yet if you dump the SQL DB, you'll see that URLs are pretty well all absolute rather than relative. This is horrible because:

    * HTML generated by WordPress contains absolute URLs all over the place for resources contained within the site, when they clearly should be relative URLs to save bytes if nothing else.
    * Any need to change the URL of a WordPress site causes massive pain because you can't just mysqldump/sed/mysql to change the URL because of serialised data. I have to use a special tool for this, which is highly annoying to have to do (though the tool is nice to use admittedly). Warning: WP-CLI's "wp search-replace" often misses replacing some URLs, so I don't use that any more.

    In case you think you'll never change a top-level URL of a WordPress site, think again - it's very common indeed:
    * Site goes from national (www.joebloggs.co.uk) to international (www.joebloggs.com) and wants the latter to be the primary address.
    * Site needs to be copied from dev -> UAT -> live (and maybe -> DR) or in the reverse direction and all instances have different URLs.
    * Site is converted from http to https.

  14. Re:Upgrade hell, not by Herve5 · · Score: 1

    Well I for one handle various WP sites and upgrading is absolutely not a hell. I have less than a dozen plugins on each, and just update them before upgrading the core. Never found an issue, for a couple of years on.
    BTW, I went here to check if some new issues would have appeared when switching to 4.4, and I see none.

    --
    Herve S.