Slashdot Mirror


WordPress 4.4 Arrives

An anonymous reader writes with news of the newest release of open source WordPress, which adds a slew of new features to the blog management tool that will "make your site more connected and responsive." You can download the new release now from WordPress.org/Download (7.3MB). WordPress is a content management system (CMS) that powers 25 percent of the Web. The latest version is dubbed "Clifford" in honor of jazz trumpeter Clifford Brown.


  1. Why is that the goal of a new release? by Anonymous Coward · · Score: 5, Insightful

    Why is the goal of a new release to make a site "more connected and responsive?" Neither of those are the real issue with Wordpress. I'd like to see an emphasis on security and making it much harder to compromise an install of Wordpress. This tells me that the Wordpress devs might not be taking the issue seriously enough. How about at least not exposing internal paths, having separate administrator accounts that aren't logged into like normal users, and otherwise hardening the system? That should be the goal of new releases, otherwise 25% of the internet is full of massive security holes.

    1. Re:Why is that the goal of a new release? by Anonymous Coward · · Score: 2, Funny

      You'll take your crapified, phone centric UI changes and you'll LIKE THEM!

    2. Re:Why is that the goal of a new release? by KGIII · · Score: 2

      Heh... I saw "more connected and responsive" and my first thought was, "connected and responsive to whom?"

      --
      "So long and thanks for all the fish."
    3. Re:Why is that the goal of a new release? by RabidReindeer · · Score: 5, Funny

      Ah, a member of the Gnome 3 team speaks out!

    4. Re:Why is that the goal of a new release? by U2xhc2hkb3QgU3Vja3M · · Score: 1

      Why Joomla, exactly? Why not Drupal or something else?

    5. Re:Why is that the goal of a new release? by BenFranske · · Score: 1

      Drupal is so old school, I hear the cool kids are using http://modx.com/ now.

    6. Re:Why is that the goal of a new release? by Qbertino · · Score: 1

      I'd like to see an emphasis on security and making it much harder to compromise an install of Wordpress.

      WordPress powers one fourth of the entire web. Something around 100 million websites. A number hardly imaginable. I don't know about you but I'd be hard-pressed to find a system that is so widespread and offers that level of security. It may be a patchy mess, but so are many other successful projects. WP security is just fine, if you ask me.

      --
      We suffer more in our imagination than in reality. - Seneca
  2. Remote admin features by Billly+Gates · · Score: 4, Funny

    I love the remote administration features of WordPress. In fact, the owners have no idea I am even remoting in with the SQL commands

  3. Just-in-time exploits by twdorris · · Score: 1

    This was timed well with the FBI's announcement that they routinely use zero-day exploits.

    1. Re:Just-in-time exploits by Anonymous Coward · · Score: 1

      I work for a shared hosting company. Updated WordPress sites aren't the problem - the crappy home-made plugins, disabled automatic updates, and premium themes without update notifications are.

    2. Re:Just-in-time exploits by Kernel+Krumpit · · Score: 1

      I like the WordFence comment - in spite of the almost constant baby-sitting WF requires..

      --
      May the lies we live by make us strong, healthy, happy and wise - Kurt Vonnegut.
    3. Re:Just-in-time exploits by rklrkl · · Score: 1

      ...and sites with Wordfence :-) The latest Wordfence release outrageously renames a core WP file (/readme.html) by default which breaks the official WP API used to verify checksums of core WP files (tools such as WP-CLI use this). I posted up to the Wordfence forum about this and got a useless reply and my thread marked as "resolved" despite nothing being done about the breakage!

      I've now had to go around all WP sites with Wordfence installed, manually turning off this renaming of /readme.html (which was turned off by default in older Wordfence releases and very sneakily silently turned on in the latest release).

  4. Upgrade hell by sgrover · · Score: 1, Insightful

    Between keeping the core WP system up to date, and keeping all the plugins up to date, the maintenance needs for a WP system discounts it for most of my customers. If you fail to keep the updates in place - almost daily, then your site quickly becomes owned and requires even more maintenance to fix. There are times and places for WP, but if all "fixes" and content updates are going to the consultants and tech team anyway, then why not just use static HTML?

    1. Re:Upgrade hell by gmack · · Score: 3, Interesting

      This is not as hard a problem as you would think. Step one was installing the update notifier plugin and loading a cron job to ping the Wordpress cron script a couple of times a day (not needed on higher traffic sites) so I know when updates need to happen.

      Then I installed the "wp-cli" script and added a script that grabs a backup of the database and web files before running the following commands:
      wp core update
      wp core update-db
      wp theme update --all
      wp plugin update --all

      Then.. wrap that in another script that cycled through all of the sites on my system and Wordpress becomes completely painless as long as no one has done anything crazy like mod the actual Wordpress php files..

    2. Re:Upgrade hell by Anonymous Coward · · Score: 1

      the problem with wordpress (and joomla, for that matter, which is also a huge target for hackers) is 99% of its users who read your comment here would go 'huh?' and have absolutely no clue what you said.

    3. Re:Upgrade hell by thegarbz · · Score: 3, Insightful

      the maintenance needs for a WP system discounts it for most of my customers.

      You mean like the whole 7 updates released this year, not including bug fixes for legacy systems? The same 7 updates which can be applied automagically with a click of a button and even check the compatibility of plugins as it goes?

      Do your customers also have problems tying their shoelaces and do you get paid by the hour to help them eat their meals?

    4. Re:Upgrade hell by rklrkl · · Score: 1

      I, too, have an ever-growing script that wraps around WP-CLI, but there's a *lot* of gotchas you've got to deal with:

      * Use "wp core verify-checksums" to make sure no-one's modded core files before you do a WP core update.
      * Check at least the Web site home page is returning a 200 success code before attempting any updates.
      * If the home page fails to return 200 after an update, auto-rollback the Web/DB from the pre-update backup you took.
      * You need the ability to exclude specific plugin updates if they break a particular site (so you can rollback/freeze UAT/live on the last working version while you work on dev to find a workaround for the newest version). This means you need to construct a list of "available" updates from the output of "wp plugin list" and then exclude broken plugins for specific sites i.e. you can't use --all like the parent post did.
      * You should do a second plugin update pass if the first pass updated any plugins - some plugins such as Woocommerce can trigger fresh "available" updates for other plugins.
      * Massively irritatingly, many commercial plugins fail to hook into the standard WP updating system (i.e. "wp plugin list" fails to list new updates as being "available"). I've had to resort to horrendous site scraping to detect and download such updates - paid-for plugins often insist you manually log into their site and manually download/install a plugin zip file, which is madness.

      There are quite a few other things that my script does (e.g. scan Apache config for ServerName and DocumentRoots containing wp-config.php for a WP site list, generates Web pages for each server detailing the updates, e-mails the WP admin contact when core/plugins are updated for a site), but too much is specific to my setup to be publicly released I'm afraid.
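
The guarded update sequence described in the two comments above, written out as an added example; it is not part of the thread and is not either poster's script. The function names are assumptions, and `backup_site` and `restore_site` are hypothetical placeholder hooks standing in for real backup tooling.

```shell
#!/bin/sh
# Added example: guarded WP-CLI update for a single site.
# Function names are hypothetical; backup_site/restore_site are placeholder
# hooks to be replaced with real database and file backup tooling.
backup_site()  { echo "backup taken: $1"; }
restore_site() { echo "backup restored: $1"; }

# True only when the home page answers HTTP 200.
home_ok() {
  [ "$(curl -s -o /dev/null -w '%{http_code}' "$1")" = "200" ]
}

# Print plugins with an available update, minus the excluded ones.
# $1 = WordPress path, $2 = space-separated plugin names to freeze.
pending_plugins() {
  wp --path="$1" plugin list --update=available --field=name |
  while read -r name; do
    case " $2 " in
      *" $name "*) ;;                  # frozen for this site: skip
      *) printf '%s\n' "$name" ;;
    esac
  done
}

# $1 = WordPress path, $2 = home page URL, $3 = plugins to exclude.
update_site() {
  site="$1"; url="$2"; exclude="$3"
  # Refuse to update over core files that no longer match upstream checksums.
  wp --path="$site" core verify-checksums ||
    { echo "core files modified, not updating: $site"; return 2; }
  home_ok "$url" || { echo "already failing before update: $url"; return 3; }
  backup_site "$site" || return 4
  wp --path="$site" core update && wp --path="$site" core update-db
  for pass in 1 2; do    # a second pass picks up updates unlocked by the first
    plugins=$(pending_plugins "$site" "$exclude")
    [ -n "$plugins" ] || break
    # Word splitting of $plugins into separate arguments is intended.
    wp --path="$site" plugin update $plugins
  done
  if ! home_ok "$url"; then
    restore_site "$site"
    echo "rolled back after failed health check: $site"
    return 5
  fi
  echo "updated: $site"
}
```

A failed checksum verification stops the run before anything is changed, so a site with tampered core files is left for inspection rather than overwritten.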

    5. Re:Upgrade hell by rklrkl · · Score: 1

      WP-CLI is your friend - lets you do all the admin pointy-clicky stuff via the command line instead (cue a cron'ed wrapper script!). Even manually updating WordPress is painless compared to pretty well any other CMS out there. If I mention "Umbraco updates" (yes, I know, it's Windows only) to anyone within earshot, they run away screaming. Umbraco has *no* updating facility at all (manual clicking in admin interface or automated) and it can literally take days to update just one Umbraco site following a horrendous set of complex instructions!

  5. Security built right in by ThatsNotPudding · · Score: 1

    "This screen door has *two* eye hook locks to keep the bad guys out!!"

  6. Shocked the World by Etherwalk · · Score: 1

    That's why the Wordpress goons decided to enable automatic updating a while back.

    They really shocked the world with the auto-update's default use of FTP and innovative taking of the FTP credentials over unsecured wp-admin connections.

  7. Aren't most WordPress vulnerabilities... by rsilvergun · · Score: 1

    From plugins? Knock on wood and all but I run my blog/help pages off of WordPress and I don't see a lot of patches or the vulnerabilities that go with them. But it's pretty much stock with a simple theme and a spam filter...

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  8. Absolute URLs in the WP DB drive me nuts by rklrkl · · Score: 1

    One of the major pains in the backside of WordPress is its use of absolute URLs for pages on the site thousands of times in the WP database. PHP has always had $_SERVER variables to dynamically find the top level component of your URL (e.g. http://www.joebloggs.com/) if you need to (does WP ever need to know it anyway?), yet if you dump the SQL DB, you'll see that URLs are pretty well all absolute rather than relative. This is horrible because:

    * HTML generated by WordPress contains absolute URLs all over the place for resources contained within the site, when they clearly should be relative URLs to save bytes if nothing else.
    * Any need to change the URL of a WordPress site causes massive pain because you can't just mysqldump/sed/mysql to change the URL because of serialised data. I have to use a special tool for this, which is highly annoying to have to do so (though the tool is nice to use admittedly). Warning: WP-CLI's "wp search-replace" often misses replacing some URLs, so I don't use that any more.

    In case you think you'll never change a top-level URL of a WordPress site, think again - it's very common indeed:
    * Site goes from national (www.joebloggs.co.uk) to international (www.joebloggs.com) and wants the latter to be the primary address.
    * Site needs to be copied from dev -> UAT -> live (and maybe -> DR) or in the reverse direction and all instances have different URLs.
    * Site is converted from http to https.

  9. Re:Upgrade hell, not by Herve5 · · Score: 1

    Well I for one handle various WP sites and upgrading is absolutely not a hell. I have less than a dozen plugins on each, and just update them before upgrading the core. Never found an issue, for a couple of years on.
    BTW, I went here to check if some new issues would have appeared when switching to 4.4, and I see none.

    --
    Herve S.