
Comments
Oh there's no doubt, and using the "Auto-Update" feature is irresponsible (in my eyes) - if some author's repo got hijacked, you just mainlined malware for the sake of convenience.
Always best to have other people try out the updates first since realistically, very few people have a dev/prod wordpress setup. I had one instance of an auto-update bork a good bit of my site and once was enough for me. Updates are a whole lot easier than roll-backs.
I think that's the selling point for WPEngine, right? "Host with us and you can just focus on what you do"
I think auto-update is fine. It's all relative to how well upstream code for updates is maintained. Don't use shit plugins and themes; use only quality, well-vetted and well-developed plugins, or develop your own. Unfortunately most WP admin users don't do that. They go on the cheap, free, and don't know exactly how to vet the devs, and that can cost them conflicts, downtime, and like you say compromises, due to poor coding practices, dev updates, maintenance. For the most part wordpress.org is very good at scanning for malware though.
Let's see if you can follow this logic
High quality, highly vetted developer's plugin is installed on 1 million sites. Eyes are on it constantly. Suddenly, the upstream ends up compromised by a bad actor (unbeknownst to the author). Bad actor pushes malware as an update. Your website is on auto-update. Congratulations, you're part of a 1 million strong botnet and all you had to do was...be lazy.
With auto-update off, you can see that there's an update available. If you don't update, you don't get infected. Leave it for a day or two. Go to the changelog, see if there's any KNOWN issues. To verify you aren't getting a duped changelog - copy the plugin name+version number, do a search. If there's a comment on Github that says "DON'T INSTALL PLUGIN $VERSION - MALWARE!" I can be like "Oh hey, I think I'll hold off and wait for that non-malware version" and wait to see what the developers' next move is and how they're planning on preventing it from happening again in the future (otherwise I'm looking for an alternative.)
Good security is inherently less convenient but that's the price you pay to be more secure.
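The hold-off procedure described in the post above (wait a day or two, check whether a release has been flagged, only then update), written up as a small policy check. This is an added example, not code from the thread or from WordPress; the `version` and `last_updated` field names and the timestamp format follow what the wordpress.org plugin-info API is assumed to return, and the plugin data below is constructed.

```python
"""Grace-period policy for WordPress plugin updates (added example).

A release is applied only when it is newer than what is installed, is not on a
local hold list, and has been public for at least `min_age`.  Input records are
shaped like api.wordpress.org/plugins/info/1.0/<slug>.json (assumed fields).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Decision:
    slug: str
    apply: bool
    reason: str

def parse_last_updated(value: str) -> datetime:
    # Assumed API format, e.g. "2024-09-20 3:14pm GMT"; treated as UTC.
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p %Z").replace(tzinfo=timezone.utc)

def version_tuple(version: str) -> tuple:
    # "2.4.1" -> (2, 4, 1) so that "2.10.0" sorts after "2.9.0".
    return tuple(int(p) for p in version.split("."))

def decide(slug: str, info: dict, installed: str, now: datetime,
           min_age: timedelta = timedelta(days=2), holds=frozenset()) -> Decision:
    latest = info["version"]
    if version_tuple(latest) <= version_tuple(installed):
        return Decision(slug, False, f"installed {installed} is already current")
    if (slug, latest) in holds:
        return Decision(slug, False, f"{latest} is on the local hold list")
    age = now - parse_last_updated(info["last_updated"])
    if age < min_age:
        return Decision(slug, False, f"{latest} is {age.days}d old, waiting for {min_age.days}d")
    return Decision(slug, True, f"{latest} has been public for {age.days}d with no hold")

# Constructed sample data, not real plugins or releases.
SAMPLE_INFO = {
    "example-plugin": {"version": "2.4.1", "last_updated": "2024-09-20 3:14pm GMT"},
    "another-plugin": {"version": "1.0.9", "last_updated": "2024-09-25 9:02am GMT"},
}
INSTALLED = {"example-plugin": "2.4.0", "another-plugin": "1.0.8"}
HOLDS = frozenset({("another-plugin", "1.0.9")})  # e.g. flagged on the project's issue tracker
NOW = datetime(2024, 9, 26, 12, 0, tzinfo=timezone.utc)

def run_policy(now: datetime = NOW, holds=HOLDS) -> dict:
    return {slug: decide(slug, SAMPLE_INFO[slug], INSTALLED[slug], now, holds=holds)
            for slug in SAMPLE_INFO}

if __name__ == "__main__":
    for d in run_policy().values():
        print(f"{d.slug}: {'UPDATE' if d.apply else 'HOLD'} - {d.reason}")
```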
I think WP is free, so WP Engine can use it and customize it for their customers. Matt's reasoning is ridiculous. What WP Engine needs to do is avoid giving the impression that they are WordPress: that they only use WP, and they should have a link to the WP homepage.
This has been taken too far. Through WP Engine's post about being blackmailed, Matt seems to be going a bit overboard.
Upstream from wordpress.org to their git, sdlc, or whatever system? Sure anything is possible of course. wordpress.org does not scan for vulns and malware. It's the devs responsibility.
That's true. But I'm not going to be doing that for WP hosted customers. It's a lot of work. It's a paid addon WP managed maintenance service for sure.
See if you 'can follow this logic'
You are safer having customers do auto-updating and strongly suggesting they use WP Defender and Wordfence plugins alike, than leaving it up to 'who knows who' (most likely no one) to do updates manually as you say, and then ending up with compromised sites, but more likely due to exploited vulnerabilities than what you are describing, which is much less common, although it can and does happen in all sorts of public repos, like in Python pip repos. I have customers that turned to our hosting because they were not doing updates and had been extremely compromised; I cleaned the sites up and set the policies, end of story.
There are more zero days a month/year than any number of these cases you mention would ever arise. Zero days are much more common and exploited on WP than anything.
Best advice for all WP site customers: if you cannot handle doing manual (monthly or quicker updates) and the process behind it, do auto-updates, better than no updates, and use WP Defender and Wordfence well configured (or good similar alternatives).
You will be compromised by script kiddies if you do not do updates. It's just a matter of time.
That'd just be a fundamental difference between you and me. The amount of work shouldn't matter. If you care about your clients, which I hope you do, you should be willing to go to the ends of the earth for them, because without them, you're nothing.
"It's a lot of work [and I don't want to do it]" is how you're going to be portrayed with that statement.
I follow it but you're doing it wrong.
If your site is static and on wordpress -> WP to Static Site -> Done.
If your site isn't static and relies on being dynamic -> Put WP into "Read Only Mode" when not updating content/plugins -> Update after your due diligence -> Done.
Both have had significant security vulnerabilities (that otherwise wouldn't be present if they were installed to begin with)
I'm old enough to remember wordfence bloating the fuck out of databases and probably being the reason WP Engine rose to fame 😂
Wordpress is a free and open-source CMS software under GPL. The community made it what it is today.
In my opinion this drama is all smoke from some emotional fire sparked by greed.
Exactly true. It's the only way (just like what cPanel did to please investors): start charging companies, and maybe in future there could be a Pay Per Install fee for each WordPress instance a user installs!!!
I read on Reddit from a former WordPress VIP user that VIP does not allow access to phpMyAdmin, nor does it allow any access to the MySQL database, and also no access to FTP, and you can't update plugins/themes with one click; you have to go to the git version and update it manually!!
Sure this shows even VIP from Automattic restricts much much more than WP Engine.
Also, in June 2024, the WordPress Foundation applied for "Managed WordPress" and "Hosted WordPress" trademarks.
All those companies using managed wordpress for selling customized wordpress hosting plans will not be able to use it anymore (or pay royalty to WordPress Foundation) for the same.
How To Lose Friends and Influence Investors by Matt Mullenweg
Foreword by Scrooge McDuck
Really sounds like they're headed in the wrong direction in a hurry. No wonder WPEngine is cleaning up. Path of least resistance = success.
That's just, like, your opinion, man. My clients appreciate the work and config. It's well secured.
Foreword by Scrooge McDuck
Don't worry until it happens. A lot of assumptions.
What if this just blows away which is the likely outcome, but who's got a crystal ball? I do but doesn't work like that
Matt was on an impromptu stream interview a few hours ago:
The most useful part to me starts at about 16m50s.
Instead of brushing off my comment, you should take the time to read and research the methods I put forth.
When you install more plugins, the way you're doing it, you're opening additional attack vectors for no good reason. Everything wordfence does, you can do manually. Static sites CAN'T be hacked.
If the only attack vector is attacking your stack (outside of typical OS hardening), you're going to be in much better shape than having to worry about WordPress at all.
On a personal note: Just keep in mind this isn't a PM and there's people who are going to read through this back and forth and judge you (and in turn, your company) based on your interactions. You'll notice the best and highest regarded providers here are all calm, cool, collected dudes who will be the first people to tell you they don't know everything (and certainly don't act that way.)
I tried to subtly warn you a few posts back...
And from what I saw in your sales post, things aren't going much better over there. Here are a couple snippets in case of sudden onset amnesia..
If you do have some sort of epiphany tonight and decide to take all of this to heart, after you research WordPress hardening without the use of plugins, market demands and SATA speeds - look up "how to eat humble pie", follow the instructions and you might just happen to win back some people you didn't even realize you lost. I hope for your company's sake that you're the sole employee, because otherwise you're really screwing over your team.
WebPros gonna buy WP
I have used WP Engine, and one of my previous companies was WordKeeper. If someone really needs better than them, they are definitely good.
I'm going to dog walk you to the last few miles to farm. Let's hit back to "Page 2" where @jar enlightened me without being a dick.
I said something. He pointed out where I was incorrect. I acknowledged I was wrong. Described how I found it. Explained why I said what I said.
Did I come off looking arrogant? I'd let jar answer; it's not my determination. Was there even an inkling of animosity between him and me because he corrected me?
You can be arrogant without being a dick. Myself, more so, because I'm not a representative of my company and wouldn't risk my co-workers' jobs, my brand or my reputation over an argument that does nothing more than prolong people's reading times.
(Director note: I added GIFS for the peanut gallery because walls of texts are lame.)
I just wanted people who might have been on the fence about you on page 3 to be certain how they see you by page 4.
I wish you success like the anti-adblock guy.
P.S. - I timed this post for when LET is slowest (the next 6-8 hours). There probably won't be any other engagement, just views, so it'll stay on top of the forums for maximum exposure. Stay humble.
I've never used wordpress.org or wp-engine.
If I sign up with WP-Engine, why do I need anything at wordpress.org?
So for example...
If I fire up Wordpress on some random LET host, I can search for something in the plugin directory, install that plugin, etc. Is wordpress.org now blocking that functionality for WP-Engine? OK.
But why would they need wordpress.org's login system? Wouldn't I login to WP-Engine?
All of these managed WP hosts, WP installers, self-hosted WP instances use WP.org's plugin and theme repositories. WP.org pays for the infra, hosting, etc. WP Engine can mirror this, but that would cost them. It would cost WP engine even more because WP.org uses groups of volunteers that make the plugin and theme review teams. WP Engine can't use volunteers, they have to pay these people for their work.
https://make.wordpress.org/themes/handbook/get-involved/become-a-reviewer/
https://make.wordpress.org/plugins/handbook/get-involved/become-a-reviewer/
NASA, does it use WP?
A new player: https://puppress.org/ 😂
Because, be it WP Engine or your private VPS, once you install WordPress (either by SSH or Softaculous) it needs to ping the wordpress.org repository, which contains all updates, including core file updates, third-party plugins, themes, bug fixes, and security fixes. WordPress is not WordPress without connecting to the wordpress.org backend. So Automattic/WordPress.org blocked the IPs of WP Engine, so all their clients could not get any plugin/theme/security update. Though a Reddit post says WPE has now fixed it with a workaround. Some users used a proxy server to connect to it.
LATEST from Matt Mullenweg
https://wordpress.org/news/2024/09/wp-engine-reprieve/
...and they sent a legal notice to the GPL theme and plugin provider https://festingervault.com/
Legal Claim Automattic (WordPress and WooCommerce)
Due to a legal claim from Automattic (WordPress) and WooCommerce regarding trademark usage and GPL compliance, we are forced to temporarily hold our offerings to prevent the risk of fines. Our lawyers have requested the court's decision to deny Automattic's and WooCommerce's claims that contradict the open-source philosophy. The court hearing will occur on 2 October 2024, and a verdict is expected soon.
In the meantime, we are negotiating with Automattic and WooCommerce to get back on track as soon as possible. But don’t worry—this is a brief pause, and we’re not going anywhere!
Festinger Vault is still 100% dedicated to providing GPL-compliant, open-source plugins and themes for WordPress, and we’re confident in the legal process. If you need any assistance or have questions, feel free to reach out at [email protected] or join the conversation in our Festinger Vault Community, where we’re always happy to help.
We’re excited to return even more robust and better, with excellent new features and improvements. Thanks for sticking with us—we genuinely appreciate your support. Stay tuned for more updates, and we can’t wait to welcome you back soon!
I don't use WordPress and know very little about how the WordPress ecosystem works, but aren't people allowed to mirror the wordpress.org repository? If they are, it surprises me that there aren't mirrors that one could use. Or am I missing something? (Perhaps people aren't allowed to mirror the wordpress.org repository?)
Matt Mullenweg said in the livestream yesterday that WP Engine can mirror the repositories. See at the 12:00 mark on the video.
Yes. https://github.com/WordPress/WordPress
But there’s more. WP Org hosts the public plugin and theme repositories, and manages the whole update cycle for these as well as the core. While these are generally open source, that does not obligate WP Org to provide managed updates and massive repo servers for all comers. https://plugins.trac.wordpress.org/ (they use Subversion)
All of WP Org’s plugins and themes are also on GitHub, and ecosystem devs can certainly put their plugins and themes on public git servers, but updating WP installations becomes a lot harder for the average WP user that way.
I don’t understand the purpose of Matt’s rant, but big picture, this seems like a trademark dispute between two large WP hosting companies: WP Com and WP Engine. An entity that offers up open source code can still hold a legal trademark. At least in the U.S., trademark owners are legally obligated to defend their trademarks, or otherwise they become diluted and eventually lost. Personally, I think Automattic’s approach is unhealthy for the ecosystem, but here we are!