While WordPress 2.8.2 is just two weeks old, WordPress 2.8.3 was released today containing, you guessed it, another security patch.
Two weeks ago, I defended WordPress’ quick update, arguing that it involved a new exploit that obviously needed to be closed. However, the holes that 2.8.3 closes should have been closed two weeks ago. In fact, the announcement from WordPress admits as much, saying:
Unfortunately, I missed some places when fixing the privilege escalation issues for 2.8.1.
Now I get it, people make mistakes. And yes, WordPress is free to use.
But being free is not a license to suck.
And besides, Automattic, the company behind the WordPress software, is a business and believe it or not they do make money as a result of WordPress. The fact that they’ve been required to release 3 updates in less than a month due to sloppy coding & testing on their part is simply inexcusable.
Edit: As was correctly pointed out to me by an Automattic employee, Automattic is not technically “behind” WordPress. There are several other generous souls who contribute to the open source platform. However, 3 of the 5 lead developers of WordPress are Automattic employees, including Ryan Boren who published the post admitting he “missed some places” in the 2.8.2 release. Splitting hairs? I think so, but hey at least this post is now accurate.
No, I’m not saying WordPress shouldn’t be releasing this new version. And I’m not saying that I expect WordPress to be ahead of every conceivable new hack or vulnerability people discover.
But I am saying next time I’d like a little bit more time spent on security & double checking that ALL the holes are closed.
Maybe instead of developing some of these extra features for 2.9, you can focus on not requiring me to update every single blog I have every two weeks. That’d save me a lot more time than a feature for people who are too lazy to edit their images in a separate program.
Now if you’ll excuse me, I’m off to close several dozen security holes on my server… again.