Bugtraq: WordPress Database Backup

My WordPress Database Backup plugin appeared on Bugtraq today. The folks who found the directory traversal vulnerability didn't inform me about it. I don't know if they informed the WordPress security folks. A kind reader forwarded to me the announcement.

I don't have a fix at this time. Stay tuned here, or at the WordPress support forums.

UPDATE: Ryan Boren cooked up a fix for the directory traversal vulnerability. Download it here.

subscribe2 is dead. Long live subscribe2!

As most of my regular readers know, I've stopped developing subscribe2, the email notification plugin I first released a year and a half ago. This plugin was very well received, and it's in use on a lot of WordPress blogs. Of the plugins I wrote, only my database backup plugin is more popular -- and that's mostly due to its inclusion with the core WordPress download.

I started subscribe2 as an update to the "subscribe" plugin by seriocomic. His plugin used a flat text file, and required a fair amount of command-line jiggery-pokery to make work. An email notification mechanism was just the thing my mom wanted for her "topic of the month" blog, but I didn't want to be saddled with managing all the details of said mechanism. So I took seriocomic's plugin as a foundation and modified it to use the WordPress database to store all the subscriber data. Thus subscribe2 was born. No, it wasn't a particularly catchy name.

subscribe2 evolved through a series of feature requests from users. A lot of people had a lot of good ideas, and I was frankly surprised by the amount of attention my little plugin received. Bug reports came in alongside feature requests, and I really learned a lot about WordPress and its plugin API while working on subscribe2. Several folks submitted patches, and a few folks really helped me out by rigorously testing beta releases.

Matt at prescriber.org.uk was one such tester. He was instrumental in ferreting out all kinds of niggling problems that I had overlooked. He, too, cut his PHP and WordPress teeth on subscribe2 and quickly grew from tester to feature designer. He fixed code, submitted a few modest improvements, and expressed a strong interest in seeing subscribe2 live.

I am pleased to announce that subscribe2 is now under new management! Matt has been adding useful new features to my abandoned codebase, and he shows no signs of stopping.

If you're a user of subscribe2, please update your bookmarks and feed readers to point to the new subscribe2 home page. Matt is now officially in charge of development. Send him your feature requests and bug fixes. All support requests really should be sent to the WordPress support forums, so as not to overwhelm Matt with things that other folks can help resolve.

As an aside: useless bug reports -- those reporting "It doesn't work!" with no other details -- contributed greatly to my abandonment of subscribe2. Please don't wear Matt down with the same. Report as much detail as you can when asking about problems. Which version of WordPress are you using? Which version of subscribe2? Who's your hosting provider? Are they using GNU/Linux or Windows? Apache or IIS? Which version of PHP is in use? What steps have you taken to reproduce the problem? What, if anything, works?

subscribe2 is dead. Long live subscribe2!

To Do Lists

Owen, have you seen the new to-do list plugin for WordPress? Maybe that'll be sufficient for your needs. It might fall short on the mobile phone compatibility requirement, though, in the same way WordPress itself will fail on a mobile.

Thanks to WP Station for the heads-up.

Making No Changes

I'm disenfranchised with the WordPress development process, but I still think WordPress is a fairly groovy application. It lets me do what I want, and mostly stays out of my way. I say "mostly" because having used it for two years, it's hard for me to differentiate what works very well and what I've learned to just work around.

I'm not currently interested in exporting all of my data, importing it into some other application, and then learning to deal with a whole new set of things that mostly work. As such, I'll be sticking with WordPress for the immediate future. Moreover, looking around at the available options for blogging, none of the alternatives -- or the sites powered by them -- have me saying "Wow, I want that!". They all do the same things, by and large: publish content, accept comments, and manage some links. That's all there is to blogging, right?

Different tools offer more in some areas, and less in others. I've come to realize that my own blogging habits are, as near as I can tell, substantially different from what many blog applications -- particularly WordPress -- expect. This realization got me to thinking about the motivations people have for blogging. I know tons of people have written about this subject before -- I don't claim to have any unique insights. Yes, I'm painting with a broad brush, and yes there will always be exceptions. As I see it, there are basically four groups of bloggers: basic, intermediate, advanced, and SEO fools. This rough list is ordered in decreasing order by number of participants (arguably there are more SEO fools than advanced bloggers, but I don't count SEO fools as regular bloggers, as such).

  1. Basic bloggers want to publish content. They're not particularly fussy about the tool they use, and will likely use whatever tool their peers use (MySpace, LiveJournal, WordPress.com, etc). They don't seek a specific audience, save maybe their friends and family. Their motivations for blogging are purely personal, and largely self-satisfying. This is by far the largest group of bloggers.
  2. Intermediate bloggers like to look at, and occasionally tinker with, the plumbing of their site. They'll learn a smattering of CSS or PHP in order to personalize their site in the unending stream of blog after blog using the same themes. Many intermediate bloggers blog for personal reasons, but it's been my experience that many also have a specific topic or audience in mind, even if they still publish primarily for self-satisfaction.
  3. Advanced bloggers fall into two camps: writers and coders. Advanced blog writers are authors: they live for publishing. Many make a reasonable living writing on their blogs (see Gizmodo, Kottke, boingboing, etc for examples). Advanced blog coders are always pushing the cutting edge of the software, always finding new ways to extend their tools. They're the ones who quickly adopt things like tags-as-categories, and participate in the CSS reboots on a regular basis, and track incoming links from Technorati.
  4. SEO fools use blogs solely as a way to make money without exercising any real effort. They trick search engines into driving hits to their sites solely so that they can make advertising revenue. These creeps don't care about the quality of their content outside of its "keywords" value. They don't care about their audience except as eyeballs for their advertisements. In my involvement with WordPress, I've seen a lot of people using WordPress for their SEO scams. There's an entire cottage industry around it. I have zero respect for any of these people.

I've come to realize that I fall more into the basic blogger category than I do the intermediate category, with the notable exception that I do care about the tool I use, and want to run the blog on my own server. Further, I don't give a wet slap about most of the things advanced bloggers get all excited about. I don't have a specific audience in mind: I write what I feel like writing for myself, with the perhaps naive hope that someone somewhere will find it interesting. Since I don't have a specific audience, I don't have a specific interest in pulling in traffic. I don't care about Technorati. I don't care about tags, or linking into del.icio.us, because I don't expect people to navigate my site looking for more posts on the same subject. I'm not trying to make a buck from my blog, so I'm not going to stuff advertising onto my pages, or break up posts into many pages to increase ad views.

The development of blog software, after a while, seems like all the navel gazing for which blogging itself is so often reviled. I don't care about the philosophical differences between pingbacks and trackbacks. I don't care about the technological differences of RSS and Atom. I don't care about XMLRPC posting, or blog-by-email, or fancy movable widgets in my sidebar, or a rich text editing interface, or a spell checker, or a links manager. All of that stuff distracts me from what I want from a blogging package.

Bob asks what I want for skippy.net. For the time being, I want what I have, and possibly a little bit less. I'm not going to switch to Drupal, for example, because I think that's too "heavy" an application. I'm not going to switch to anything else any time soon because I know how to make WordPress do what I want. In the weeks ahead, I'll likely want WordPress to do even less than it does now. And I know I'm not particularly keen on tracking the future versions of WordPress, as they'll only add more cruft I won't use -- spellcheck, enhanced bookmark tools, widgets, etc. I complained last June, and proposed what I thought was a slightly more svelte interface for the one screen on which I spend most of my time. Oh well.

I might take another look at Blosxom (or even ikiwiki, or MicroWiki), since the "less is more" mentality is really starting to take hold of me. And I might look harder at SteamPress, too. Any tool that stays out of my way is worth considering. But for now, I'll stick with the status quo, simply because moving all my data is too much bother. Maybe I'll make a name for myself by writing a WordPress export tool...

WordPress-less

Earlier today I unsubscribed from all the WordPress mailing lists. I've terminated my dircproxy sitting in #wordpress. I've just now sent a note to Matt asking him to revoke my forum and trac privileges.

I still think that WordPress is a pretty groovy piece of software; but I don't like the power structure behind that software. I've stated publicly that I don't see a lot of leadership from Matt; and that I disagree not only with many of the decisions, but how they're made. Matt's reply didn't really address many of the issues I raised, which is pretty typical from him; and is no small part of my frustration. Despite his claim that "this discussion is important to have," there's been no follow-up since his jaunt to SXSW. I can only infer that this means that substantive changes are unlikely to occur.

WordPress hasn't been much fun for me, lately. When things stop being fun, it's time to reconsider your involvement with them. So as of right now, I'm no longer a WordPress hacker. No longer a plugin author. I'm just a lowly user, at the whim of wherever AutocraticAutomattic takes things.

