Geof’s Relentless Kvetching About WordPress

I’ve found BlogSecurity’s WordPress Scanner to be invaluable for me; I’ve recently brought a bunch of installs up to current, but I hadn’t considered the vulnerabilities in XSS attacks on templates. But now that I know that those have holes, too, I can patch them up.

Go give WordPress Scanner a shot: all you’ll need to do to let it run is to put <!-- wpscanner --> somewhere in your template. I’d suggest putting it in the Header, where any page that WordPress Scanner comes across would have access to the statement. That way, all pages can be scanned for vulnerabilities. Just be sure to remove it after the scan is over so some black hat can’t use it against you!

It would be awesome if WordPress would include a post-upgrade scanner into the mix, checking your theme for possible holes. Upgrading WP only fixes the core files—any template you’ve used other than the default isn’t going to get fixed, and it could have a hole.

As Joe Gregorio notes, WordPress was supposed to support Atom 1.0 starting with the 1.6 milestone [which, as I recall, never happened and became 2.0]. Mark Pilgrim is frustrated, too. So am I, but this should be a surprise to exactly no one.

But being one to work within the system … there’s the new Ideas forum, and well, there’s a topic to support Atom 1.0 support in the next release. I’ve already chimed in. Go rate it up. If we all rate it up, perhaps it will become a priority. [It should be, anyway; WP is shipping to a deprecated version of a specification, something really outside the main WP ethos.]

I complained nine months ago about the lack of Atom 1.0 support in WordPress. It’s still a bit stunning to me that, a few releases later, WP still doesn’t have that support. But today, Sam Ruby pointed to Benjamin Smedburg’s plugin that generates Atom 1.0 output for WordPress. Huzzah!

I’ve gotta say that I find ticket 2972 to be wonderfully right-headed:

Currently, the most recent page (in any of the archives — dated, categorized) is page number 0. When clicking on Next Page, the url shows it being paged=1, thus page number 1. Going back even further, the page numbers increase.

However, when new posts are added, all the content in the pages shift with it.

In my opinion, it would be better if the oldest posts would be on page 1. This way, if new posts are added, consequently new pages are added. AND the content of the pages stay the same.

It’s all about future-proofing, and that’s a very, very good thing.

As I’ve been using WP 2.0, the thing I find myself most wishing for is some AJAX love for TrackBack. Yes, many argue that TB is broken, and while I understand why, some of us are still true believers. Anyway, what is with this space-separated nonsense at this point? Seems like this would be a key place to dump an URI, hit a button, and have another form block open for the next one. It would be even cooler if there were a way for WP to check for the validity of the TrackBack URI upon a Save and Continue Editing run.

If you’re looking for prior art on this, I’m specifically thinking of the “Add URL” functionality in Alex King’s Tasks software.

Man, does Manage –> Posts suck or what? You’ve got a search box [which is nice], and a month-by-month listing, and … that’s it. This is disappointing! I was hoping WP2.0 would bring some love to the Manage Posts page, but unfortunately, it didn’t.

How could this be better?

1. Filtering by categories. If you’re like me, you stick posts you imported into their own category, then filter away as you have time. There’s no way to do filter by category with WP out-of-the-box.
2. Filtering by authors. Not all WP installs are single-author Weblogs! Perversely, you can filter by author by going to Users –> Authors & Users and clicking on the post count of any user, but … that’s convoluted.
3. Filtering by most-recently-commented. If someone dredges up an old post and gives you some feedback on it—feedback you have to act on—you have to hope that you have email notification running or are grabbing your comment feed, because that’s the only way you’re going to be able to start digging up the entry.

Got some other ideas about how Manage –> Posts could work better? Leave a comment.

From Phil Ringnalda, I learn that Ben de Groot has been working to see if Atom 1.0 support will come out in WP 2.0. Apparently, WP 2.0 won’t support Atom 1.0, and as Sam Ruby promised he would, the feed validator will now declare Atom 0.3 feeds as invalid.

I think that we deserve an answer as to why WP 2.0 won’t get Atom 1.0 support out-of-the-box—I’m sure that there’s a good reason, but I’d like to know what that reason is.

The new roles and capabilities make a lot of sense, but I’m not sure I like the term “subscriber”. Subscribing comes with a lot of concepts. I probably would have just called it “user”. And yes, this is coming close to the ideal I have in mind for how a user system should work.

I think that most people who’ve used WordPress have a great affinity for the Links Manager—in fact, most of us would rather use it above all else. Me, I’m wishing that the WordPress development team would release it as a standalone piece of GPL’d code for use in non-WordPress sites. For my use, I’d implement it immediately on GFMorris.net to maintain that sidebar, which I do right now by hand. [All that is now is a hand-maintained, unordered list with a bunch of XFN data.]

Why do I advocate this?

1. Marketing. Not everyone is going to want to use WordPress for sites such as my GFMorris.net, but people will like having a good tool for this kind of thing. Since the Links Manager is best-of-breed in my opinion, it would become popular throughout the site design community as the tool to manage links—and while that’s a small niche, look into the toolset of any master chef, and you’ll find lots of great tools that do one thing and do it well. Don’t you think that the WP devs could stand that level of marketing?
2. Improving the Web. Providing good linking tools that make use of good metadata, as the Links Manager does, makes the Web better, because it lowers the barrier to making great links for content producers.

Know what would be cool? Matt points to the Trac tracker on how close WP 1.6 is to being ready for a beta, and I wonder, “Hmmm … why can’t I have a feed of this that gives me overall stats and maybe links to the open bugs?” Might also be cool for future releases for this to be in the Dashboard as a progress bar-type thing.