Comment by cstuder

Comment by cstuder 2 days ago

13 replies

View on Hacker News

> A feature known as the Download Monitor plug-in created a webpage with the clear URL which provided a link to the live version, which bypassed the need for authentication. This rendered the protections on the ‘future’ function of WordPress redundant as it bypassed the required authentication needed to gain access to the pre-uploaded document.

WordPress is a nice piece of software, but the plugin situation is getting worse and worse. (Too many pending updates, premium features and constant upselling, selling of plugins to new sketchy owners...)

withinboredom 2 days ago

The main issue is that there isn't any governance to the plugin store. Once you have a plugin in there, you have free reign to do whatever you want with it. Getting it in there is a PITA though. For example, a library author and I created a plugin, but they wouldn't let me submit it because I wasn't the other author, and they wouldn't let him submit it because he wasn't me. True story.

Reply View 4 replies
  • kassner 2 days ago

    TBF there is some scrutiny on existing plugins, the team is just extremely understaffed (it’s ran by volunteers after all). I got involved in a plugin that ended up getting de-listed for some minor ToS violations after several years of being “fine”, they re-reviewed the plugin with the same rigor as a new submission.

    Reply View 2 replies
    • chuckadams 2 days ago

      Kudos to these volunteers, but as long as one single company continues to insist on owning all the resources of the plugin and theme directories, I don't think they deserve to continue profiting from volunteer labor.

      Reply View 1 reply
      • kassner 2 days ago

        Agreed. My experience was pre-Matt drama, and even then the boundary between wp.org and Automattic was quite unclear.

        Reply View 0 replies
  • RobotToaster 2 days ago

    There's also the fact that Matt Mullenweg (the guy who owns automattic) has made hostile takeovers of plugin pages before

    Reply View 0 replies
chippiewill 2 days ago

> WordPress is a nice piece of software, but the plugin situation is getting worse and worse

The plugin situation is a mess largely because Wordpress isn't a nice piece of software.

It's popular, and functionally it's great, but the codebase is really showing its age. Wordpress has never properly rearchitected because it would break plugins on a scale that would endanger its dominance.

Reply View 3 replies
  • pessimizer 2 days ago

    > the codebase is really showing its age.

    It's not age, it started very, very bad. If they'd fixed the horrible schema and the code a decade and a half ago, plugins would have been a lot easier to write (and a lot safer.)

    Reply View 1 reply
    • chippiewill a day ago

      Well, agreed, I just didn't want to completely shit on it.

      Reply View 0 replies
  • ollybee 2 days ago

    There's a whole industry of people selling solutions to WordPress's failings, all of whom have strong incentives for it not be properly improved.

    Reply View 0 replies
whycome 2 days ago

My favorite current plugin woe is where it completely changes what it does but keeps the same name and it's all a part of its 'update'

Reply View 0 replies
kstrauser 2 days ago

To an outsider, its entire plugin ecosystem is so odd. Like the conversation about “nulled” plugins, where someone removes license-checking code from GPL-licensed plugins and then redistributes them, and whether that’s moral, or even legal, which of course it is, because that’s the entire point of the GPL.

Reply View 0 replies
devnull3 2 days ago

> which provided a link to the live version

Even if that is the case, the backend must validate.

Reply View 0 replies