In what has become a nearly annual tradition, WordPress has released yet another update that broke thousands of plugins across the Internet. As usual, they claim this is in the best interest of security. Thus the breaking change was done with ZERO notification to developers. It was also forced onto most sites as a “security patch release” which will update any site that does not forcibly stop automatic updates.
Communication From WordPress Core Is Horrid
While I don’t have an issue with breaking changes for true security issues, what IS a problem is pushing out a change with almost ZERO testing to millions of websites with ZERO communication. They gave absolutely no warning to thousands of sites that this “update version” was coming and that it would knowingly break things. They did not communicate to site owners so they could block updates. They did not communicate to plugin or theme developers so they could come up with new releases.
Instead they don’t say a thing and let “the marketplace” deal with the aftermath. Plugin authors are left fending off thousands of pissed off customers — forcing what will collectively be thousands of man-hours of code patches done “under the gun” in a rush to placate the masses.
Breaking Things Is OK For Security – Except When It Is Not
What REALLY gets under my skin on this whole ordeal is WordPress talking out of both sides of their mouth.
WordPress STILL SUPPORTS PHP 5.2.4 which comes with an entire BOAT LOAD of major security holes. Yet if you want your themes and plugins to support 100% of the “WordPress community” you must allow for PHP 5.2.4 or PHP 5.3 or PHP 5.4 or 5.5 — all of which are outside of the “security releases only” support from PHP.
In other words WordPress is actively encouraging hosting companies AND site owners to leave huge gaping security holes in the underlying platform on which WordPress runs.
False Sense of Security
WordPress is going around installing deadbolt locks on people’s doors in the middle of the night without their permission while ignoring the fact that tens-of-thousands of those homes have wide-open doggie doors, no locks on the windows, and are leaving the deadbolt key under the mat with a post-it note on the door that says “key under mat”.
Dear WordPress Core / Matt Mullenweg — if you are serious about security you’d drop core support of PHP 5.2.4 and nearly every other PHP 5.X release.