Hello everyone,
I have to be honest: I am really disappointed about your communication policy with regard to recent security issues in your plugin. I am running a couple of websites for my customers which are using wpForo as a discussion plugin. To keep up to date about important updates, I subscribed to your Announcements forum via RSS. Now I saw - more or less by accident - that since version 1.4.9 three or four security updates were released without informing your users in your Announcements area.
I have two serious questions:
- Why - weeks after releasing those security updates - have you still not officially informed your users about those critical security updates?
- How do you plan to improve your communication processes so that those kinds of incidents will not happen again?
Nobody likes to admit that their products have serious security issues from time to time, but it's of paramount importance that you - as the developers - are open about these issues and inform your users about them as soon as possible. An old version of your plugin had been installed on the servers of my customers for weeks because of that lack of information, which is absolutely a no-go! Especially when you keep in mind that - as far as I saw in other posts here - those security issues were so critical that your plugin got temporarily removed from the official WordPress plugin repository!
I expect that you inform your users about available security updates just as you inform your users about normal feature updates, as soon as they are available. Otherwise people may think twice about whether they want to use a product of a developer who wants to hide security issues.
Hi Bragos,
Thank you for your feedback. We do apologize for any inconvenience this may have caused and appreciate your understanding. This is something that happens with all WordPress plugins almost every day.
All WordPress plugins are being scanned by WordPress security tools, and they may temporarily disable plugins once they find some issue. Almost all plugins are reported for some security reason and are being fixed every day. This is not a unique case or a critical situation; this is a regular process of WordPress plugin development. There is no plugin that you can install and be 100% sure that there won't be any issue in the future. We do our best to keep this as minimal as possible. wpForo has existed for about two years and this is the first security issue reported. I'd say this is a statistic of the most secure plugins.
Our team quickly fixed the security issue and released version 1.4.11. It took a few hours. There was a data filtering issue, as explained in the change-log and in the corresponding forum topic opened on that day. There was also a sticky topic in the WordPress.org wpForo plugin support section.
The timeline:
- 29/05/2018 11:30 PM: Issue discovered by DediData and WordPress.
- 29/05/2018 11:30 PM: Sent details via email.
- 30/05/2018 12:31 AM: We replied stating we will release a patched version very soon.
- 30/05/2018 8:49 PM: Fixed version is released.
The security issue fixing release was only one, the 1.4.11 (the .10 was a development version without public release). The next .12 and .13 versions were just additional security changes; there were no critical security issues after 1.4.11. So there were not four security releases, there was one security fixing release and two improvement releases.
You just need to read the plugin change-log and update it regularly. The wpForo Community is not used by all wpForo users, so the main way for such cases is updating the plugin when you get an update notification.
The wpForo "News and Announcement" section in the forum doesn't cover all wpForo users; there are only a few subscribers and this changes nothing in the task of informing users. The main notification place is your website's Dashboard > Plugins admin page and the wpForo change-log on wordpress.org.
We don't have a wpForo News subscription or newsletter. We'll add it in the near future and let people subscribe to all news and updates. This is the main improvement we're planning for the future.
Hello @robert
Thanks for your reply. I don't complain that the plugin got removed or that it had a security issue - and I am glad that you fixed those bugs so fast.
But again: I just expect that I get the relevant information about it in the announcement sections of the official support forum. WordPress is just hosting your plugin but is not responsible for the development. That's the reason why I don't really care about the changelogs and information there.
You are the official developer of this plugin and this is your website, so I expect that I get all relevant information here from you and not somewhere on a third-party website or somewhere hidden in another topic. When there is an issue with your plugin, you are responsible and not WordPress.org. So you have to provide all necessary information in an easy-to-find way to your users. That's why I subscribed to your forum: because I expect to get all relevant update information directly from the developer's website.
Just another example: A lot of games get distributed via Steam. When a new security-update for a game is released I expect that I can easily find all relevant information about this on the website of the game-developer. Steam is not responsible at all, it just distributes the product.
Security is a very sensitive topic. You post new announcements for new versions of wpForo, so please also post an announcement for new security-updates in the future. Everyone who thinks that my concern is an exaggeration should not run a website and/or process any sensitive user-data.
I thought people learned that security and a professional information-policy is important those days ...
Well, there are many professionals that read and participate here, from what I know, me included.
You posted a title "Recent security issues: Horrible communication policy", and I consider "Horrible" to be exaggerated, yes.
I have no idea what exactly was the issue with wpForo and WordPress.org. But I do know that even if a plugin has an issue, it will probably be captured by other security layers, like a WordPress plugin or my hosting security rules. I use The Shield and it captures every day all kinds of strange patterns people are trying against my 3 WP sites.
wpForo puts no risk on any business. It is a wrong assumption to be posted here.
All the best with your sites.