The Week in Analysis

Everyone is Burned Out. That's Becoming a Security Nightmare

— Based on research by 1Password, Danny Palmer notes how two years of crisis thanks to the COVID-19 pandemic "and the challenges around remote working are taking their toll." Apathy is up, and people are making more mistakes, including in programming procedures, which may be leading to weaker security. The 1Password report notes that "burned-out security leaders, charged with protecting businesses, are doing a far worse job of following security guidelines." 😫
POST STATUS ANALYSIS

Burnout affects mental and physical health. Depression and apathy can affect your attitude in how you write code and run tests, which can be a potential security and quality issue.

Why not give yourself and your remote team some recharge time going into year three of the pandemic?

— David

CMS Market Share Analysis (December 2021)

Joost de Valk has released another edition of his analysis of the CMS market share numbers from W3techs. We always enjoy how Joost breaks up the data and includes readable graphs. The tl;dr is: WordPress growth is still happening — but slowing. Shopify is still going gangbusters. For Drupal and Joomla it's the opposite:
"Shopify continues to show amazing growth, in some months in the last 6 months it even managed to match the growth of WordPress in absolute numbers. Similarly, Wix has stepped up the pace and is growing rapidly."
Sadly, the trend for open source as a whole isn't good. Joost writes, "As an open source enthusiast, it pains me to see that all the SaaS tools are winning, and open source in general is losing everywhere." This isn't the full story, however. W3Techs bases its reports on Alexa, which holds rankings for at least the top 10 million websites. Amazon announced this week that it is shutting down this web ranking service on May 1st, 2022. BleepingComputer notes that "according to data from Semrush... Alexa.com's organic traffic has been on a constant decline." 📉 It's unclear where else the ranking data can come from after May. Joost is asking this as well:
"There's a huge chance here for a service like Similarweb or Comscore to make a list like that publicly available and score free links and PR from tons of sites across the web, every day."
POST STATUS ANALYSIS

Market share numbers from W3techs aren’t a perfect metric, but it’s one to pay attention to because there’s nothing better available. But there’s a danger — being fixated on market share alone shouldn’t be the sole indicator of the health of WordPress, its economy, or its community. WordPress will stop growing at some point, and I expect a lot of “WP is doomed” commentary from some people then, regardless of how high its market share peaks.

Alexa’s shutdown will leave a vacuum that will be filled. Will it be filled by better metrics and data, or something less reliable?

In the grander scheme of things, I see WordPress taking a path similar to the iPhone’s. In its early days, the iPhone market share was explosive and saw massive revenues for Apple. Then growth largely stopped. But its userbase and revenue are doing just fine.

My Takeaway: While good analysis of the CMS market is vital and needs more attention, the WordPress community needs to avoid fixation on a single measure of success.

— David

To Breach or Not to Breach?

— In October 2020, Italian security researcher Carlo Di Dato reached out to BleepingComputer after discovering it's possible to capture massive amounts of Gravatar user data through a hidden API route. BleepingComputer confirmed this and noted some user profiles have more public data than others, such as Bitcoin wallet addresses, phone numbers, location data, and other personally identifiable information. Apparently the possibility of abusing Gravatar to harvest data from millions of users went unnoticed or underreported in WordPress circles. (Gravatar is the default option for WordPress avatars.) The story gained sudden traction this week from a recent HaveIBeenPwned disclosure which revealed:
“167 million names, usernames and encrypted email addresses used to reference users’ avatars were scraped and distributed within the hacking community. 14 million of the MD5 hashes were cracked and distributed alongside the source hash, thus disclosing the original email address and accompanying data.”
Gravatar has addressed the issue, stating they "immediately patched the ability to harvest the public profile data en masse" after Di Dato's discovery in 2020, but insisted "Gravatar was not hacked."
POST STATUS ANALYSIS

Harvesting massive amounts of public data was not described as a “security breach” in the 2020 BleepingComputer post. It was compared to scraping public pages on Facebook for criminal purposes. @Talluwulalalahhh compared this to a massive copying of a public phone book.

I’m with Brian Richards on this — it’s not a hack because the data that was harvested was always public and Gravatar users knew that, but it feels like a security breach. Why? Mass capture and exposure of personal data is like mass doxxing. So I don’t blame anyone who has a sour taste in their mouth. It’s another reminder to think twice about the personal information you publish and where you publish it.

— David

This is definitely a data breach. Whether you consider it a security breach depends on how you regard a “hidden” but publicly accessible API route and use of a “cryptographically broken” hash function. Are these “security mechanisms?” Were they intended to prevent massive data captures as unauthorized uses of the service? But either way you answer that, Gravatar had inadequate or no security mechanisms in place to prevent the data harvesting through this attack vector prior to their patch.

Gravatar user expectations are an important issue too. The service is not set up as a directory, and most people don’t know about scrapers. They do know about phone books — those widely distributed mass data dumps nobody is surprised to discover in the wild. (The fact that they are still printed and profitable is surprising.) Unless a service like Gravatar is exploited, it isn’t providing anyone with a large list of its users. Nobody expects it will, so they make the assumption they will have a limited degree of publicity and privacy. It’s a bad assumption.

Whether you’re in a phone directory or not, you do expect to get called by telemarketers. You know you have to take other steps on your own to protect your privacy. That public expectation needs to shift to include any online personal data disclosure. But anyone storing their users’ personal data on the web should do more to raise awareness about the risks and take their share of responsibility to reduce those risks.

— Dan
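As an added illustration of the point about the hash function (this is example code, not Gravatar's or the article's): an unsalted MD5 of a normalised e-mail address is keyless and deterministic, so "cracking" it is a dictionary lookup against any address list the holder already has, whereas a keyed HMAC with a server-side secret cannot be matched without the key. The candidate addresses, the "leak" and the key below are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a short address list standing in for the kind of list
# (leaked or purchased) that is already in circulation and used for matching.
CANDIDATE_EMAILS = [
    "alice@example.com",
    "Bob.Smith@Example.org",
    "carol+news@example.net",
]


def gravatar_style_hash(email: str) -> str:
    """Unsalted MD5 of the trimmed, lowercased address (Gravatar's public scheme).
    Anyone can recompute it, so it identifies rather than protects the address."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def build_lookup(candidates):
    """Precompute hash -> address for every candidate. This cheap table is all that
    'cracking' unsalted identifier hashes requires; no weakness of MD5 is needed."""
    return {gravatar_style_hash(e): e.strip().lower() for e in candidates}


def reverse_hashes(leaked_hashes, lookup):
    """Map each leaked hash to a recovered address, or None when no candidate matches."""
    return {h: lookup.get(h) for h in leaked_hashes}


def keyed_identifier(email: str, key: bytes) -> str:
    """Hardened alternative (assumed design, not Gravatar's): HMAC-SHA256 under a secret
    the service never publishes. Without the key no dictionary can be precomputed."""
    return hmac.new(key, email.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


def demo():
    # Constructed 'leak': two addresses present in the candidate list, one that is not.
    leaked = [gravatar_style_hash("alice@example.com"),
              gravatar_style_hash("bob.smith@example.org"),
              gravatar_style_hash("unguessed@example.com")]
    lookup = build_lookup(CANDIDATE_EMAILS)
    recovered = reverse_hashes(leaked, lookup)
    # Same candidate list against keyed tokens: nothing matches without the key.
    key = secrets.token_bytes(32)
    keyed_leak = [keyed_identifier(e, key) for e in CANDIDATE_EMAILS]
    keyed_recovered = reverse_hashes(keyed_leak, lookup)
    return recovered, keyed_recovered


if __name__ == "__main__":
    rec, keyed_rec = demo()
    print("unsalted MD5: recovered", sum(v is not None for v in rec.values()), "of", len(rec))
    print("keyed HMAC:   recovered", sum(v is not None for v in keyed_rec.values()), "of", len(keyed_rec))
```

The takeaway for anyone publishing per-user tokens: a hash of a low-entropy, guessable input is a stable identifier, not a secret, regardless of which hash function is used.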

News for the WordPress Professional

Patchstack Opening To Product Hunt

— It was great to see WordPress security service Patchstack on ProductHunt recently! 🙂 A year ago Patchstack acquired ThreatPress, which had collected information about WordPress-related security vulnerabilities since 2014 or so. After the acquisition, the vulnerability database was made available to the public. Patchstack's commercial product expands their security monitoring service. Although Patchstack is not new, it's always nice to see diversity and growth in the WordPress security space, especially among those serving the general public.

Not Everything Is WordPress's Fault

Jack Kitterhing, Product Manager at LearnDash, explains why it might not be a good support response if a customer shows you a problem and you say "It's not us, it's WordPress." This is especially bad when you offer a platform plugin, like an LMS or Membership Plugin. Having great documentation helps, but in order to offer good support, "you need to be able to step up and help users with issues outside of your immediate plugin functionality." You aren't building their site for them, but "don’t pass the buck between plugin, theme, hosting." Jack also suggests ways to please customers even before they get to support: "Easier to use plugins are a good thing. Very few people want something to be complex, and complexity for the sake of complexity is never a good thing." 🔌

Black Friday in WordPress is Unstoppable: What We Learned in 2021

Alex Denning shared results of Black Friday sales from 300 WordPress businesses. One clear conclusion is that discount levels go up as prices go up: "a product priced $100 was discounted on average 33%, but a product priced $250 was discounted on average 39%." 20% of the sales included a "lifetime" option. Hello bars and countdown timers are being used more, and despite some evidence of "fake deals" in the marketplace, this survey ensured "everyone claiming to have a sale actually had discounts." Meanwhile, several companies are sharing their post-Black Friday results. We're happy to hear that Weglot was able to donate €35,000 from their "donation instead of deals" campaign over the holiday weekend. 🎁

Surge: A Simple Page Caching Plugin for WordPress

— After some experiments dealing with speed and performance on his blog, Konstantin Kovshenin has released his "simple page caching plugin" for WordPress for testing and feedback. Called Surge, Konstantin's plugin stores cache files on the filesystem, which leverages the Linux kernel page cache for in-memory caching and invalidation. It's so simple that it doesn't have a settings or configuration screen: "There is no learning curve, the plugin works just by activating it." Konstantin explains why he had to roll his own cache plugin: "...a WordPress site can not be considered production-ready without a page caching layer... but unfortunately none of the available options were a great fit... all I wanted was a page caching plugin, not a rocket (no pun intended)." You can also read Roy Tanck's initial impressions of Surge. 🌊

WordPress: Where It’s Headed in 2022

Brian Francoeur shares his opinion on where WordPress might be headed in 2022 but not before mentioning some of its strengths and weaknesses. Brian had doubts, but 2021 was a turning point for him:
"If you were to ask me a couple of years ago, I would have predicted that WordPress would start to lose market share... some of the changes that occurred over the past year were impressive, but the development of a WordPress Performance Team... along with the increased adoption of GatsbyJS (Headless WordPress), and a new editing experience that promises to simplify page-building... I stand corrected."

WordPress and web3

— It's getting difficult to avoid reading about web3, cryptocurrencies, or NFTs. Gary Pendergast offers his take and explains how they can relate to WordPress. Regardless of your own views, this is a point (taken in its full context) I think most people can agree with:
"Just because a particular piece of software is not the optimal technical solution doesn’t mean it won’t become the most popular. Market forces can be a far stronger factor than technical superiority."

Post Status Announcements

29 Days Since Last Acquisition

November 15, 2021 - LiquidWeb Acquires Modern Tribe


👉 We’ve created a page for WordPress acquisitions going back to 2007. We’d also like to gather major investment data. Help us make this table more complete by adding additional deals, data, and links.

Listen To The Latest Post Status Podcast:

Fri 12/10 - Post Status Excerpt (No. 36) — Help Needed: WordPress Docs Team

Subscribe via iTunes, Google Podcasts, YouTube, Stitcher, Simplecast, or RSS. 🎧
