Category: Technology

Back on WordPress.org (again)

It wasn’t too long ago that I moved to WordPress.org after an almost three-year absence, and then quickly moved back to WordPress.com. I had a lot going on and just wasn’t ready to take the plunge. Now, I am ready to take the plunge, and here I am, again.

I could re-hash all of the reasons why I want to be self-hosted on WordPress.org rather than staying on WordPress.com, but you should really just read the original post linked to above. Nothing has really changed except for the plugins used and how I’m hosted.

Rather than being hosted on DreamHost’s standard shared hosting service, I’m now on DreamPress, their managed WordPress hosting service. Think of it as a special server which only hosts WordPress and is therefore designed to serve every aspect of it as quickly and perfectly as possible. That is a severely watered down explanation of it, but I figured you could get all of the juicy details from the link. 🙂

Plugin-wise, I’m starting out with Jetpack for tons of features, Akismet for anti-spam, VaultPress for backups, Google XML Sitemaps for sitemaps, and a few different plugins for security which I won’t be disclosing this time around. 😉

Big thanks to Mike Schroder and Mika Epstein for both occasionally encouraging me to go back to being self-hosted and for essentially creating DreamPress, Zandy Ring for making sure that everything was moved properly, and Kathryn Presner, Caroline Moore, Lance Willett, and Ian Stewart for being totally cool with me occasionally ambushing them with theme questions.

Here’s to many more years self-hosted on WordPress.org, filled with the usual combination of fun, mistakes, and self-education.

Category: Technology

Disclosing a Security Vulnerability

Some of you are coming here from a site where this blog was apparently featured as an example of how to exploit a security vulnerability. I won’t link to it, because what that individual did was irresponsible, but it gives me the opportunity to hopefully educate some people.

There are many ways to disclose a security vulnerability, but the only right way and the only responsible way is to do it privately. If you publicly disclose a security vulnerability, you have made the world aware of both its existence and how to exploit it, endangering thousands (perhaps millions) of unsuspecting users. You are not the hero when you publicly disclose a security vulnerability, you’re the villain.

Many developers and companies have multiple ways to contact them privately. If you have found a security vulnerability, contact the developer or company privately via their official security report system or any private contact method you can find. If you can’t find one, contact them publicly and ask them to get in touch with you because you have found a security vulnerability. Any good developer or company will reply immediately via a private channel. Once you have privately disclosed the vulnerability, give them a few days to resolve the issue while it’s still known only to you, and feel free to publicly disclose it once the security vulnerability has been removed.

Be responsible by disclosing security vulnerabilities privately, not publicly.