It also would be a lot less useful. A lot of content is published through WordPress.
I suspect an effective approach would be encouraging ways to make WP more secure, or publish a secure platform that can easily be transitioned from WP.
Similarly, the xz breach was uncovered by a diligent developer looking at quirky SSH login performance regressions.
But we are getting so much faster, and networks are doing so much weird inscrutable stuff now that it’s a lot harder at baseline. And, of course, the baddies are getting sneakier, too, and we are building systems from more components from more diverse sources.
I worry about the long term picture a lot; does all of infrastructure become a little untrustworthy at baseline?
Isn’t that a scenario that is better?
If you stop trusting potentially insecure systems you start developing hard and solid ones.
I don’t worry about deepfakes or AI malware, I welcome it. It’s stupid that we have insecure systems like unencrypted emails, social security cards, unsigned documents, passwords in PIN codes alone, etc.
More components; recursive dependencies; more remote infrastructure; these are the directions the world is going, and the stuff we need to manage this complexity is not keeping up.
You can only fight it with fewer components, fewer recursive dependencies, and less remote infrastructure.
While at the same time, I believe the purpose of all things is to increase their entropy.
So… I think that is the next filter or natural selection for us. That we make this so complex we crash, or we get better.
This was the argument against WiFi encryption in the old days (who cares about WiFi encryption, the network is assumed evil, so your messages should be encrypted rendering WiFi security moot). Which actually seemed pretty compelling to me. Nowadays, of course, someone will hop on your WiFi and download a bunch of movies without authorization, giving you copyright headaches. But that’s authentication…
It's funny how the copyright lobby as brainwashed us so much that the worse you can think of someone in your wifi can do is download movies. What about, you know, actual crime? Wire fraud, planning terrorist attacks etc from your network? But we think of downloading movies.
But if you want to download movies, an open nearby wifi sounds close and convenient.
I didn’t see anything in the article but I may have missed it.
The most recent update at the top of the page should probably be "Update 7-12-2025 06:00 UTC" instead of the current future date of 08-11-2025. I think the author incremented the wrong digit.
Gravity Forms is a very popular premium WordPress plugin.
I maintain a handful of WordPress sites (wouldn't have been my choice of platform but whatever) and the design and functionality of Gravity Forms is better than most (aside from it being CPU-hungry). It doesn't generally give me trouble and as a developer I've been happy with how Rocket Genius have interacted with me when I've filed trouble tickets.
A pretty substantial number of small and mid-tier orgs have Gravity Forms installed. I don't know the numbers — the wordpress.org popularity stats mainly reflect installation of free plugins not premium — but there should be a lot of sites handling a lot of traffic.
EDIT: That's the number of sites which could have been affected. Fortunately only a small number of sites actually got the compromised package because it didn't enter the main automatic distribution chain.
> The Gravity API service that handles licensing, automatic updates, and the installation of add-ons initiated from within the Gravity Forms plugin was never compromised. All package updates managed through that service are unaffected.
Phew.
From what I can see, Composer install methods use the same Gravity Forms API to fetch the install package as the auto-update feature within the plugin. Their WP-CLI plugin uses the same mechanism too.
It will be interesting to see if the Gravity Forms developers engage a third party security firm to investigate this incident. So far they have not mentioned it.
[0] https://www.gravityforms.com/blog/security-incident-notice/
Web forms and especially the business logic powering them in the backend can quickly become very complex. Just check out some templates you get out of the box https://www.gravityforms.com/form-templates/
I don’t use Wordpress, but this seems like an actively developed, supported, quality plug-in.
This entitled assumption that nothing should cost money up front is hurting everyone in they long run because it drives developers into monetising using ads and invasive tracking.
For many people with Wordpress sites they’re going to spend way more than that having someone setup the forms for them.
mpol•7mo ago
jimjambw•7mo ago
theglenn88_•7mo ago
stuartjohnson12•7mo ago
astura•7mo ago
Nonce is also British slang for alleged or convicted sex offenders, especially ones involving children.
4ndrewl•7mo ago
mijoharas•6mo ago
At least that way it stops me from making childish jokes.
MarkusQ•6mo ago
darknavi•6mo ago
projektfu•6mo ago
brewtide•6mo ago
I've never been happier to just, check, before clicking a submit button.