Dear WordPress

In many ways you are wonderful, but you really need to think about how you release new versions of WordPress. We’ve had, what, two emergency versions in as many weeks, due to security vulnerabilities. But that’s just part of it. WordPress 2.8 was released June 10, 2009. We are now up to 2.8.4. So, that means there have been 4 new versions in two months. That’s ridiculous and sounds more like the Keystone Cops than professional software development.

Instead of frantically pumping new (and obviously poorly tested) versions out the door, you need to do what the pros do. Release one, maybe two versions each year and test them thoroughly first. A solid testing suite might well catch those vulnerabilities and bugs before you ship the new version.

That’s what Drupal does: they have automated testing that patches the code and runs tests against it. That’s what most software vendors do. WordPress needs to do the same.


  1. Where’s the Dear Firefox post? Or the Dear Windows post? Or the Dear Adobe Flash post? Or the Dear VLC post? Or Dear AdBlock Plus?

    They’ve all had more frequent updates than WordPress. If they didn’t put out updates, we’d complain that they never update their software.

    Maybe Drupal or Ruby test the hell out of every version they put out. They also suck, which is why you and everybody else is still using WordPress.

    • Drupal doesn’t suck and has an enthusiastic user base. And yes, they test everything like crazy. Crooks and Liars went to Drupal a while back because, among other things, a stress test showed it could take way more simultaneous users than WordPress without having problems. It wasn’t even close. Drupal scales way better.

      You don’t think 4 minor updates in 2 months is getting Mickey Mouse? Drupal doesn’t do that. Why? Because they test better. Nor do Firefox, Adobe, and Windows update that much. Why so defensive about WP?

      • Um…the current Drupal download is 6.13. Let’s see, at one or two versions a year, Drupal 6.0 must have been released somewhere between 1996 and 2003, right?

        Hey, that’s pretty impressive!

        • The first release of Drupal was Jan. 2001. As it turns out, they have incremental releases too, but apparently not as many as WordPress. Being as both are open source, this does mean no one gets paid to release by a certain date.

          Do Apache, PHP and MySQL release many updates?

          And again, 4 WordPress updates in two months is too many and indicates they need to do better testing first.

          • You specifically cited Firefox and Drupal as examples of how release should work. Let’s stick to them, shall we? Clearly, WordPress is not in some different universe than Firefox and Drupal, with respect to frequency of releases.

            On the whole, I like the idea of prompt responses to critical problems. Especially when upgrading is as straightforward as it is with WordPress. For the last I-don’t-remember-how-many WordPress upgrades, I’ve clicked the upgrade button, and that’s the end of it.

            Firefox likewise has a painless upgrade procedure, and a fairly frequent upgrade requirement.

            Drupal? I don’t really know. Can you upgrade Drupal with a single click? I’m doubtful, but maybe.

          • Drupal doesn’t have one-click upgrades but from what I’m told, has a systematic approach to putting code into the core, testing extensively, then releasing it. WordPress is much more haphazard in how they do it.

          • I could see more grounds for complaint if upgrades were hard, or if upgrades were introducing new bugs. By and large, though, neither seems to be the case for WordPress. Not that they’ve never introduced a bug, but the 2.8.x series, for example, didn’t.

            2.8.1 went through two betas and an rc. 2.8.2/3/4 were spot fixes for newly discovered security vulnerabilities, and I’m happy that they were promptly available.

            Drupal 6 has had roughly a release a month, I think, mostly triggered by critical security vulnerabilities. It’s obvious that whatever testing they did for 6.0 didn’t catch all the vulnerabilities and bugs.

            At any rate, I’m not really sure what point you’re trying to make. WP shouldn’t release prompt security patches? Or they shouldn’t have security vulnerabilities? A patch a month is cool, but any more than that is unacceptable?

            My view is that there are going to be vulnerabilities, and that they should be fixed asap. The fixes should be as easy to install as possible, so that users are encouraged to keep up to date.

            I’m sure there’s room for improvement, but on balance the WP folks seem to be doing a pretty decent job.

          • Ok, maybe I was a bit hard. But software developers sometimes do push stuff out the door too fast.

      • It’s not in defense of WordPress, it’s that the problem you’re referring to plagues MOST software. Firefox has had 4 updates in the last 2 months. Windows updates every other week. There have been 9 or 10 updates to VLC this year. Adobe Flash has updated 3 times in 2009. Tweetdeck? Miro?

        Updates happen. You should be used to it by now. These programs are FREE and vastly enrich your life, can you not deal with a small file download every now and again? Especially if it helps or makes it better? Perhaps it’s a generational issue.

        I think Bart Simpson said it best: “They’ve given you thousands of hours of entertainment for free. What could they possibly owe you? If anything, you owe them.”
