WordPress Changes – Poll – Kept in the Dark ?

Others in this series are Start – Herded ? Kept in the Dark ? Valued Customer ?  and more to come. Workarounds are here.  My standby blog is http://freedfromtime.blogspot.co.uk/

Purpose

It is now evident that WP management will not pay attention to customers disquiet and have opted for obstinate.  It also evident that they have kept some motives hidden (see below).

The only option left is to seek a change of management by alerting investors via the tech-media.  The forums and this opportunity to vote is a means of doing so.

---

 1.  Behind the Scenes

The recent changes are not just about the appearance on mobile phones. There is further enterprise involved and perhaps the real reason for being so stubborn and rash in it’s implementation.

The following applies to any WP hosted blog and any using Jetpack.

A system known as Rest-Api is being installed. The system plants a Rest-Api cookie bundle on your computer.  The new user-interface does not work without it. 

The the Rest-Api system provides three facilities.

• Publicly available access to your posts/comments/likes. There is nothing new there, except that some further information is provided (e.g. the ID’s of visitors).

• If you give permission, remote access to your blog/image-library for the purposes of allowing a service (e.g. a printing company) to download content.

• If you give permission, remote access by a developer. Access may include your statistics, the ability to create/edit/delete posts and whatever else you provide permission for.

Further information is available  in sections  2 and 3.  Otherwise jump to sections 4-6 .

---

 2.  Public/Limited Access

You might try clicking on some of these (I’ve kept it to the 4 most recent)_:-

Revealing my 4 most recent posts, or anybodies.

https://public-api.wordpress.com/rest/v1/sites/freedfromtime.wordpress.com/posts/?number=4&pretty=1

Revealing my 4 most recent comments, or anybodies, with information about the commenter.

https://public-api.wordpress.com/rest/v1/sites/freedfromtime.wordpress.com/comments/?number=4&pretty=1

Revealing my 4 most recent Likes, or anybodies,  on a post with information about the Liker. The Post ID for this is “1” (my About page but may not be the same for you). Otherwise you will need a Post ID which can be obtained from the first link.

https://public-api.wordpress.com/rest/v1/sites/freedfromtime.wordpress.com/posts/1/likes/?number=4&pretty=1

Each of these will open in a new Tab. You can change the Blog name and you don’t have to be logged in to your account in order to use them.  However, Private and Password Protected are not shown unless you are logged in and add “&status=any”.  Note: Pretty=1 makes it readable.

Further content is available, when logged in and/or for a developer who has a Blogger’s permission. (see Section 3).

2.1  Whats the problem.

This does provide further information such as numeric ID’s for Blog, Post, Author and Comment relating to yourself and your visitors.

2.2  A Greater Concern

One might consider this point a breach of security. Usually half the battle for a hacker is knowing one’s Log-in name/User name. With WordPress one’s Display name is often the same as one’s Log-in name/User name. However some have wisely hidden there User name behind a different Display name. The above Links reveal any hidden Log-in/User name.

To test this I have temporarily changed my Display name. Take another look at the first Link and you can see my Display name (Graham With Hats) and the hidden Log-in/User name (grahaminhats).

It is of course too late for me to hide my User name, as this is already attached to previous posts/comments. But, those who took that extra precaution, from the start of their Blogging, have been let down.

I debated whether to release this information but, considering that the content is now publicly available, it seemed better to make it known to Bloggers.

Given the present situation there seems no point in changing one’s User name (you can’t change it back) or Display name. Therefore, we must rely on strong Passwords. One form of strong Password, for recent times, is a phrase of three or four words that has a personal meaning.

3.  Full Access

With a bloggers permission a remote service provider (e.g. printing company) or developer may have a limited or complete access to your site using the Rest-Api system. That access relies upon a new cookie bundle “public-api.wordpress.com” on your browser. None of the new UI (Stats, Editor and Notifications) will work without it. However, unless you are adept at cookie management, I don’t recommend trying this.  One can lose the ability to comment/like on other blogs if one cannot fully restore cookies.

The full range of Gets (view) and Puts (create/change), available with a Bloggers permission, can be found by clicking here.  Full access can include Private and Password Protected.

Some Gets (as with the links above) are available to anyone.

A developer console here provides extended access when logged in to one’s account or for a person who has the blogger permission.  When using the developer console; to see the full return, click on the bottom left arrow of the brief return.

3.1  The Possible Problems

3.1.1  Security

Access is acquired using OAuth2 authentication. That method has been entirely disavowed by the lead author, who has removed his name from all specifications. His main concerns seem to be that, whilst OAuth1 was a protocol, OAuth2 is a framework that includes many musts and must-nots and requires an unusually high level of expertise to make secure. To read his post click here. An extract below:-

“To be clear, OAuth 2.0 at the hand of a developer with deep understanding of web security will likely result is a secure implementation. However, at the hands of most developers – as has been the experience from the past two years – 2.0 is likely to produce insecure implementations.”

3.1.2  Business Worth

Being able to store images from a mobile phone/tablet, upload them to WordPress and then download them to a service provider might be of use to some. However, serious photographers and/or those creating company literature (e.g. pamphlets, brochures etc) are more likely to upload higher resolution images directly to a printing company.

Most of us, if approached by a developer who wants access to our site, would likely respond with “go forth and multiply- off”.

E-commerce companies might want to make use of a developers services to compete. If they’ve got any sense they will use in-house services provided by people who have a deeper knowledge of their company’s business and dedicated to it.

3.1.3  Business Loss

I believe that the new User Interface has been so badly implemented as to deter users in the new enterprise. For instance the Mobile App fails or crashes on some devices and the New Editor doesn’t even have an “Add Contact Form” function.

Existing customers have suffered considerable and pointless nuisance. It has been shown that it takes less effort to keep existing customers than acquire new ones.

---

 4.  A Remaining Mystery

The Rest-Api system is not exactly a secret. Therefore why not tell bloggers what it’s all about. There have been plenty of questions put on the forums and here, including questions to Matt Mullenweg on About WordPress Changes and What We Can Do.  All we’ve been told is that it is “Improved or Upgraded” and that it will be “Neat or Nifty” . Why not tell us the whole truth. What are we, peasants ?

What’s the mystery, why are we being herded and why remove the original stats page (as we have been told will happen).

The manner with which this has been undertaken seems irrational and unnecessarily forceful. This leads me to think that there is more to discover.

None of this nuisance seems necessary for the implementation of the new functions. Is it necessary for a fuller implementation or to Beta test it on the present customer base or are there others looking on and want to see it “neat” ?  Others like Tiger Global who have invested and also have investments in mobile and e-commerce interests.  Or, is it a “Just Do it” or “Plough on” or just plain daft attitude or a need to meet deadlines or are control issues involved ?

Perhaps, with new system, it is possible to monitor the Stats that we take an interest in.

Insights and conjectures will be welcome as comments, together with anything else you might wish to say

5.  Did You Know  ?

I’ve looked for the below item on the company blog and the the Daily Post.  There does not seem to be any mention of it anywhere on WordPress.

http://www.pcworld.com/article/2158771/wordpress-com-vulnerable-to-account-hijacking.html

It has probably been fixed by changing to https and the introduction of what looks like a security cookie. But, that login cookie still has a three-year expiry date unless you have a .com, in which case it expires at the end of the browser session.

 

6.  Kept in the Dark ?

Do you feel Kept in the Dark ? This is hardly transparent. There is an opportunity to vote by clicking on a Like in the appropriate comment box below. The third comment box has a link to commentary with replies available.

Please spread the word by Linking, Sharing, Reblogging, or however you think best, so that others have the opportunity to view and vote.

Thank you for taking the trouble to visit.

---

* Automattic employees may comment but may not vote. * For surety, I have not used PollDaddy because it is owned by Automattic.

---

⇐ Herded ? ……… Valued Customer ? ⇒