WordPress Changes – Behind the Scenes

1. Behind the Scenes

The recent changes are not just about the appearance on mobile phones. There is further enterprise involved and perhaps the real reason for being so stubborn and rash in it’s implementation.

The following applies to any WP hosted blog and any using Jetpack.

A system known as Rest-Api is being installed. The system plants a Rest-Api cookie bundle on your computer. The new user-interface does not work without it.

The Rest-Api system provides:-

• Easier Application Programming

• Publicly available access to your posts/comments/likes. There is nothing new there, except that some further information is provided (e.g. the ID’s of visitors).

• If you give permission, remote access to your blog/image-library for the purposes of allowing a service (e.g. a printing company) to download content.

• If you give permission, remote access by a developer. Access may include your statistics, the ability to create/edit/delete posts and whatever else you provide permission for.

2. Public/Limited Access to Our Blogs

You might try clicking on some of these (I’ve kept it to the 4 most recent). Each of these will open in a new Tab. You can change the Blog name and you don’t have to be logged in to your account in order to use them. However, Private and Password Protected are not shown unless you are logged in and add “&status=any”. Note: Pretty=1 makes it readable.

Revealing my 4 most recent posts, or for whichever blog is named.

https://public-api.wordpress.com/rest/v1/sites/freedfromtime.wordpress.com/posts/?number=4&pretty=1

Revealing my 4 most recent comments received, or for whichever blog is named, with information about the commenter.

https://public-api.wordpress.com/rest/v1/sites/freedfromtime.wordpress.com/comments/?number=4&pretty=1

Revealing my 4 most recent Likes recieved, or for whichever blog is named, on a post with information about the Liker. The Post ID for this is “1” (my About page but may not be the same for you). Otherwise you will need a Post ID which can be obtained from the first link.

https://public-api.wordpress.com/rest/v1/sites/freedfromtime.wordpress.com/posts/1/likes/?number=4&pretty=1

Further content is available, when logged in and/or for a developer who has a Blogger’s permission. (see Section 3).

2.1 What’s the problem.

This does provide further information such as numeric ID’s for Blog, Post, Author and Comment relating to yourself and your visitors and, it seems, slows normal access.  Added to this, the design and function are generally considered as inferior to the previous User Interface.

2.2 A Greater Concern

One might consider this point a breach of security. Usually half the battle for a hacker is knowing one’s Log-in name/User name. With WordPress one’s Display name is often the same as one’s Log-in name/User name. However some have wisely hidden there User name behind a different Display name. The above Links publicly reveal any hidden Log-in/User name.

3. Full Access to Our Blogs

With a bloggers permission, a remote service provider (e.g. printing company) or developer may have a limited or complete access to your site using the Rest-Api system. That access relies upon a new cookie bundle “public-api.wordpress.com” on your browser. None of the new UI (Stats, Editor and Notifications) will work without it. However, unless you are adept at cookie management, I don’t recommend trying this. One can lose the ability to comment/like on other blogs if one cannot fully restore cookies.

The full range of Gets (view) and Puts (create/change), available with a Bloggers permission, can be found by clicking here ⇒. Full access can include Private and Password Protected.

Some Gets (as with the links above) are available to anyone.

A developer console here ⇒ provides extended access when logged in to one’s account or for a person who has the blogger’s permission. When using the developer console; to see the full return, click on the bottom left arrow of the brief return.

3.1 The Possible Problems

3.1.1 Security

Access is acquired using OAuth2 authentication. That method has been entirely disavowed by the lead author, who has removed his name from all specifications. His main concerns seem to be that, whilst OAuth1 was a protocol, OAuth2 is a framework that includes many musts and must-nots and requires an unusually high level of expertise to make secure. To read his post click here ⇒. An extract below:-

“To be clear, OAuth 2.0 at the hand of a developer with deep understanding of web security will likely result is a secure implementation. However, at the hands of most developers – as has been the experience from the past two years – 2.0 is likely to produce insecure implementations.”

He also wrote “When compared with OAuth 1.0, the 2.0 specification is more complex, less interoperable, less useful, more incomplete, and most importantly, less secure”.

3.1.2 Business Worth

Being able to store images from a mobile phone/tablet, upload them to WordPress and then download them to a service provider might be of use to some. However, serious photographers and/or those creating company literature (e.g. pamphlets, brochures etc) are more likely to upload higher resolution images directly to a printing company.

Most of us, if approached by a developer who wants access to our site, would likely respond with disinterest.

E-commerce companies might want to make use of a developers services to compete. But, if they’ve got any sense they will use in-house services provided by people who have a deeper knowledge of their company’s business and dedicated to it.

3.1.3 Business Loss

I believe that the new User Interface has been so badly implemented as to deter users in the new enterprise.

Existing customers have suffered considerable and pointless nuisance.

It has been shown that it takes less effort to keep existing customers than acquire new ones.

WP Reader Changes ⇐

WP Changes – Accessing the old system ⇐