Envato Market Themes
The company has identified more than 1,000 items sold through its marketplace that may be affected by this vulnerability. While many of the products have already been patched, some theme authors have not yet patched theirs. Given the severity of this vulnerability and how easy it is to exploit, the marketplace is provisionally deactivating themes that have not yet been patched:
First, we will start by deactivating affected themes that have not been updated and contact the authors of those themes to get an update as soon as possible. It will take a while as there are many themes that need to be checked by hand. The next problem, even once the patch is applied, is getting users to update.
A lot of themes don't have an automatic update system to alert users, and WordPress users don't always apply updates when they're available, for fear of breaking something. Envato Market's response is to alert users to the vulnerability by e-mail: All purchasers of the affected items will be contacted directly via their Envato Market e-mail addresses as soon as possible to make sure that they read and act on this information.
Envato Market has issued specific guidance to help customers determine whether they are affected and how to stay updated. When a potential vulnerability affects more than 1,000 items, a silent patch is not acceptable. ThemePunch should have announced this publicly when it first appeared, which could have prevented this vulnerability from being exploited in the wild.
At the end of its article, Envato Market highlights what it is doing to make sure that this does not happen again: There will be policies and procedures in place to make sure such topics get to us more quickly and to help authors make sure their purchasers are updated and patched as quickly as possible.
We'll also come back to how we'll handle updates for packages and themes that contain different plug-ins. These vulnerabilities highlight the risk of theme authors bundling plug-ins with their work. If Envato Market were to deter or even prohibit authors from bundling plug-ins, it would not have to enumerate more than 1,000 potentially affected themes.
As the overwhelming majority of the best-selling Envato themes do not comply with industry best practice, a ban on bundling plug-ins would certainly lead to lost profits. Envato Market appears to have little incentive to respond decisively to the lessons of this vulnerability and to adopt best practice.
Renowned experts in the WordPress community have for years called on theme authors to keep plug-ins separate. In the past, Envato has been slow to respond on best-practice issues. The GPL licensing update last year and the updated theme submission requirements were a good beginning, but authors found ways to bypass the requirements.
Following his experimentation on the topic, Justin Tadlock gives an impression of this practice: On the basis of what I've seen in the forums, many authors are just looking for ways to do what they've already done, but simply put it in a plug-in packaged with their theme. Essentially, they don't want anyone to "steal their code" or really have a great user experience where people come back long after switching to a new theme.
When you pack your plug-in functions into a plug-in that will only be useful with your theme, you're _doing_it_wrong(). That's what I imagine, but I certainly sincerely expect Envato to resist. Tadlock has continued to develop independent plug-ins that authors can use to help build their own products, based on this expertise.
This gives authors the opportunity to concentrate on the theme itself and offers users better data portability via plug-ins. Using standard plug-ins for features is good for users and means less work for theme authors. You can create more themes instead of spending your valuable resources fixing your themes for a slider hole.
Unless Envato Market opposes theme authors who bundle plug-ins, it will continue to face the same vulnerabilities that are making news this weekend.