
Important Plone Hotfix 20150910

by Hawke Robinson published Sep 11, 2015 07:00 AM, last modified Sep 14, 2015 07:23 PM
Important to apply Plone Hotfix 20150910 for registration spam and other security issues.

Plone Security Hotfix - After many years of reporting to the Plone folks in IRC and online that there was a serious problem with registration spam on all my Plone sites (~30), and several months working directly with one of their developers to try to stem the tide through adding on the EmailConfirmationRegistration Product: https://github.com/collective/collective.emailconfirmationregistration/issues/3, they finally found/acknowledged there is a deeper problem, and have released a hotfix today that (hopefully) fixes this years-long problem that affects pretty much every version of Plone.

Many thanks to Nathan Van Gheem & Maurits van Rees for having the patience to help finally track this down.

If you are a Plone Admin, grab the hotfix here today: https://plone.org/news/urgent-action-required-plone-security-vulnerability-hotfix-20150910 . I just implemented this, and will be monitoring it closely. I will post updates on http://techtalk.hawkenterprising.com

My Love-Hate Relationship with Plone
I have had only two major frustrations with Plone: the registration spam issues, and the upgrade process. Other than those two (significant) issues, I have been _very_ happy with Plone. They really seem to have fixed the upgrade issues since about version 4.x of Plone, but the spam registration issue has only become worse and worse.
Due to these two issues, I kept trying to abandon Plone. But every other CMS I tried just didn't compare in the rest of the features, ease of use, and security (other than this one big issue). So I have never been able to replace it with something better. I tried more than 20 different platforms and they just didn't compare favorably. So I just kept limping along with the issue.
I first dabbled with Zope (upon which Plone is built) in the 90's while working at Franklin Covey. It was a good-enough platform for systems administrators, but not really ready for public consumption by non-techies.
Then Plone was added on top, and after a few years of running on a few pilot sites, I eventually converted all my websites over to Zope-Plone around 2004 with Plone 2.x. Plone has made it possible for one person to run so many robust community-based websites very easily, with very few security issues, and a very powerful and friendly CMS.
Though there have been some significant growing pains since the 2.x days, they have been doing a great job.
Since they greatly improved the upgrade issues, my only (ongoing) gripe has been the problem with registration spammers, and hopefully that is finally fixed.

This single issue has all but killed off my community-based sites, so for me it has been a real show stopper. It finally became so bad that about 2 years ago I had to disable user registration on all the sites, and that effectively killed off those communities, though I still kept posting what I could manually. Hopefully now, if the problem is fixed, these communities can come back to the vibrant life they once were.

For example, merp.com once (back around 2004) had over 1.8 million unique visitors per month, and 18,000+ registered users (not counting the additional 10,000 bogus registration spam users). Merp.com is nearly dead now. Hopefully this can be turned around now.

If you haven't tried Zope-Plone, and assuming the spam registration problem is fixed, I can once again highly recommend you should at least try it out.

Cheers!

-Hawke Robinson
