Forum Replies Created

Viewing 6 replies - 1 through 6 (of 6 total)
Thread Starter Domush

    (@domush)

    Thank you so much for the response, Chip! You are a treasure trove of great info.

    Not all commercial Themes are premium, and not all premium Themes are commercial.

    You are too right. I regretted using that wording almost immediately after I wrote it. I, too, find any theme/plugin written by one person tends to be far more chaotic than a team-driven version.

    Again, thanks for the clarifications. I hope this thread serves to help others with the same questions.

Can someone point me in the right direction as to which files handle the output of the image listing, so I can go ahead and write a plugin which allows people to display filenames/titles in the listing?

    I’m just not sure which backend/template files handle the popup pane. This is such a basic feature, it really needs to be added, and if I have to be the one to do it, so be it.

    Any help finding which files to hook/modify?

    Thread Starter Domush

    (@domush)

    Chip, thank you for the helpful response regarding wp.org themes and plugins.

    This, naturally, raises the question as to how the commercial theme/plugin sites are different. If anything which is made from wordpress must be GPL, what stops people from paying for a theme on a commercial site, then simply uploading to wp.org for free?

    That is where my confusion comes in. In reading the GPL FAQ, I can’t see anything which allows people to prevent others from redistributing GPL works (including themes/plugins), for free.

    Why don’t we see premium themes/plugins or slightly modified versions of them on wp.org? Is it a wp.org policy thing or is there a GPL loophole I’m not seeing?

    I’ve wondered this for years, so some clarity on this would be awesome. Thanks again.

I third this. I can’t believe this is not a default option. What is the point of naming images if we can’t see the names while inserting them?

    Please add this basic feature

    Exploiting 101:

    Step 1: When hacking a site, pull up the HTML source code, look for indications of the server running scripts with vulnerabilities.

    Step 2: Search the web for reports of security flaws regarding aforementioned server scripts

    Step 3: Hack said site using exploits matching the version the webmaster so helpfully advertised to you

    It only takes one vulnerability of one version to be very bad news, as when you advertise version numbers (let alone scripts), you are helping the world select the perfect exploit to use.

    Not all exploits are found by white hats and reported. There could be a flaw in any version of any plugin, and so long as they are advertised in html, people are far more at risk.

It is security through obscurity, which is not ideal, but is certainly preferred to advertising “I’ll help you hack me!” in your html source. Even wordpress adds a version # in the html source, and they should absolutely know better.

    To all who wish to remove the wordpress version # from your html, seeing as the topic is here, add this to your theme functions.php file:

remove_action('wp_head', 'wp_generator');

    There may be a similar method to prevent SEO from adding the version # to the html source, but I’m no wordpress developer. I got that code from this security conscious article which warns of exactly what I just mentioned.

Again, Yoast makes a wonderful plugin, but with anything this complex made by one guy, mistakes can happen, and advertising a script and version number does nothing but help hackers hack. The best websites out there are the ones you can’t tell what script they run or, better yet, make you think it is a different script running in a different language.

And as long as there is never, ever a security flaw in his script, everything will be rainbows, until there is a flaw.

    The author has been informed as to how this is a security hole and has expressed how he doesn’t care.

    Some day we’ll all read news as to how someone hacked a host of sites running a specific version of this plugin, and nobody will be guessing how they figured it out.

    The plugin is great and feature packed, but the version number, especially, should never be displayed to the world.
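The one-liner in the post above removes only the generator meta tag. As an added example (not code from the poster, from WordPress, or from the Yoast plugin), the snippet below goes a step further and covers the other places WordPress core itself prints its version: the `the_generator` output used in feeds, and the `?ver=` query strings appended to enqueued scripts and styles. It assumes it is placed in the active theme's functions.php or in an mu-plugin; the hook names and helper functions are WordPress core ones, and `example_strip_version_query` is a name chosen for this example.

```php
<?php
/**
 * Added example, not from the forum post: remove the version fingerprints
 * that WordPress core emits into the HTML and feeds.
 * Assumes it lives in the active theme's functions.php or an mu-plugin.
 */

// 1. Drop the <meta name="generator" content="WordPress x.y"> tag from <head>.
remove_action( 'wp_head', 'wp_generator' );

// 2. The same version string is also printed into RSS/Atom feeds through
//    the_generator(); returning an empty string from its filter blanks it there too.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Enqueued scripts and styles get a ?ver=<version> query string that leaks
//    the core (or plugin/theme) version. Strip the "ver" argument from those URLs.
//    Name "example_strip_version_query" is this example's own.
function example_strip_version_query( $src ) {
    if ( is_string( $src ) && false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
// High priority so this runs after other plugins have finished adjusting the URL.
add_filter( 'style_loader_src',  'example_strip_version_query', 9999 );
add_filter( 'script_loader_src', 'example_strip_version_query', 9999 );
```

Two things to keep in mind when using this: the `ver` query string also serves as cache busting, so after stripping it you need another way to force browsers to reload changed assets (for example a hash in the filename), and removing these strings only hides the version, it does not change which version is running, so keeping core and plugins updated is still what actually closes a known flaw.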
