Hacker News: appendix-rock's comments

I don’t follow the logic here. There seems to be an implication of ulterior motive but I’m not seeing what it is. What aspect of ‘privacy’ offered by a VPN do you think that Reddit / LinkedIn are incentivised to bypass? From a privacy POV, your VPN is doing nothing to them, because your IP address means very little to them from a tracking POV. This is just FUD perpetuated by VPN advertising.

However, the undeniable reality is that accessing the website with a non-residential IP is a very, very strong indicator of sinister behaviour. Anyone that’s been in a position to operate one of these services will tell you that. For every…let’s call them ‘privacy-conscious’ user, there are 10 (or more) nefarious actors that present largely the same way. It’s easy to forget this as a user.

I’m all but certain that if Reddit or LinkedIn could differentiate, they would. But they can’t. That’s kinda the whole point.


Not following what could be sinister about a GET request to a public website.

> From a privacy POV, your VPN is doing nothing to them, because your IP address means very little to them from a tracking POV.

I disagree. (1) Since I have JavaScript disabled, IP address is generally their next best thing to go on. (2) I don't want to give them my IP address to correlate with the other data they have on me, because if they sell that data, now someone else who only has my IP address suddenly can get a bunch of other stuff with it too.


At the very least, they're wasting bandwidth to a (likely) low quality connection.

But anyone making malicious POST requests, like spamming ChatGPT comments, first makes GET requests to load the submission and find comments to reply to. If they think you're a low quality user, I don't see why they'd bother just locking down POSTs.


SQL injection?

GET parameters can be abused like any parameter. This could be SQL, could be directory traversal attempts, brute-force username attempts, you name it.
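To make the point concrete, here is an added illustration that is not part of the thread: a handler for a `?name=` parameter and one for a `?file=` parameter, each shown in the defective form the comment is warning about and in a hardened form (parameterised query, containment check on the resolved path). The `users` table, its two rows and the `/srv/www/docs` document root are constructed for the demo; only the Python standard library is used.

```python
"""Added illustration (not from the thread): why a GET parameter is not
"just a read". Two handlers, each in a vulnerable and a hardened form.
The users table, its rows and the document root are constructed for the
demo; standard library only."""
import pathlib
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """?name= pasted straight into the statement: the query text itself is
    now under the client's control (SQL injection)."""
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Parameterised query: the driver passes the value separately from the
    SQL text, so no input can change the statement's structure."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def resolve_document_vulnerable(base_dir, requested):
    """?file= joined onto the document root with no containment check
    (directory traversal)."""
    return pathlib.Path(base_dir, requested)


def resolve_document_safe(base_dir, requested):
    """Normalise the joined path and refuse anything outside the document
    root. Returns None for a rejected request rather than raising, so the
    caller can answer 400/404 and log it."""
    base = pathlib.Path(base_dir).resolve()
    target = (base / requested).resolve()
    if target != base and base not in target.parents:
        return None
    return target


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR 'a'='a"  # textbook probe, used only to contrast the two lookups
    print("safe:      ", lookup_safe(db, probe))        # []
    print("vulnerable:", lookup_vulnerable(db, probe))  # both e-mail addresses
    print(resolve_document_safe("/srv/www/docs", "guide.txt"))
    print(resolve_document_safe("/srv/www/docs", "../../etc/passwd"))  # None
```

The hardened path check compares against the resolved root rather than looking for `..` substrings, so encoded or absolute inputs are rejected for the same reason as plain traversal: the normalised target is simply not under the root.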


If your site is vulnerable to SQL injection, you need to fix that, not pretend Cloudflare will save you.


Obviously. But I was responding to "what is sinister about a GET request". To put it a slightly different way, it does not matter so much whether the request is a read or a write. For example DNS amplification attacks work by asking a DNS server (read) for a much larger record than the request packet requires, and faking the request IP to match the victim. That's not even a connection the victim initiated, but that packet still travels along the network path. In fact, if it crashes a switch or something along the way, that's just as good from the point of view of the attacker, maybe even better as it will have more impact.

I am absolutely not a fan of all these "are you human?" checks at all, doubly so when ad-blockers trigger them. I think there are very legitimate reasons for wanting to access certain sites without being tracked - anything related to health is an example.

Maybe I should have made a more substantive comment, but I don't believe this is as simple a problem as reducing it to request types.
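The read-side abuse described in the comment above shows up in a resolver's own logs as many small queries answered with very large responses. As an added example that is not part of the thread, the following script parses a constructed resolver log (the line format, addresses and byte counts are all made up for the demo) and flags source addresses whose reply bytes outweigh their query bytes by a large factor. The thresholds are assumptions; standard library only.

```python
"""Added illustration (not from the thread): spotting amplification in a
resolver log. Log format, addresses, sizes and thresholds are constructed
for the demo; standard library only."""
import re
from collections import defaultdict

# Constructed resolver log: timestamp, source address, query type, name,
# request and response sizes in bytes. 198.51.100.9 plays the forged
# "victim" address: it never sent the queries but receives the large replies.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.5 A www.example.test req=61 resp=77
2024-05-01T10:00:01Z 203.0.113.5 AAAA www.example.test req=61 resp=89
2024-05-01T10:00:01Z 198.51.100.9 ANY example.test req=64 resp=3112
2024-05-01T10:00:01Z 198.51.100.9 ANY example.test req=64 resp=3112
2024-05-01T10:00:02Z 198.51.100.9 ANY example.test req=64 resp=3112
2024-05-01T10:00:02Z 198.51.100.9 ANY example.test req=64 resp=3112
2024-05-01T10:00:03Z 192.0.2.77 TXT example.test req=70 resp=1400
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<qtype>\S+) (?P<qname>\S+) "
    r"req=(?P<req>\d+) resp=(?P<resp>\d+)$"
)


def parse_log(lines):
    """Turn raw lines into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["req"] = int(rec["req"])
            rec["resp"] = int(rec["resp"])
            records.append(rec)
    return records


def amplification_by_source(records):
    """Per source address: query count, bytes received and bytes sent back."""
    stats = defaultdict(lambda: {"queries": 0, "req": 0, "resp": 0})
    for rec in records:
        s = stats[rec["src"]]
        s["queries"] += 1
        s["req"] += rec["req"]
        s["resp"] += rec["resp"]
    return dict(stats)


def flag_amplification_sources(records, min_ratio=10.0, min_queries=3):
    """Sources whose replies outweigh their queries by min_ratio over at
    least min_queries queries (thresholds are demo assumptions). Since the
    source is usually spoofed, the fitting response is per-address response
    rate limiting or refusing ANY/recursion, not treating it as the attacker."""
    flagged = []
    for src, s in amplification_by_source(records).items():
        ratio = s["resp"] / s["req"]
        if s["queries"] >= min_queries and ratio >= min_ratio:
            flagged.append({"src": src, "queries": s["queries"], "ratio": ratio})
    flagged.sort(key=lambda f: f["ratio"], reverse=True)
    return flagged


if __name__ == "__main__":
    for f in flag_amplification_sources(parse_log(SAMPLE_LOG.splitlines())):
        print(f"{f['src']}: {f['queries']} queries, x{f['ratio']:.1f} amplification")
```

The single large TXT answer to 192.0.2.77 is deliberately below the query-count threshold: one big response is normal DNS, a stream of them to one address is the pattern worth acting on.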


It's equally easy to forget about users from countries with way less freedom of speech and information sharing than in Western rich societies. These anti-abuse measures have made it much more difficult to access information blocked by my internet provider during the last few years. I'm relatively competent and can find ways around it, but my friends and relatives who pursue other career choices simply don't bother anymore.

Telegram channels have been a good alternative, but even that is going downhill thanks to French authorities.

Cloudflare and Google also often treat us like bots (endless captchas, etc) which makes it even more difficult.


IP address is a fingerprint to be shared with third parties, of course it's relevant. It's not ulterior motive, it's explicit, it's not caring about your traffic because you're not good product. They can and do differentiate by requiring a sign-in. They just don't care enough to make it actually work. Because they are adtechs and not interested in you as a user.


> For every…let’s call them ‘privacy-conscious’ user, there are 10 (or more) nefarious actors that present largely the same way.

And each one of these could potentially create thousands of accounts, and do 100x as many requests as a normal user would.

Even if only 1% of the people using your service are fraudsters, a normal user has at most a few accounts, while fraudsters may try to create thousands per day. This means that e.g. 90% of your signups are fraudulent, despite the population of fraudsters being extremely small.


Was anybody stopped from doing nefarious actions by these annoyances?

It's like at my current and previous companies. They make a lot of security restrictions. The problem is, if somebody wants to get data out, they can get it out anytime (or in). The security department says that it's against "accidental" leaks. I'm still waiting for a single instance when they caught an "accidental" leak, and they are just not introducing extra steps, when at the end I achieve the exact same thing. Even when I caused a real potential leak, nobody stopped me from doing it. The only reason why they have these security services/apps is to push responsibility to other companies.


No. They might trust your professional judgement, and not all professional judgement has roots in academic publications.


Yep. Not that it’s necessarily happening here, but I always…sigh deeply, let’s say, when something that’s described by Americans as “an $x industry problem” is actually ‘an America problem, manifesting in the $x industry’.


That is not at all what’s happened with shortened expiry date requirements so far. Industry has proven that it can largely put these systems in place.


Huh? How do you see that this aspect of the PKI has at all changed with this change?


This, combined with your other responses to this thread, makes it very apparent that you’re more interested in asserting your ignorant view rather than actually learning anything. Please don’t bother commenting. TLS cert prices have crashed to…in most cases, $0, as average certificate validity times have shortened. If there’s any cost relationship at all, it’s the exact opposite of what you’re implying.

If re-signing adds material complexity to your architecture (including the ‘hidden complexity’ of a dev / ops person needing to remember to manually renew a cert every two years) then frankly it sounds like you’ve got larger problems on your hands.

Cynicism doesn’t make you smart.


We've banned this account for repeatedly breaking the site guidelines. Please don't create accounts to break HN's rules with. If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future. They're here: https://news.ycombinator.com/newsguidelines.html.

It's particularly bad to do this when you're knowledgeable and (let's assume) correct on a topic, because then the bad parts of your comment (such as personal attacks) end up discrediting the truth. That doesn't help anyone. https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...


I miss simplicity.

And I could argue that lower prices implies money is made somewhere else. Like how Cloudflare infested half the internet with their free MITM.

But, ye, I should chill a bit on topics like these. I have hard time not ending up in a 'Google etc. is coming for me' rant.


OpenSSH does it “nicely” for you maybe. I’ll maybe even accept “for most users of an SSH client”. This behaviour implemented in a browser is utterly unacceptable. The average user is orders of magnitude less technically capable.

You are not the only user of the software that you use.


No. Didn’t you hear? There’s zero benefits to working in an office, at all. It’s all lies because of commercial real estate or something. /s


This sounds like some sort of attempt at Ultimate Scope Creep. How did we get from ‘licensing faux-issue’ to ‘a complete rebuild with a very complex architecture just to support the plugin ecosystem’?


WP has needed this for a very long time, this is just the proverbial straw breaking the camel's back.


> WP has needed this for a very long time

Said no-one using WP for their website ever.

To a first approximation, about zero people/companies have a problem they need solved which boils down to "I need a replacement for WordPress using a significantly more modern and better architected codebase."

By far the most common problem people are solving by using Wordpress is "I need to be able to fix website errors/typos without calling up a web development agency and waiting 2 weeks and paying $1000, and I need to be able to update my homepage or add new pages which then fit into the menus and site navigation easily". Second most common problem they're solving is "I need a website which is easy and affordable to employ or contract experienced people to edit and manage it for me".

Not a single WPEngine or wordpress.com customer has ever chosen or rejected them because they asked themselves "Is this run on a mess of legacy early 2000s vintage PHP and badly designed MySQL databases, or does the backend run beautifully architected and formatted Rust/Haskell/Go?"


I don’t want to hear it. I’d posit I’ve been working with WP longer than you.

Ask yourself: why did WP engine come into existence?


> I’d posit I’ve been working with WP longer than you.

Perhaps? Maybe I'm older than I look... I've never specialised in WP, but my earliest WP work was on 2.5 back in 2008-ish after I jumped ship from a gruelling (and failing) startup. I was doing mostly WP sites at an agency during 2010-2013 almost all using cPanel shared hosting. In 2014 I moved to a place using Wordpress on Plesk shared hosting which had several really bad downtimes and performance problems, and searching my email the first WPEngine invoice came when I migrated a bunch of those sites to WPE in 2015. I've been happily using and recommending them ever since. Sure there are lots of people with more years' experience, but I've got a good 15 years or so, and I think that means my opinions are at least based in the real world.

WPEngine came into existence, at least from my point of view, because there was so much _bad_ Wordpress hosting available at the time.

My experience with 7 years of shared cPanel/Plesk hosting on random ISPs or some generalised everything-to-everybody domain registry, domain registrar, web hosting company, SEO consultants, internet security snake oil salesmen like GoDaddy or Dreamhost, compared to specialist WP hosting with WPEngine - has been night and day. Where I work now, we happily refer clients looking for $5/month web hosting away to a few sole trader web devs we respect who handle those sorts of customers, and anyone who doesn't bat an eyelid at WPEngine's prices (plus our markup) gets hosted there with all the performance, uptime, and value add benefits they bring to the table.

I'm sure other people have different experiences. I'm sure there are other dedicated WordPress hosting companies out there these days who are as good or better than WPEngine at least for some use cases. I'm sure there are other companies with as good or nearly as good offerings for less money than WPEngine. For me though, they are absolutely worth the extra cost for all the value add they bring alongside WP core and wordpress.org repos - except for people looking for lowest possible cost and are prepared to accept worse performance and less good hosting tools.


I’m sorry that you ran afoul of a CoC or whatever, but this sounds like a real ‘airing dirty laundry’ tangent.


One man's tangent is another man's big picture. It may be the case of course that some people guilty of CoC overreach are shaking in their boots right now because they went further than their corporations wanted them to go.

