If you are not currently using WordPress credentials to sign in, you can safely ignore this post. Otherwise, read on...

WordPress.com has retired OpenID support for blogs created after January 2, 2016. Blogs created before then should still be usable as OpenID credentials, but even then, the support has been getting more and more brittle over the years. In particular, if you have a custom domain for your wordpress.com blog, you can't use that blog to sign in to Stack Exchange. Why? Not entirely sure, to be honest. There's a redirect somewhere that's busted, and as far as I can tell the issue isn't on our end at this point.

With this in mind, we're removing the WordPress button from the login and signup UI to avoid even implying that WordPress is a viable option for signing in if you haven't already.

If you are currently able to log in using WordPress credentials, they will continue to work for as long as WordPress supports them. To log in with your existing WordPress credentials, enter your blog URL into the freeform OpenID field. I strongly encourage you to consider adding another credential as a backup option as well, or at least make sure you have a valid email set in your profile to enable account recovery.

These changes took effect on Monday, November 21, 2016, and are now live.

41  
Are people actually using that? Can you share some statistics? – Patrick Hofman Nov 17 at 22:57
21  
@PatrickHofman About 2000 or so network-wide who have nothing but WP creds and at least one Q&A profile. "Using" is a broad term, though. Most people kite the same session for years, so we can't quite skip the announcement just in case, and we get the occasional bug report. – Adam Lear Nov 17 at 22:58
2  
And those are active users? Or just all that happen to have an account? Also, can't you send them a mail or private message? (Or do you do that too?) – Patrick Hofman Nov 17 at 22:59
45  
@PatrickHofman An inbox notification to affected users linking to this post is gonna go out some time tomorrow. – Adam Lear Nov 17 at 23:08
2  
@PatrickHofman "All that happen to have an account". I actually need to modify my query some to pull up people whose most recently used credential is a WordPress blog. That'll still have some inactive accounts, but will also catch anyone (or no one :)) who added the credential recently and intended for it to be their primary. – Adam Lear Nov 18 at 6:35
1  
Thanks WP, it finally had to go. I hope OpenID gets expired sometime, it's too unsafe. – Έρικ Κωνσταντόπουλος Nov 18 at 12:41
11  
"These changes will go into effect on Monday of next week, November 21." So, half a working day? 28 days' notice would be better, so that people have a chance to see this notice and add new credentials. Or am I missing something? – Lightness Races in Orbit Nov 18 at 13:27
2  
As there’s now one space free … can the Stack Exchange OpenID button come back? – unor Nov 18 at 14:11
9  
questions about wordpress are off-topic for MSE, voting to close ;) – Carrie Kendall Nov 18 at 14:44
2  
@LightnessRacesinOrbit you will still be able to log in with the credentials using the freeform field. – Jacob Raihle Nov 18 at 15:18
1  
@Patrick Hofman: I was, for the longest time. But not anymore, for reasons similar to, but not quite the same, as described here. – BoltClock's a Unicorn Nov 18 at 15:35
7  
@ΈρικΚωνσταντόπουλος Would you mind giving me a pointer to the types of security concerns that exist with OpenID? I'd like to know about that. (If not, I'll take a look for myself later when I have time.) – Jeremy Banks Nov 18 at 16:24
2  
@AdamLear Thanks for the inbox notification for affected users. That was a really nice thing to do. I think that as I have a backup login set up, and as the Wordpress login will continue to work for the immediate future until Wordpress stops supporting it, there is no action I need to take right now, but I appreciate being informed about this change, thank you. – ShreevatsaR Nov 18 at 21:02
2  
well, the only open source ID is gone. Hi Facebook and Google, you're my masters and I belong to you. Whatever I do is free for you to do whatever you want, dear binary god – Devin 2 days ago
2  
@AndrewGrimm If this were a "you won't be able to log in at all" case, I'd agree. However, the currently working WordPress credentials will continue to work. This is more a UI change on our end than a deprecation, so I feel an email is excessive in this case. – Adam Lear 2 days ago

Based on the reasons given, it sounds like a reasonable step to remove WordPress as a standard selection option (although with a less than optimal short notice!).

However, having to type in something manually each time will be a pain, so I would suggest that you replace the button with a "My Favorite OpenID Provider" button, which then fills in a user configurable setting.

This will make the issue of What OpenID providers should we feature on the login page? much less of an issue because it would more or less only affect people using OpenID the very first time. This will benefit all non-default selection OpenID users, not just WordPress.

Logic something like the following:

// Offer to remember the provider the first time an OpenID login is used
if (login_method == openid && !user_settings.contains(favourite_openid_provider))
{
   answer = ask("Do you want to save " + sanitize(url) + " as your favorite...")
   if (answer == yes)
   {
       user_settings.save(favourite_openid_provider, url)
   }
}
11  
Where exactly do you see that “favorite OpenID provider” setting stored? Because this is the login dialog, so you cannot have this stored in the user configuration you get access to after the login. – poke 2 days ago
1  
@poke Cookie? Local storage? – D_4_ni 2 days ago
2  
@D_4_ni So the same location the login session itself is stored..? – poke 2 days ago
3  
@poke Yes, but obviously with a longer lifetime, and not cleared by a logout. I don't think there are better ways to store data about the user not sitting behind the login. – D_4_ni 2 days ago
2  
@poke this can easily, but not altogether reliably, be solved with JavaScript's localStorage. – Tiny Giant 2 days ago
    
+1 Certainly something The Powers could consider, actually, independently of the WP login button removal. – yo' yesterday
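
The pre-login storage idea raised in the comments above, as an added JavaScript example (not Stack Exchange's code and not posted by anyone in this thread). The function names and the in-memory storage stand-in are assumptions; the key name is borrowed from the pseudocode in the answer. It stores only a validated identifier URL and validates again on every read, because anything in client-side storage can be edited by the user or by any script running on the origin.

```javascript
// Added example: remember a preferred OpenID identifier on the client, before login.
// `storage` is any object with getItem/setItem/removeItem (window.localStorage in a browser).
const STORAGE_KEY = "favourite_openid_provider"; // key name from the pseudocode above

// Return a canonical http(s) URL string, or null if the input must not be stored or used.
function normalizeOpenIdUrl(input) {
  if (typeof input !== "string" || input.length > 2048) return null;
  let text = input.trim();
  // Users often type "example.wordpress.com"; prepend a scheme only when none is given.
  if (!/^[a-z][a-z0-9+.-]*:/i.test(text)) text = "https://" + text;
  let url;
  try { url = new URL(text); } catch { return null; }
  // Rejects javascript:, data:, file: and anything else that is not a web URL.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // An identifier needs no embedded credentials; refuse rather than persist them.
  if (url.username !== "" || url.password !== "") return null;
  url.hash = "";
  return url.href;
}

// Persist only a validated value; returns what was stored, or null if refused.
function saveFavouriteProvider(storage, input) {
  const url = normalizeOpenIdUrl(input);
  if (url === null) return null;
  try { storage.setItem(STORAGE_KEY, url); } catch { return null; } // quota or private mode
  return url;
}

// Stored data is user-editable and script-writable, so validate again on every read.
function loadFavouriteProvider(storage) {
  let raw;
  try { raw = storage.getItem(STORAGE_KEY); } catch { return null; }
  const url = normalizeOpenIdUrl(raw);
  if (url === null && raw !== null) {
    try { storage.removeItem(STORAGE_KEY); } catch { /* nothing more to do */ }
  }
  return url;
}

// Constructed in-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
```

On a login page the loaded value would be assigned to the OpenID field's `value` property, never written into the page as markup. The value survives logout by design, so it should hold nothing beyond the public identifier URL.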

The timeline on this is far too tight. As LightnessRacesInOrbit remarked:

Half a working day between an announcement and removal of that option?

The only reasonable argument for a transition period this short would be security problems with the WP.com OpenID. And in that case, I'd argue that if it needs to be closed today, it should've been closed last week.

3  
You know you can still log in with it right? Only the button is being removed, you can still manually enter the details. – Cai yesterday
    
@Cai I know and understand it's not a functional change, but seeing it as that just reinforces my doubt about the urgency of removal of that button... – Marcus Müller yesterday
3  
The point is it doesn't work for new users (as in new WP users) and current support is buggy and temperamental through no fault of SE, and leaving that there is bad for UX. If it works for you, great, but it's not something that should be encouraged to anyone not already using it and removing it doesn't functionally affect your ability to log in. – Cai yesterday
    
The point is not that I want to defend the button as-is, I'm just voicing my doubt about the timeline here. Really, I can see that current users of the system possibly won't even have had the chance to log in between the decision to disable the button and the actual removal of the same, and hence, they don't even have a chance to read the message to their inbox. – Marcus Müller yesterday
3  
That's a fair point, but I don't think the timeline is the issue—it's essentially a UI change, nothing else. If notification is the problem then either a note somewhere on the login or an email to existing users would be a better solution. – Cai yesterday
1  
The primary goal here is to give folks who are currently logged in a chance to realize that the login page is changing (and, ideally, that WP.com is not at all dedicated to long-term support for this) and take action. There's no value in dragging that out; indeed, it's probably more confusing if folks see this post and also still see the button hanging around. For folks who aren't logged in, don't have inbox emails enabled and don't know how to use raw OpenID login... We have support via the "contact us" link - but now we're talking about probably a double-digit number of users. – Shog9 1 hour ago

Mmm, bad news for me, since I will not be able to log in from work :(

15  
You can still log in, for as long as WordPress supports it. Just have to put the full blog URL in the OpenID field. – Adam Lear Nov 18 at 22:09
    
Great then, how long will it be supported? – Martin McFly De Luca Nov 18 at 22:14
7  
I have no idea, sorry. That's not under our control. – Adam Lear Nov 18 at 22:17
18  
Only WordPress can know that. Might be one week, might be 100 years. – Shadow Wizard Nov 18 at 22:17
5  
answering like this doesn't seem right. – Mark Yisri Nov 19 at 13:36
6  
@MarkYisri Why not? Here on meta, providing feedback on the question is one of the things answers are for. – rand al'thor Nov 19 at 15:31
    
@randal'thor okay – Mark Yisri Nov 19 at 16:33
2  
I can't consider the downvotes justified. News like this does have bad consequences for specific people. The fact that we (The Powers) can't change it does not mean it shan't be mentioned. – yo' yesterday
2  
@yo' People on this site and all subsets don't understand the effects of downvoting, when to properly downvote, and when to stop downvoting. I don't think any amount of press will stop that behavior. Repeated downvoting is about as useful as subtle vindictive behavior; nobody learns anything. – Anon234_4521 yesterday
    
Why can't you use another login method? – Jop V. yesterday
    
@JopV. Because in the office we have some proxy restrictions for social accounts such as Facebook or Google+, the only one available was WordPress – Martin McFly De Luca yesterday
    
@MartinMcFlyDeLuca Maybe you could use e-mail login? (I don't know where you can set it up though...) – Jop V. yesterday
    
@JopV. I can't remember why it didn't work, but I already tried. Mmm, this is maybe related to the fact I'm registered here via a Facebook account, but at the time I thought it was strange that I wasn't able to access via email address, because I tried with the same email account associated with my Facebook account. – Martin McFly De Luca yesterday
    
@MartinMcFlyDeLuca Yeah, same here. It's supposed to work, but for me it doesn't either... – Jop V. 22 hours ago
    
Controversial posts like these are always interesting, because they show how skewed the weighting of votes is. A -7 score means a 120 rep increase. – Amani Kilumanga 10 hours ago

I can't see what's so hard in keeping the button. Context: I use it.

4  
Discouraging users from using a deprecated login method is reason enough, isn't it? And it's not like you can't log in anymore. – TheFlow0360 yesterday
10  
Because WordPress is slowly discontinuing the feature. It's not something Stack Exchange has control over. – Jop V. yesterday
    
Well, for me it's not deprecated. But anyway, I was close to leaving a comment in my feedback that I don't blame Stack Overflow for WordPress.com's doing. – hakre yesterday
    
Ah and well, move it to the end of the list, make it a third click whatever. I guess from time to time things deprecate. – hakre yesterday
6  
"For me it's not deprecated" Deprecated !== Disabled – Feathercrown yesterday
    
@Feathercrown: I beg your pardon, removal of the button === button disabled. Just in case you missed it: It's more comfortable if it's one or two clicks away instead of copying and pasting in a URL. Maybe auto-form filling makes it less tedious. However, so far I press that button and it did work in the past quite well despite deprecation on wp.com's side, which I was not aware of until this message on this Stack Exchange meta. – hakre 18 hours ago
1  
@hakre Stack Exchange don't want to have a button that some day, because of a third party, stops working. The button might be working now, but there will be a time when it won't, because of WordPress. It's a lot easier to disable the button now, than wait for the exact moment (the timing of which they can't predict), when WordPress disables the service. – Amani Kilumanga 13 hours ago
    
@AmaniKilumanga: Well no objection to that, but I just shared my POV. I'm sure I can deal with it technically, just sharing. Because sharing is caring. – hakre 6 hours ago
2  
I apologize for the inconvenience, @hakre - but let's face it, the writing is on the wall here. We've gone through this at least twice now with other (former) OpenID providers, and it's a lot easier to deal with it before the service is unceremoniously dropped than afterwards. – Shog9 1 hour ago
    
@hakre Well then, removal of the button !== deprecated. You're saying it's deprecated, which is a lot different from removed or disabled. – Feathercrown 54 mins ago
