The wordpress experiment is over.

I have decided that the wordpress developers' approach to security releases is not adequate and wordpress installations require too much maintenance to keep up-to-date.

The developers "announce" list has been broken for months and months with no sign that they will be fixing it. The only way to keep up-to-date on developments is to monitor their website your self.

The wordpress team keep details of security flaws secret as a matter of policy, preventing you from mitigating attack by writing e.g. mod_security rules.

The wordpress team have made mistakes with releases and subsequently uploaded fixed versions, with the same version number, without telling anyone. Combined with not publishing sums for their releases, you can never be sure if your X.Y.Z is the latest X.Y.Z.

I would strongly advise anybody considering using the wordpress software to look elsewhere.