For The Case of WordPress, Against Self-Indulgent Promoters Who Were Hacked


Last weekend was filled with controversy, and the reason was a worm hitting many self-hosted WordPress blogs. We warned and urged everyone to upgrade, even though the most recent version of WordPress, 2.8.4, had been released almost 3 weeks earlier. WordPress 2.8.4 was the second security update for the 2.8 branch in less than 2 weeks, and it was released only 2 days after the vulnerability was discovered, which shows how hard the WordPress community has worked to improve and secure the platform.

Ever since WordPress 2.3, which was released almost exactly 2 years ago, every WordPress blogger receives an update notification whenever a new version is available. The majority of new releases are bug fixes and security updates.
Personally, whenever I see that yellow new-release notification I cannot hit "Update now" fast enough. If not for the security aspect, then for the ugliness of the notification.

Nevertheless, these days some people are given a megaphone online and cannot resist the urge to be vocal, even when they are the only ones to blame. One of these people last weekend was Robert Scoble. His post, I don’t feel safe with WordPress, Hackers broke in and took things, quickly went viral; Robert received support but also bashing. Gruber even went as far as to say that Movable Type is safer.

Regardless of whether MT is more secure, it is clearly safer.

I have criticized WordPress in the past and will continue my search for alternative platforms, but this time I have to defend the WP community and Automattic. WordPress has done everything right.
We can certainly argue at length about whether WordPress is a safe engine or not, but statements like Michael Gray‘s tweet some days ago are what we tend to call BS:

if wordpress was serious 9am tomorrow morning stable secure code would become priority #1 … not features to amuse programmers

I will repeat myself: WordPress/Automattic has done everything right. WordPress is highly optimized to make update hell easier for the blogger:


  1. Notifications about new releases
    Not just once: usually you can see at least 3 different notifications, at the top of the admin back-end throughout wp-admin, and on the wp-admin/index.php page you will probably see at least 3 feed entries mentioning an update (Dev blog, WLTC and Andy or Ryan). Upgrade notifications have been implemented since September 2007 (WordPress 2.3);
  2. One-click upgrade
    WordPress has come with an upgrade feature for both the core platform and plug-ins since December 2008 (WP 2.7). To please pedants, I will admit that it’s a two-click update. ;)
  3. Security releases come quickly when they are needed.
    The above-mentioned 2.8.4 release is the proof of this.

But neither WordPress nor the upgrade feature is failsafe. The argument that plug-ins aren’t compatible and could break an upgrade should not prevent users from upgrading:

Been asked what I thought about Scoble/WP: NEVER put an addon over the SECURITY of your CONTENT. Put your content 2nd, you’ll get hacked. [via @tyme]

There are several things which could be improved to make upgrades (feel) safer and even easier for users though:

  1. Automated database backup
    Instead of displaying a notification that users should update the database, this should have become a core feature ever since the automated upgrader was launched. Instead we recommend WP DB Manager (WP DB Manager tubetorial video), or use a cron job if you do not want to rely on a plugin. Optionally the backup procedure should also offer to back up the WP files;
  2. Deactivate the plugins
    The second recommendation from the WordPress Codex page on upgrading is to deactivate your plugins. Maybe this should be built in, and after the upgrade the user should be offered the option to reactivate them. Even better would be a built-in compatibility check;
  3. Force plugin hooks to check if the plugin is activated after upgrade
    I am no coder but would assume it is possible to require a hook or API that makes plugins check for the use of if (function_exists()). This would ultimately prevent themes from breaking if the upgrade deactivates plugins.
  4. Plug-ins with customization options should adopt a ‘child themes alike’ structure
    Many plugins come with the option to change the CSS or have different options. Several write these to the database, others overwrite the original CSS file on the server. Other plugins still require hacking the core plugin files. In the latter case the changes are overwritten whenever the plugin is updated. Plugins should adopt a structure similar to child themes, allowing the user to revert to the original plugin whenever a customization goes wrong, while keeping the changes across updates.
  5. Separate admin back-end from front-end
    There is not one single reason one can think of why the admin area should live in a standard folder. Automattic, change this now, and also offer those who want it an easy option to install the admin area on (shared) SSL space.
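A cron-driven pre-upgrade backup of the kind item 1 asks for, written here as an added example (not code from the post or from WordPress itself). It assumes mysqldump, gzip and tar are installed and that wp-config.php uses the standard define('DB_NAME', '...') lines with plain quoted values; the /var/www/blog and /var/backups/wp paths in the comments are placeholders.

```shell
#!/bin/sh
# Pre-upgrade backup of a self-hosted WordPress install: database dump plus wp-content.
# Added example, not from the post. Assumes mysqldump, gzip and tar are on PATH and that
# wp-config.php uses the standard define('DB_NAME', '...') lines with plain quoted values.
set -eu

# Read one define('KEY', 'value') constant from wp-config.php without running PHP.
wp_config_get() {   # $1 = path to wp-config.php, $2 = constant name
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Snapshot $1 (WordPress root) into $2/<timestamp>/ and keep only the newest $3 snapshots.
wp_backup() {       # $1 = WordPress root, $2 = backup directory, $3 = snapshots to keep (default 7)
    root=$1; base=$2; keep=${3:-7}; cfg=$root/wp-config.php
    [ -r "$cfg" ] || { echo "no readable wp-config.php in $root" >&2; return 1; }
    db=$(wp_config_get "$cfg" DB_NAME); user=$(wp_config_get "$cfg" DB_USER)
    pass=$(wp_config_get "$cfg" DB_PASSWORD); host=$(wp_config_get "$cfg" DB_HOST); port=3306
    case $host in *:*) port=${host##*:}; host=${host%%:*};; esac   # DB_HOST may be host:port
    dest=$base/$(date +%Y%m%d-%H%M%S); mkdir -p "$dest"; chmod 700 "$dest"   # dumps hold secrets: owner-only
    # Hand the password to mysqldump through a 0600 option file, never on the command line (visible in ps).
    opt=$(mktemp); chmod 600 "$opt"
    printf '[client]\nuser=%s\npassword=%s\nhost=%s\nport=%s\n' "$user" "$pass" "$host" "$port" > "$opt"
    mysqldump --defaults-extra-file="$opt" --single-transaction "$db" | gzip > "$dest/$db.sql.gz"
    rm -f "$opt"
    # wp-config.php and wp-content (themes, plugins, uploads) are what an upgrade or a broken plugin can clobber.
    tar -czf "$dest/files.tar.gz" -C "$root" wp-config.php wp-content
    # Prune: timestamped directory names sort chronologically, so drop everything past the newest $keep.
    ls -1d "$base"/*/ 2>/dev/null | sort -r | tail -n +"$((keep + 1))" | while read -r old; do rm -rf "$old"; done
    echo "$dest"
}

# Demo on a constructed wp-config.php (not a real site) so the parser can be exercised offline.
demo_dir=$(mktemp -d)
printf "<?php\ndefine('DB_NAME', 'wp_blog');\ndefine( 'DB_USER', \"wpuser\" );\n" > "$demo_dir/wp-config.php"
echo "parsed DB_NAME=$(wp_config_get "$demo_dir/wp-config.php" DB_NAME) DB_USER=$(wp_config_get "$demo_dir/wp-config.php" DB_USER)"
# Nightly cron entry (placeholder paths): 0 3 * * * /usr/local/bin/wp-backup.sh
# with the script ending in: wp_backup /var/www/blog /var/backups/wp 7
```

Restoring is the reverse: gunzip the dump into the same database and untar files.tar.gz over the WordPress root, which is what you want ready before clicking the upgrader.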

To Robert Scoble I only have to say that it’s time he finds a hoster with daily/weekly/monthly automated backups. :)

Comments (10)
  • Really, WP is doing everything right?

    2.8.0 came out in June; we’re now on 2.8.4 because of security updates, that’s 4 security updates in 3-4 months.

    Instead of focusing on security, WP comes up with ajaxy dashboard widgets and flashy RSS clouds. Me, I’d rather have less ajax and tighter security.

    XSS scripting and malformed URLs are nothing new; I can tell you that for certain because I was fixing them myself when I was lead dev 5 years ago, so this isn’t anything new.

    I am not the only one who says: I’ll give up the ajax and RSS cloud stuff, take the time and secure the damn thing, and stop making me update every 30 days. I don’t have time to waste doing updates every 30 days across multiple blogs.

  • Michael, having worked with other platforms, I often wished that bug fixes came as quickly as they came with WP.

    Yes, we can argue about the platform being secure or not, and I am the first to admit that I complained about all the 2.8 releases, having managed all the Splashpress blogs, and it would be lovely if WP had a dedicated security specialist on board, but even those do NOT close every problem before releases. Ask Microsoft. I have been updating platforms and making night shifts ever since *nuke and can only say that WP ranks among the easiest platforms to update.

    At the end of the day I am entirely happy when security holes are fixed ASAP. Users are notified of new releases in many ways; no excuses NOT to update. NO platform is entirely safe or ever will be.
    Otherwise, according to the number of security advisories, everyone should now run to Expression Engine, as it seems to be the platform with the fewest advisories over the last years (Habari’s too young to be considered).

    Agreed on features, but they are part of the game when a platform is that huge. Users want fancy stuff.

  • Nevertheless, these days some people are given a megaphone online and cannot resist the urge to be vocal, even when they are the only ones to blame. One of these people last weekend was Robert Scoble. His post, I don’t feel safe with WordPress, Hackers broke in and took things, quickly went viral; Robert received support but also bashing. Gruber even went as far as to say that Movable Type is safer.

    That’s because Movable Type is safer than WordPress. If you don’t believe me, then check out the bottom part of this article on the MT.org website. It’s a reference to the NIST’s record of security vulnerabilities in both MT and WordPress. WordPress is through the roof compared to MT.

    According to Reddit, this is the TRAC page for the fix. It’s good that they found that and fixed it, but it leaves you wondering how the hell they missed that in the first place.

  • There is not one single reason one can think of why the admin area should live in a standard folder. Automattic, change this now, and also offer those who want it an easy option to install the admin area on (shared) SSL space.

    To do that, they will have to cut off every outside-facing admin function related to site functionality like commenter authentication and user registration. You’ll end up with three parts: pure admin, site-facing admin and site-building infrastructure.

    All of that because the WordPress team won’t take the time to do an entire major release that is one long, comprehensive code audit of their admin interface.

  • You’ll end up with three parts: pure admin, site-facing admin and site-building infrastructure.

    Nothing wrong with that, is there? Many systems use separate locations for front- and back-end. Besides, I refuse to store my password for the upgrade feature without SSL encryption.

  • Thank you Franky, well said. There is no excuse for waiting to keep pace with technology and use the highest level of security, i.e. extended validation SSL.

    Why do developers wait for an attack to react instead of standing proactive against hackers? Implement the best, upgrade and fix security breaches.

    Like you, I refuse to store passwords, conduct transactions or reveal personal info on any site that I can’t validate and CA, or see the bright green URL in the navigation bar.

  • Nothing wrong with that, is there? Many systems use separate locations for front- and back-end.

    A few things:

    1) IIRC, WordPress, like Movable Type, already lets you move the admin console to a separate URL.

    2) Your comment DOES NOT address my point. What I said is that to implement that they would have to split the administrative function into separate pieces, where most of it remains with the console and part of it becomes a separate system.

    It would have to be that way because there are admin functions which are part of the published website, such as adding new users and user authentication/authorization.

    3) Most users won’t separate out the URLs like that.

    4) Regular users should not have to worry about their admin console security so much that they have to move the admin console to a secret location that is never referenced on the main site.

  • I still think WordPress can do more. Specifically they need to enable folks to get notified easily *outside* of the admin interface. Not everyone logs into the admin interface every day.

    They have a “New version notification” mail list you can supposedly subscribe to at WordPress.org but I’ve never been able to successfully subscribe to it.

    Really they should build in email notification to admins of an upgrade being available within the software itself. This would especially make it easier for people who have many installs of the software (I currently support about 12 different installs of it) to ensure they haven’t forgotten one.

    There’s already a plugin that does this, but it needs to be baked into the software.

  • Mike, I answered your comment but not in the way you had hoped. I will not be baited into bashing WP, I made my statement in the entry already: Personally I will continue my search… :)

    Brian, seriously? You manage 12 blogs but do not log in daily to at least ONE admin area? Or are you subscribed to the WordPress Dev feed or WLTC or BH or…
