On WP Security

Wincent Colaiuta has no problem throwing flames at WordPress, but doesn’t see fit to enable comments. (Apparently disabled to make Movable Type more secure.) His table-layout blog isn’t too notable but it got linked from Daring Fireball so a lot of people saw his article trying to draw the line between a routine point release and encouraging people to never use WordPress on the public internet. Here are a few points for thought in response:

  • The SQL problem in 2.2 requires both registration to be enabled (off by default) and the blog to be upgraded to 2.2. It is a serious problem but I’ve heard of fewer than 5 exploits from the flaw. Even if you assume there are 100 blogs for every one we heard about, that’s still an incredibly small percentage of the millions of WordPresses out there, especially considering, as Wincent points out, the problem has been in the public for a while now.
  • Getting people to upgrade web software is hard. We work as best we can with hosting companies, but a consideration is that it’s best to roll several security fixes into one release. It’s not responsible to do a release if we know of another problem, so sometimes there is a lag between an initial report and a final release, not to mention the testing required of a product used as much as WP.
  • Wincent digs up the server crack that modified the files of 2.1.1 for a few days. Ignoring the fact that it was a server issue and had nothing to do with WordPress the software, we actually had NO reported exploits of the problem. (Though I’m sure there are at least a handful out there with problems, it wasn’t enough to hit our radar.) Despite that we took a hit and publicized the issue as much as we could to get the word out.
  • Also about 2.1.1, the problem was found through someone proactively auditing the codebase.
  • Finally Wincent says of WP “[a]nd if you insist on installing it, then you need to watch the trac like a hawk.” You would think complete transparency of the problems (it was on our bug tracker and mailing list) would be a good thing, especially considering the software Wincent uses doesn’t have a bug tracker, and the only way to submit a bug is through a contact form.

We can and do review new code for problems, and pick the vast majority up before any releases. I think the real issue though is not that WP has bugs which are sometimes security related, which all software not written by djb does, but that the mechanisms for updating complex web software are a pain. Right now the best experiences are probably with folks like Media Temple or Dreamhost that have pretty foolproof one-click upgrades and are quick with updates.

Making notification better and upgrading more painless for people not lucky enough to be on a host like that are problems with some very clever minds on them, and I’m confident that we’ll have good progress toward each in the next major release of WP.

Finally, I suppose we could act more like our proprietary competitors and try to downplay or hide security issues instead of trumpeting them loudly in our blog, but I think the benefit of having people well-informed outweighs the PR lumps we take for doing the right thing. I truly believe talking about these things in the open is the best way to address them.

In some ways it’s a good problem to have. When a product is popular, not only does it have more eyes from security professionals on it, but any problems garner a level of attention which is not quite warranted by the frequency of the general event, like Angelina Jolie having a baby. There are certainly things intrinsic to coding that can make software more or less secure, but all things being equal the software with the most eyes on it, which usually means Open Source, will be the most robust in the long term.

110 thoughts on “On WP Security

  1. For what it’s worth, I agree with Wincent. I don’t think Movable Type is better, but such a large vulnerability should have been caught before a release was tagged.

  2. I’m a Spanish user of wordpress 2.2.1. I think you are doing a great, great work with WordPress.

    I use WordPress for 3 reasons:

    1.-Transparency: I can see the code and i can see the bugs
    2.-Great community: we have a lot of plugins
    3.-It is very easy to use

    You said a great truth: When a product is popular all the eyes are putting in it. Why? Because WordPress is an incredible piece of code.

    Congratulations!

    Best regards

  3. what ever they throw at wordpress i’m still a WP guy. of course there are flaws, but are they sure that blogspot, type pad and movable type doesn’t have such?

  4. Wincent Colaiuta, can make his own blog management software if he hates WordPress so much. His recommendation is to use Movable Type or BLOGGER, his he crazy. I started on Blogger and although I would recommend it to anyone wanting to start a free blog, I would also suggest they get off of blogger as soon as possible. Don’t even get me started on Movable Type. Here are Movable Type’s known issues. Supposedly they are fixed, however the top one on the list:

    * MT4 Beta does not currently work under Windows Vista

    Are you kidding me, and Wincent wants to recommend Movable Type?

    I recommend WordPress to anyone that wants the best blogging software. The WordPress team has my support.

  5. I was waiting and wondering whether WordPress would have a (semi) official response to this. I thought Wincent’s comments were a little excessive (I use WordPress for my blog and have no plans of stopping). But being a bit naive in general about security, it did make me wonder, “can WordPress do something to increase my security?”

    I wonder if, given the state of the web, it would make sense for WordPress to prioritize a “security update” feature apart from regular updates. If this feature was built into WordPress, and encouraged users to update “just the security fixes”, it seems like it might have a higher uptake than the “usual upgrade path.”

    Of course I’m kind of naive about php and web upgrades in general, but WordPress might do well to think about how they could “push” security updates to users faster than they are today.

  6. Heh, that Vincent guy is a bit of a moron… And cleverly disabled comments to avoid getting flamed for his stupid post.

    I agree with this article though. Releasing a patch of a major blogging tool such as wordpress every time some bug surfaces would be inappropriate. I do never watch trac for the latest bugs. And I’m not aware of any security flaws. If it’s really important I’ll usually see it in the IRC channel 🙂

    In my opinion Vincent does not tell us ONE valid point not to use wordpress. Pure blasphemy if you ask me 🙂
    I do happily recommend wordpress to anyone willing to start a blog, or website.

  7. For a more serious comment (Matt you can delete that first one 😉 )

    I agree that ALL software is going to have bugs/vulns!! WordPress handles it better and faster than any other out there.

    It has trac which on which you can keep track of recently submitted bugs, which is helpful to watch if you like to know the LASTEST about the bugs, but I know that for end users, they will get the info about it ASAP. (which is usually very fast)

    I also know that most people know about the vulnerability and how to exploit it, but they won’t and don’t. This shows hope for our society ;).

  8. Most of my WP upgrades have gone excellent, with the exception of this last one. I suspect that’s more to do with my host company changing the DB collation than with WordPress however. It was one-click through Fantastico.
    The only other upgrade I had problems with was when I did a manual one.
    Thanks for all the great work, and keep the code coming.

  9. I’m not sure why the acerbic tone towards Six Apart; the flaw was brought up on ProNet and Anil pretty quickly jumped on it:

    “There may be people in the community who want to start a pointless us vs. them flame war. We (6A) don’t want that, and I’ll do anything I can to stop it. We make our distinctions on the goal (getting more people blogging) and the community (a positive one) and our desire to be ethical in how we do things.

    There are a number of reasons. One, religious wars stupid and a waste of time. But if that’s not enough, these petty snipes are misleading and play into misperceptions of what blogging is about and how it’s evolving. Blogging is scary enough to normal people without them also encountering infighting.”

    I couldn’t agree more. Security flaws are bad in WordPress and they’re bad in Movable Type. Let’s face the consequences of any mistakes we make responsibly (on both sides) and keep the main thing the main thing.

  10. Jesse, I said two things related to MT, both of which I stand by.

    1. His suggestion that turning off comments is required to secure MT. I think MT is plenty secure with comments on, otherwise it wouldn’t be a default feature. I was complimenting MT, criticizing his the tin-foil-hat approach.

    2. I think it’s silly that MT has a non-accessible bug tracker, and the only way to submit something to it is through a contact form. That’s something that will have to change when they go Open Source.

  11. “If you do want to install weblog software, I recommend Movable Type. It is possible to set up a very secure install if you don’t need things like comments”

    Um, er, yes, well 🙂

    V. funny… of course, there’s never been a security issue with proprietary software, oh no.

    I get the feeling he’s confused between .com and .org too, given the blogger ref.

  12. I wonder how you can even call it a true “blog” if you have to turn off comments and destroy interactivity to make it functional. I’d be offended by his ignorance if not for the hilarity and irony of it all. “WordPress sucks! MT rocks! It’s much more secure than WordPress and all I had to do was turn off a bunch of the main features!” Uh, yeah. Right. I’d take feature-rich with a few warts over what he proposes any day of the week.

  13. I can say, I’ve had a rather comfy & easy WP blogging year, no issues that weren’t resolved easily..and nothing like how Wincent describes it.

    I’m just one of many, many WP users who are also quite happy with WP.

  14. With all these millions of blogs, there’s always going to be a few people that take an unpopular position to get a little attention.

    Next we’ll hear about how houses shouldn’t have doors because of the inherent security risk

  15. Well said Matt! WordPress and we, the users, enjoy the open source goodness. We really like that the issues are not hidden, in fact it gives us more confidence in the WordPress team and the development.

  16. I can’t believe Wincent actually touts Movable Type as an alternative to WordPress. I’ve tried MT before, and it pales in comparison to WP. It was, in my opinion, clunky and ugly, and nowhere near as extensible as WP. I don’t know why so many people insist on tearing down WordPress for having the same problems every other piece of software has.

  17. I applaud the “be up front” policy that the WP team shares. Security issues and bugs are a reality of software (minus that freak djb, as you point out). I’m ashamed to admit that until tonight I was still running 1.5.3-beta (I don’t even know where I got that from???) on two blogs and 2.0.x on another. Seeing new security issues finally prompted me to switch them all to subversion-style installs I can upgrade in just a few keystrokes and I’m planning to stay on top of it going forward.

    My fear of upgrading was of themes and plugins breaking like mad. I only had two plugins that didn’t work coming from 1.5 and the overall upgrade experience was great. You guys are doing great work and deserve the success. Don’t let the haters h8.

  18. As a web application developer myself, and someone who’s had to release numerous security updates for our products because of the sheer size of the application we develop, you have my complete support & understanding.

    Keep at it. 😉

  19. Eye-opening! I strongly agree. Great article, Matt.

    As a new WordPress user, it’s enough for me that you listen to your users and respond to them as soon as you can. It’s truly excellent customer service (considering that your software is open source).

    WordPress is one of a few that solidifies the passage, “The best things in life are free.”

  20. Great article; however there is one thing that I found to be inaccurate:

    [quote]Right now the best experiences are probably with folks like Media Temple or Dreamhost that have pretty foolproof one-click upgrades and are quick with updates.[/quote]

    I am currently with Media Temple, and while they offer one click installs, this is what they say for upgrades:

    [quote]DO NOT(!) use the one-click installer to upgrade any previously installed One-Click application. It will erase your files and data. To upgrade an individual application, select from one of the links below and follow the instructions:

    * Upgrading WordPress[/quote]

    The link for upgrading wordpress just points to the normal upgrade instructions page here:

    http://codex.wordpress.org/Upgrading_WordPress

  21. The arguement that it took a month from the bug was discovered (in may) to the official fix was released (here in june) is valid.

    Like Microsoft has security-hotfixes and service packs, then it would be nice if critical patches could be released quicker without being part of the whole package, or in this case announced publicly (wordpress.org) that a work-around exists and it should be applied now.

    But besides that then I still think WordPress is an excellent piece of software, and maybe one day it will be possible to apply change-sets to a WordPress installation with the click of a button (At least the security ones, on all the blog-installs that don’t modify the WordPress code themselves).

  22. Snakefoot, I tried to address that with this comment:

    <blockquote>It’s not responsible to do a release if we know of another problem, so sometimes there is a lag between an initial report and a final release, not to mention the testing required of a product used as much as WP.</blockquote>

    There were several issues reported right before we were going to do a release, so we had to get the fixes for those in and start the testing process over again.

  23. Stay the path Matt, you guys are doing a remarkable job at the moment. 🙂

    I’m quite amused by his suggestion to either install Movable Type (WITHOUT comments enabled) or use Blogger instead. Ermmm, thanks Wincent but I’ll stick to WordPress!

  24. While I take all your points, was the jab about his table-based design really necessary? 😉

    (I’m here via Daring Fireball.)

  25. I like WordPress, and would never go back to using something as Movable Type, where you can’t use comments due to securty reasons.

    Keep up the good work with WordPress.

  26. Cheers for the info & your thoughts.
    I’ve got to ask, was mentioning Angleina Jolie’s baby a ploy to make sure more people read this by arriving here from a non-related search engine result?

    (Not criticizing, just wondering…)

  27. Chris, nope. I was trying to think of something that occurs rather regularly but is blown out of proportions because the person involved is famous. The first thing to come to mind was Paris Hilton in jail, but that seemed a little loaded, so I remembered Jolie’s baby because People had sent out all those C&Ds to anyone that posted the pictures they had purchased for millions of dollars.

  28. What a loser. Sounds like he’s got an axe to grind against WP for some reason and he obviously thinks far higher of his reputation and himself than he ought.

  29. Good response, and thank you for posting it.

    I do wish you hadn’t put in that little swipe about your competitors, though. It feels”¦ petty.

    We expect better. 🙂

  30. Pingback: Throwing stones
  31. Finally, I suppose we could act more like our proprietary competitors and try to downplay or hide security issues instead of trumpeting them loudly in our blog, but I think the benefit of having people well-informed outweighs the PR lumps we take for doing the right thing.

    I’m assuming by “proprietary competitors,” you’re referring to Six Apart? MT4 has been GPL’d. Late though they are, they’re at the party.

  32. Dan, I don’t know of any issues where Six Apart has tried to hide security issues, so I wasn’t referring to them, but it’s been a pattern with even well-respected proprietary software vendors, especially those with compiled code where it’s difficult to see changes.

    I think the closest any Open Source project I know gets is Mozilla has private bugs in Bugzilla for vulnerabilities in something like Firefox, but my understanding is that they open up the bug after the release.

  33. People like that will take potshots at WP, and you all out of some desperate hope to gain some traction. The fact that they hide behind an excuse like disabling comments “for security” underscores the fact that they are not only cowards, but that MT is a joke.

  34. WordPress has a lot of functionality and that’s one of the main reasons for using it. Without all these fine possibilities WordPress is offering it would probably be even more secure.
    I agree with you that the WordPress security will even increase because of it’s popularity.

  35. Seems odd that he’d be attacking WP like that … if so he should be after Microsoft, Apple, and every other software company out there.

  36. I’m a big fan of WP, and use it for basically everything (mostly because I’m not an IT professional, web app developer or designer, I’m just a hobbyist, so I’m not interested in learning to configure and use Drupal or Joomla). The first time I installed WP was through Fantastico, and I’ve always regretted it. Not because it didn’t work, but because it was much harder to troubleshoot. After a bad auto-upgrade (my fault), I spent days trying to make my blog usable again, as Fantastico doesn’t try to make its process transparent. I’ve done manual installs and upgrades ever since.

    What I’d love to see in WP is some kind of upgrade process that’s both easy to troubleshoot AND that doesn’t feel like I’m performing open-heart surgery on my blog. I don’t mind upgrading one blog at a time, but being more technically inclined than most of my acquaintances I end up being their webmaster… which means several installations to control and upgrade. But maybe this problem is my own, and I’m an anomaly (and people like me should just stick to their web admin panels… which would work if they were 100% idiot-proof and TRULY one-click).

  37. So what’s the point of a blogging system that’s only secure if you disable comments? :S

    I totally agree with you Matt, on the point about being open about the security of WordPress. It’s a lot nicer to know what’s going on, than it is to know nothing and just assume that everything is as it should be 🙂

    Oh and BTW, what an awesome KB article Wincent has on WordPress: http://wincent.com/knowledge-base/WordPress
    I can see why it was necessary for him to link to his own KB, instead of just linking directly to wordpress.org :P.

  38. I read Colaiuta’s article pertaining to WordPress and i can’t believe he would recommend a less-featured and user unfriendly software such as Movable Type instead of WordPress all because of an exploit that by default, will not affect people and/or their WordPress installation.

  39. I think criticism is always a good thing, but I just can’t get worked up over the mistakes of free, open source projects (WordPress) the way I can get worked up over the flaws of private, for-profit corporations (Technorati).

    Moreover, I haven’t seen any evidence of the WordPress community trying to cover up mistakes or “spin” the truth. So, you’re all good in my book. I’ll continue using WP till I outgrow it or till I decide to stop blogging.

  40. As a Media Temple customer I just wanted to make a quick note and say that they don’t provide one click upgrades. They only have one-click installations and specifically mention that from there on everybody’s responsible for maintaining that installation.

  41. For what it’s worth, upgrading WordPress, even for just a pount point release, is a big PITA.

    It’s harder to upgrade than it is to install. This is not unique to WordPress, but to most server-based software. Debian has a nice upgrade cycle, but many WordPress users are on servers without the full administrative privileges required for Debian style functionality. What is probalby needed is some sort of Subversion-like versioning. While Subversion, at least for installation, would probably require administrative privs to install, perhaps similar functionality could be enabled by simply editing the .htaccess file (though this probably opens up a bunch of security holes.

    This is what I would like:
    1)When it is time to upgrade, I seeing a nice red button on my Dashboard.
    2)Pressing it backups my files and database, which I then download as one big zip or tarball, via the browser
    3)Then a script
    a)turns off the plugins
    b)checks versions of all files and updates where necessary, prompting me if there might be some doubt. The prompting offers advice on commonly experienced problems. This is necessary for user-made changes, particularly in the /content/ folder
    4)That’s it!

    These four steps are a lot easier than the thirteen steps listed in the help pages. It would need a lot of programming and probably some new thinking on some problems. But that’s my two-cents worth.

    I still love WordPress.

  42. Thanks for the info Matt. I’ve always loved the open ability to see what is happening with WordPress development.

    If you do want to install weblog software, I recommend Movable Type. It is possible to set up a very secure install…

    He sounds really reliable advocating a piece of software he thinks you don’t need to install, and then explaining how to bypass major built in flaws by cutting yourself off from readers.

    Did the WP team steal his first born or something?

  43. Even though I don’t use it, Fantastico, which appears on many linux shared control panels is very slow to push upgrades. As of this am, they’re still providing the last version of wp.

    The instant upgrade plugin has been very helpful to me. I don’t run cutting edge, but I try to upgrade to latest and greatest less than 12 hours from release.

    WP is still, far and above, the best. Thank You!!

  44. Point and case, If you are running a web applications, you are never secured. Anything public can access, can be broken. Patching up is part of running a site or a server. I think it’s unreasonable for Wincent to poke on an application based on his friend’s negligence.

  45. I meandered over to Wincent’s post via your link and have to say that it’s this kind of immature bashing that pushes me away from the particular blogging platform that they’re recommending in the first place. It’s the same type of Apple’s OSX vs MS Windows mentality that has never fails to disgust me. There’s always someone who thinks the most popular software/OS/blogging platform shouldn’t ever be used and Wincent saying that the responsible thing to do is to recommend that WordPress should be uninstalled is absolutely ludicrous. I’ll just wipe my Windows XP PRO off my computer while I’m at it. Looks like WordPress has acquired it’s very own “Bonch” like the one that has always existed in that old Apple’s OSX vs MS Windows argument.

    Okay…So maybe certain problems should have been found before the original release date however, things are never so fool proof that nothing ever falls through the cracks You make a mistake…you learn not to make that mistake again. But the main problem never lies with the software in question. It lies with people. People are always the problem especially those who purposely invade just for the fun of creating problems or making a few bucks.

    So keep on those security releases and I for one will have no problem with updating. Maybe someday web hosts will all operate under one basic set of standards and WP auto-upgrading will actually be possible…but I won’t hold my breath. In the meantime, folks like Wincent should spend more time improving the software they’re pushing instead of beating up the other guy.

  46. Personally, I love WordPress, and I’m not just saying it. I run it on most if my sites, and I was even willing to spend hours converting one from Joomla to WordPress–and give myself a large headache in the process–because I think it’s a great system.

    I don’t bother listening to the people who complain because they tend to believe themselves the authority on all things scripting.

    The reality is that WordPress works for novices and professionals alike.

    I look at it like this: nothing is perfect, but at least it’s out there trying to improve, as opposed to claiming to be things it’s not.

  47. Thanks for posting this Matt. I’ve been a loyal wordpress user since 2.0.2, and I’m loving the direction WP is going in with 2.2 +.

    The people who make these kinds of statements against software generally really have no clue what they’re talking about – or know about open source development. I have my own open source project and I know how tough it can be sometimes to get people to want to update, etc.

    Don’t worry about people like him though bro. 😉 Just jealous.

    I love the work you all have done with WP – keep it up!

  48. “It is possible to set up a very secure install if you don’t need things like comments”

    Yeah Wincent, who’d need stupid things like comments on a blog?

    Who wants to bet Wincent still uses IE6? 😉

  49. Nice reply – Jolie bit made me laugh 🙂
    Mr. Colaiuta is clearly biased – for example he calls normal language of the release announcement a “spin”. Yeah, right!
    And blog with disabled comments? Uh-oh, I smell a publicity whore…

    I have some small irks with WordPress (browsehappy anyone?) – but security and frequency of updates are not among them. If somebody has a problem with occasional software updates he ought to use hosted blogs service (like WordPress.com)
    And may be WordPress upgrades are not bulletproof, but with thousands of possible OS/webserver/PHP/MySQL combinations WordPress authors are doing an amazing job.

  50. I loved the barely concealed “table-layout blog” at the start of your post.

    It’s a disappointing post. He has ignored many of the issues, like WordPress being so darned popular. He’s also ignored the way you guys handle crises like security issues. You’re generally open, honest and totally trustworthy.

    I’m fairly sure you’re not losing sleep tonight over this….

  51. Sounds like a lot of hot air and not a lot of content to me. It’s unfortunate that their ill researched and poorly written post has had the attention it has, but apart from posting this succinct retort I don’t think there’s much you can do – or much damage they’ll inflict.

    Try not to worry about it.

  52. I agree, thanks for posting this. I agree with WP’s policy of public disclosure of security issues. We don’t have anything to hide!

  53. Matt, you really got that answer right 🙂 Slighly ironic at the beginning and truly mature & informative for the rest. A lot better than bashing competitors, as you’ve said.

    I’ll add that I’ll start worrying the day my software won’t have upgrades.

  54. I started blogging using vi and SSI. The term blog didn’t exist yet. When MT arrived I used it for a few years. Since I work as a systems engineer for hosting companies, I also install blogs for many others. I keep dozens of blogs updated on my personal server. MT was the cats meow in its day, but it’s day ended when blog spam began. Oh, and charging for MT.

    I couldn’t have been more pleased when an alternative came along. I switched to WordPress and have and have been keeping it updated ever since. Hundreds, and hundreds of times, as each new vulnerability is found. I’ve updated WordPress a thousand times (hundreds of blogs * each update) and it’s about as painless as can be. For those that think it’s difficult, here’s my process:

    # portsnap fetch update
    # cd /usr/ports/www/wordpress
    # make && make deinstall && make install clean
    # rsync -av /usr/local/www/data/wordpress/ /path/to/installed/wordpress

    Point a browser at the blog admin page, click a few times, and repeat the rsync step for as many blogs as you have installed on that server/jail/vhost.

    NOTE: install plugins like Spam Karma, Bad Behavior, Tiger Style Administration, etc into the port (or default system) location so you keep the plugin updated in one place and rsync it to each of your installed blogs. Automatically.

    If it weren’t so simple to keep wordpress updated, I’d probably hate it.
    If it weren’t for the Spam Karma plugin, I’d probably hate it (Akismet is not nearly as effective).
    If it weren’t for all the available themes, I’d probably hate it (you think all my friends/clients want their blogs to look exactly like mine? (I’m a systems guy, not a designer)).
    If it weren’t programmed in such a way that I could easily alter it, I’d probably hate it.

    But I don’t hate WP, I really, really like it. And this comes from a long time Perl programmer, who if he were to be biased, should be biased towards a perl program. But if a good programmer recognizes good code in any language, and WP is quite good.

    Do I wish there weren’t any vulnerabilities in WP? Of course. I divorced myself from BIND, sendmail, and Windows back in the 90s due to the cost of keeping them secured on the public internet. Would I switch from WP to another blogging system if I could find one that:

    1. had 75% of WP functionality
    2. had a djb’esque security reputation/promise
    3. had a vibrant user & developer community around it

    Yes. But that alternative doesn’t exist.

    It requires rare and extraordinarily talent to write code that is secure. Especially when a dependency of your code is PHP. But that’s a price to be paid for a practically effortless installation experience on nearly every hosting provider. As PHP projects go, WordPress has an very good track record regarding security.

    It also requires excellent management on the part of the developer(s) to keep the community interested and involved. Next to being easy to install, WordPress’ success speaks for itself as a testimony to how well the project has been managed, and we all know who to blame for that. Atta boy Matt.

    Whether it’s worth responding to folks like Winston, I defer to a clique overused by a fellow I used to serve on a Board of Directors with, “If you roll around in the mud with a pig, you both get muddy. But only the pig enjoys it.”

  55. Hmmm. Frankly I see both sides of this story. I thought that Wincent’s points were actually quite valid, though his conclusion seemed harsh. And as a new user of WordPress, I found them of concern. Your response also had merit. I am far from an expert regarding matters of coding, security, open-source, etc. However, his point about not publicizing potential breach opportunities seemed to make sense. As a new user I would enjoy seeing some of the enhancements you allude to happening sooner rather than later.

  56. Let’s clear up one ridiculous little straw man argument(Wild Bill’s, not Matt’s):

    The page linked lists the known issues for the MT4 beta, not MT as released.

  57. I love the WP Community.. it`s really a web2.0 stuff somehow.. like in the former days a little bit and blaming others for something that isn`t really there.. not my thing..

    i like the way, WP handles it Bugs, Future and Ideas.. so.. i`ll never change… i hope.. and can only say yes to all things, Matt Simerson commented..

  58. Glad you posted this.

    I have, like Wincent, also been concerned about WP security recently. Despite you saying the cracker breaking into your servers and replacing the package was not of much importance, it was a pretty shocking mistake. WP’s recent track record does worry me.

    On the other hand, you do rightly say that

  59. [continued from above, posted comment by accident]

    …you do a good job at publicising the security issues. Hopefully, this won’t happen again.

  60. I got a reply back from WC and both him and Matt have great points about WordPress. WC argues that;

    “But although the number of flaws is alarmingly high my real complaint is with the team’s *handling* of them. I know that all software has bugs and it would be unreasonable to expect that WordPress be bug free. The *real* issue is that their process is rotten as I explained here:

    Fixing their process would be much easier than fixing their buggy software, but they haven’t even done that.”

    I took this straight out of my gmail so i fear the formatting is off, but still, he makes a valid case that the process of eliminating bugs is important. However, i agree with Matt that with millions of users comes a nice little red and white target. When you’re popular, you become the target and with that the pressures of not overlooking bugs in your software. If WP’s process didn’t work, i highly doubt they would be where they are now, version 2.21 with 1 million+ users.

  61. As an employee of a hosting company with a lot of different kinds of blogging software on our systems, I feel compelled to chime in briefly here. In the interest of full disclousure, I should note that I consider Matt a friend, but I can assure you all that would not spare him from my wrath if I thought he were pushing out software irresponsibly, as that would translate directly into undue burden on my support department.

    WordPress has had security problems. So has MT. So has every other piece of web based software that has any actual size and adoption rate that I’m aware of, and they’ll all have more in the future. From the vantage point we have, where we get to watch tons of these things running, I feel it’s strongly inaccurate to say that WordPress is characteristically more insecure than other web apps out there based on the number of actual exploits that our customers have experienced.

    Some salient points, most of which were mentioned here but which I’ll restate from the vantage point of a hoster include:

    1) The fact that security problems exist is not new. Both of these camps are well aware of it and own up to it.

    2) WordPress specifically seems to be “under fire” for something which is actually a strength. Namely, they develop in the open with an active community. This means that exploits are brought to light, publically, very quickly. They also get fixed quickly. All too often with closed development models, you just see something like “fixed XML-RPC vunerability in blah blah blah…” in the release notes for a new version. Trust me, the fact that you don’t hear about something until it’s fixed doesn’t mean it’s not exploitable.

    3) Getting customers to deploy new code is easy (we’ve already updated our WordPress 1-click to the newest version for example.) Getting them to upgrade is incredibly hard. As one of your readers notes, we do not currently offer an auto-upgrader. This is becuase we are debating internally how best to handle plugins, as it’s well known that plugins don’t always come out working cleanly at the other side of an upgrade, particularly when the plugin authors don’t follow the plugin writing guidelines. So, we have the potential to break people’s blogs, and thus there is a need to really examine that potential and how it’s going to affect our support department.

    4) There is no perfect and automagic way to push out upgrades. If there were, I’m fairly certain Automattic and the WordPress development community would already have implemented it.

    5) Having said all this, WordPress overall has one of the most functional and straightforward upgrade procedures I’ve ever seen. And it’s very well documented. This is one of the things we like most about the softare at our company, there’s been some real thought put into making the upgrade process reasonable.

    6) If we really wanted to get into a discussion of exploitable software that gives us all major headaches, we’d be talking about bulletin board software, not blogging software. (And no, I’m not pointing a finger at bbPress. It’s like Fort Knox compared to some of the other, popular packages out there.)

    I’ll just close by thanking the WordPress team for yet another great release. We’ll look forward to more in the future. 🙂

  62. I have tried MT and blogger before, but I simply find WordPress easier to control and maintain.

    That isn’t to say that you’ll produce a better blog with WordPress or that WordPress is perfect or that WordPress is the answer to all blogging prayers. It doesn’t matter whether you use WordPress or MT or blogger – if you’ve got nothing to say then your blog will suck.

    I do think that the sniping comes from an immature attitude of “us versus them”. There are features of MT that I wish WordPress had – and probably vice versa.

    Security is an area where opensource software should be leading the way – and I regard the exploit which was nearly added to the WordPress code as the big wake-up call that WordPress devs needed to tighten up the code and make it more secure.

    I do find upgrading WordPress a pain, especially as some of my clients require customized code which gets wiped out by upgrades and has to be laboriously replaced. Now if WordPress stored its configuration in the database, that would be a start…

    But on the whole, I would like to thank the developers for making WordPress what it is – in my opinion the best blogging software out there.

  63. I have 4 installs of WordPress that I currently use, and every one of them was upgraded to 2.2.1 less than 24 hours after release. I used gFTP to upload the new files, went to the upgrade page, and was done. (Of course, I don’t run very many plug-ins – my personal blog has more than the others.) I’ve never had an upgrade break any of my blogs.

    There are going to be security holes. My web host (Lunarpages) sends out e-mails on a regular bases when particular egregious holes are discovered. The biggest thing is to stay on top of the releases.

    And, to those who would like a click within the blog to upgrade itself – sounds like a Summer of Code project to me! 😉 Or, dust off your PHP skillz and give it a shot. That’s the beauty of open source…

  64. Thanks for the info, Matt. I, too, believe that full, public disclosure is the best option. Hiding flaws from users doesn’t protect them, it does the opposite.

    I love WP, and appreciate the community (all of it) working to make it better, more flexible with more customization and security.

    Thank you!

  65. No matter what they hurl at you, it won’t stick. MT lost a LOT of users over their licensing gaffe of 2004. They’ll never overcome that and this just looks like disgruntled whinging.

    With Akismet and other spam plugins, even at its WORST, WP was never plagued with the kind of comment and trackback spam that befell MT. And it’s just bloated. Since 2004, they’ve tried every trick of Eve to emulate the way WP behaves, down to dynamic presentation and now Open Source.

    With MT4 poised for release, you can prolly expect more of this kind of mudslinging.

    Just don that Teflon raincoat, Matt, and keep trucking!

  66. @ME How on earth are upgrades a PITA? What are you doing? Just ignore the wp-content folder, .htaccess and wp-config.php and upload everything else over itself. Then, you can be lazy and just browse to your site. WP will remind you to upgrade your database at that point, provide a link for you to do so, and viola, all upgraded. Never had one fail yet and I do them for a lot of other folks as well as my own web sites (and honey, I have a LOT of WP web sites!).

  67. I don’t know about anyone else, but I can’t take anything seriously from someone who still uses tables as their primary layout method.

  68. I reviewed a number of blogging/cms tools and based on several opinions and my experience with each I chose WordPress.

    As many have already said, there will -always- be issues.

    If we stopped using a software package permanently every time someone found a flaw, we’d still be using CP/M. Of course, some might prefer that.

    WordPress gets the job done, gets better all the time and is FREE as in BEER.

    Complainers will always whine about something.

  69. I love WordPress, but I have to admit, the frequent upgrades are a little bit of a pain in the neck. A one-click upgrade feature from within the WP control panel (goes out, downloads the latest, runs the upgrade, all done snip-snip) would be GREAT. Would totally alleviate most security concerns, as they could be taken care of right away.

    What if just one line of code, in one file has changed? Maybe incremental upgrades too?

  70. Dalton, why should you even have to push a button? Makes no sense to bother you, at all. Me thinks you should awake to fresh brewed coffee, cinnamon buns and new software…perhaps even a blog entry? Snip, snap! 😉

  71. Eh? What is this Wincent guy made of? The stupid? Why is it that flamers like him love to attack others, but cannot stand them being attacked? Either they disable comments (how brave) or just delete any comments that he might deem negative, towards him or his words.

    I’m a bit of a lurker here in your blog, but I had to comment to say that I love your blog and your wonderful work.

  72. “With MT4 poised for release, you can prolly expect more of this kind of mudslinging.”

    Joni, it’s worth mentioning that we at Six Apart don’t condone this sort of pettiness, we actively discourage it, and we take pains to be supportive to the *entire* blogging community, not just those on Movable Type, LiveJournal, Vox, or TypePad. And I’d encourage everyone else to refrain from mudslinging or unfair assertions, too.

    I doubt too many people are still following the thread, but I hate to think someone judges an entire community by uncharacteristically negative members — that wouldn’t acquit any of us very well in the long run.

  73. It is interesting, the arguments (wincent) seem to omit certain factors regarding how critical the application of wordpress is in any given example. Additionally most of the issues presented are more relevant to software and systems as a whole rather than any specific application.

    i) If your site is critical enough, in a personal or commercial sense, you should be putting time aside to learn to follow best practices, trac, patch code, perform your own zero day protection and etc. This goes for any application, anywhere. Either you make the choice to remain on the previous .1 release, trading functionality for additional testing and security, or you learn to keep yourself as tightly integrated as you can afford to be with the development cycle of the app.

    ii) There are very few web applications that are genuinely hard to upgrade. I know more about lint then I do *nix systems but after an hour or so reading up on the relevant topics (shells, svn, etc), my updates (on 80% of what I run) are now a case of executing a backup script, executing “svn update” in the relevant locations, reloading a few key files / patches and hitting refresh in the browser. I know not all cases are the same but as a general rule, things can always be streamlined.

    iii) Additionally, when did people become so addicted to the novelty of a new version? If you are in a position where unexpected incompatibilities will cripple what you do for a living then don’t upgrade yet. Let the community take the product through their paces and then adopt. This is, to me, one of the main benefits of open source but seems to be highly under utilized as a process. Some people will be quite content putting of buying an ipod until someone else tells them it is good, but will roll out day old upgrades or alpha content onto sites without a second though.

    Re,
    Tomo.

  74. The updates aren’t really that bad if you plan them carefully and stay on top of it. All in all I love wordpress, I’m learning to “massage” it into something totally different and in the mean time it’s taught me A LOT about PHP and coding whereas I’ve always been in the land of sysadmin….

    Case in point… It took us 4 weeks to get an Intranet/blogging site up for our company with Joomla framework. WordPress… 4 hours and counting (total work load)… While it’s still primitive.. out of the box WordPress ruled.. So there are a few exploits here and there..

    I have one word to offer as a caveat, MICROSOFT!

  75. One point that should be noted, Wincent’s post is not the original everyone seems to think it is. It is a re-working of a very similar post which he links to right at the end of the article. The points are pretty much the same, and Wincent probably brings it over much better.

    Pi.

Leave a Reply to AlexCancel reply