Category Archives: WordPress
WordPress Malaysia Logo
Malaysia is celebrating 50 years of Merdeka and Avijit made these cool WordPress logos to celebrate.
Redirect Plugin
Plugin Competition Winners
Prince on WP
Prince uses WordPress at 3121.com. Hat tip: Ben Yarbrough.
MovableType 4 vs. WordPress 2.2
Mashable compared MovableType 4 and WordPress 2.2. I wouldn’t agree with Byrne that “Movable Type 4.0 is light years ahead of its predecessor not to mention any other blogging tool on the market” but they have caught up to a lot of basic features — pages, WYSIWYG, pagination, user registration — that have been lacking in the platform for a while. That, plus the fact that they support WordPress imports and cloned our pages API does show that they’re gunning for some switchers regardless of what they may say in public. (I’m cool with both of those by the way, it was good of them to adopt existing standards instead of inventing new ones. In fact it’d be nice if they could export to WXR as well, as it’s pretty semantically rich and the current MT export format leaves a lot of important stuff out, like slugs.)
IIS Authentication Plugin
IIS Authentication plugin for the WordPress PHP blogging engine. So wrong, yet so right.
WordPress India Logo
New Stats Plugin
WordPress.com Stats Plugin 1.1, now it doesn’t bounce you to WordPress.com to view your stats. I think it’s pretty slick.
Theme Quality and Downloads
There’s been a common argument that sponsored themes are higher quality because they were paid for and removing them from the theme directory will make it suck. While I find this argument insulting to the designers who have put their work out there without sponsorship, and having personally looked at hundreds of them I had a general feeling that most sponsored themes were junk, I didn’t really have any data.
Well I ran a few queries against the theme viewer DB a few minutes ago and found out some interesting stats:
- We’ve removed 2,107 themes so far, or a bit under 60%. Those themes had 2,243,735 downloads total, or about 1,064 downloads per theme.
- There are 1,737 themes still in the directory and those had 3,480,244 downloads, or about 2,003 downloads per theme.
(There may be some spam themes still left in the 1,737 number, but I think we’ve gotten most of them. The reports have slowed to a trickle.)
So if you assume downloads are a measure of the public interest in a theme, then non-sponsored themes are about twice as popular as sponsored ones.
Of course you might not accept that assumption, and the data is fuzzy, and there are certainly a handful of sponsored themes that are very high quality, but overall the indications are that they were a net drain on the site. Rather than making one-off exceptions to the no-sponsored-themes policy and being accused of favoritism or of having ulterior motives* I’d rather spend time doing things to reward and encourage the people who are making high-quality themes without embedded advertising.
* Which we get enough of already.
WPMU-based Social Network
Chickspeak is a WordPress MU based social network. “I recently completed my biggest project yet; a fully fledged social network aimed at female college students. The difference? It’s built on WordPress MU.”
Short History of WordPress MultiUser
Non-Blog WordPress
On WP Security
Wincent Colaiuta has no problem throwing flames at WordPress, but doesn’t see fit to enable comments. (Apparently disabled to make Movable Type more secure.) His table-layout blog isn’t too notable but it got linked from Daring Fireball so a lot of people saw his article trying to draw the line between a routine point release and encouraging people to never use WordPress on the public internet. Here are a few points for thought in response:
- The SQL problem in 2.2 requires both registration to be enabled (off by default) and the blog to be upgraded to 2.2. It is a serious problem but I’ve heard of fewer than 5 exploits from the flaw. Even if you assume there are 100 blogs for every one we heard about, that’s still an incredibly small percentage of the millions of WordPresses out there, especially considering, as Wincent points out, the problem has been in the public for a while now.
- Getting people to upgrade web software is hard. We work as best we can with hosting companies, but a consideration is that it’s best to roll several security fixes into one release. It’s not responsible to do a release if we know of another problem, so sometimes there is a lag between an initial report and a final release, not to mention the testing required of a product used as much as WP.
- Wincent digs up the server crack that modified the files of 2.1.1 for a few days. Ignoring the fact that it was a server issue and had nothing to do with WordPress the software, we actually had NO reported exploits of the problem. (Though I’m sure there are at least a handful out there with problems, it wasn’t enough to hit our radar.) Despite that we took a hit and publicized the issue as much as we could to get the word out.
- Also about 2.1.1, the problem was found through someone proactively auditing the codebase.
- Finally Wincent says of WP “[a]nd if you insist on installing it, then you need to watch the trac like a hawk.” You would think complete transparency of the problems (it was on our bug tracker and mailing list) would be a good thing, especially considering the software Wincent uses doesn’t have a bug tracker, and the only way to submit a bug is through a contact form.
We can and do review new code for problems, and pick the vast majority up before any releases. I think the real issue though is not that WP has bugs which are sometimes security related, which all software not written by djb does, but that the mechanisms for updating complex web software are a pain. Right now the best experiences are probably with folks like Media Temple or Dreamhost that have pretty foolproof one-click upgrades and are quick with updates.
Making notification better and upgrading more painless for people not lucky enough to be on a host like that are problems with some very clever minds on them, and I’m confident that we’ll have good progress toward each in the next major release of WP.
Finally, I suppose we could act more like our proprietary competitors and try to downplay or hide security issues instead of trumpeting them loudly in our blog, but I think the benefit of having people well-informed outweighs the PR lumps we take for doing the right thing. I truly believe talking about these things in the open is the best way to address them.
In some ways it’s a good problem to have. When a product is popular, not only does it have more eyes from security professionals on it, but any problems garner a level of attention which is not quite warranted by the frequency of the general event, like Angelina Jolie having a baby. There are certainly things intrinsic to coding that can make software more or less secure, but all things being equal the software with the most eyes on it, which usually means Open Source, will be the most robust in the long term.
Avoiding Widget Slowdown
Mike Davidson: How To Keep Widgets From Slowing Down Sites: WEDJE. I’m thinking about making this a requirement for all external widgets on WordPress.com.
Flickr Switches to WP
The official Flickr blog has switched from Typepad to become a WordPress.com VIP and introduced some cool language features in the process. We’re all such big fans of Flickr and their team it’s been a real pleasure to work with them and have them on WordPress.
WP Contributors
Lloyd has a great post about all the people who contributed to WordPress 2.2, thank you! Open source is about so much more than code and licenses.
CNN on WP
Many of you have written in that CNN’s new Political Ticker blog is on WordPress. We know! They’re part of our VIP program which allowed them to launch quickly and serve millions of pageviews with no problems. The team there has launched dozens of blogs on the system, including ones for Fortune.com and CNN Money, and is a real pleasure to work with. To the extent blogs are going to have an impact on the 2008 election, they need to be able to reach millions of people in a short period of time without problems; I hope that WordPress.com provides that platform for folks.
Announcing HyperDB
I’ve started a new mailing list to discuss an enterprise DB class for WordPress.