
I don’t feel safe with Wordpress, hackers broke in and took things - mjfern
http://scobleizer.com/2009/09/05/i-dont-feel-safe-with-wordpress-hackers-broke-in-and-took-things/
======
jakarta
So let's get this straight:

He's complaining about Wordpress and their vulnerabilities when he:

1. hadn't upgraded WordPress in months
2. hadn't performed any backups of his posts

It's hard to be sympathetic to him or TechCrunch. If they're going to use
custom features like third-party plugins and specially designed pages, they
should have developers on staff to actively work to make sure that their
customizations will work after an upgrade. By not doing that they're begging
to be attacked.

~~~
antonovka
Seeing as WordPress requires security updates with genuinely astounding
regularity, I'm hesitant to blame the user. WordPress' excessive vulnerability
count clearly demonstrates an endemic issue in the software itself.

See also:

[http://www.securityfocus.com/cgi-bin/index.cgi?o=0&l=30&...](http://www.securityfocus.com/cgi-bin/index.cgi?o=0&l=30&c=12&op=display_list&vendor=WordPress&version=&title=&CVE=)

~~~
pavs
Or... another way to look at it: WordPress releases security updates at
astounding frequency without waiting to lump all those security updates into
one large update like most other large software tends to do.

Yes, I admit frequent updates can be a nuisance, but when they are literally
spoon-feeding you the update process (less than 10 seconds and one click in
most cases), it's stupidity, really.

See also: [http://www.securityfocus.com/cgi-bin/index.cgi?o=0&l=30&...](http://www.securityfocus.com/cgi-bin/index.cgi?o=0&l=30&c=12&op=display_list&vendor=Drupal&version=&title=&CVE=)

Drupal CMS: less popular, more vulnerabilities.

~~~
moe
_without waiting to lump all those security updates into one large update_

Why do there have to be frequent security updates in the first place?

If they didn't manage to tighten up their very limited attack surface in 6
years then I'd say it's a lost cause.

~~~
pavs
For widely popular software like WordPress, security will be a cat and mouse
game until it reaches a level of maturity like other open source projects
(i.e., Linux).

For me the problem is not that they release frequent updates; I would have a
problem if they didn't release frequent updates to known severe
vulnerabilities. If you look at their release logs you will see that most of
their security updates have a 24-48 hour turnaround from the time of the
vulnerability's detection.

The recent vulnerability that affected this blog and most others (i.e., Smashing
Magazine) had been fixed 2 releases before the current release.
People who were affected didn't update for the last 3 releases, and someone
developed a script out there that automatically scans for that vuln. and takes
advantage of it.

~~~
moe
_security will be a cat and mouse game_

From a security standpoint WordPress is a trivial application because it's
almost entirely read-only, except for the comments. Making a plugin
architecture bulletproof is a different story, but as I understand it most of
these issues affect the very core, i.e. a vanilla WordPress install.

There is no excuse for their sorry state of affairs.

------
pavs
Anyone who has been using WordPress for a couple of years, and actually bothers
to read the release notes of each version, will tell you that a vast majority
of those incremental updates are security fixes. Since around 2.7 upgrades are
as easy as clicking a button, both for plugins and WordPress core updates.

Instead of playing the "poor me" game, say it the way it is: you failed at
keeping your WordPress install up to date and secure, and you failed at having
a backup.

Smashing magazine got compromised last week and came out straight and admitted
their failure on keeping it safe by not upgrading.

This Scoble guy sounds a lot like Arrington; no wonder they are best
friends.

~~~
mechanical_fish
_Since around 2.7 upgrades are as easy as clicking a button, both for plugins
and WordPress core updates._

Which is, in itself, a fruitful source of potential security holes: to
accomplish this feature, WordPress has to have permission to overwrite its own
executables.
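
The permission mechanical_fish describes is something an administrator can check for directly. The POSIX shell script below is an added example, mine rather than code from this thread or from WordPress: it lists the core and plugin PHP files under a document root whose mode lets the group or everyone write them (which is what a compromised PHP process could also rewrite), ignores `wp-content/uploads` where write access is expected, and can reset modes to the 0755/0644 layout WordPress's own hardening guide recommends once an update is done. The miniature install it builds in a temp directory, and the file names and modes in it, are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from WordPress itself.
# Audits a WordPress document root for PHP files whose mode lets the
# group or everyone write them. When one-click updates are enabled by
# giving the web-server account write access to core, this is what a
# compromised PHP process could also rewrite.

# List .php files under $1 that are group- or world-writable, skipping
# wp-content/uploads (media uploads are expected to be writable).
writable_php() {
    root=$1
    find "$root" -path "$root/wp-content/uploads" -prune -o \
        -type f -name '*.php' \( -perm -020 -o -perm -002 \) -print
}

# Number of such files, as a bare integer.
count_writable_php() {
    writable_php "$1" | wc -l | tr -d ' '
}

# Reset everything outside uploads to the modes WordPress's hardening
# guide recommends: directories 0755, files 0644. After this the web
# server can no longer rewrite its own code until an admin re-enables it.
restore_modes() {
    root=$1
    find "$root" -path "$root/wp-content/uploads" -prune -o \
        -type d -exec chmod 0755 {} +
    find "$root" -path "$root/wp-content/uploads" -prune -o \
        -type f -exec chmod 0644 {} +
}

# Build a constructed miniature install in a temp directory and print
# its path; modes mimic a host where the updater was given write access.
make_sample_install() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-admin" "$d/wp-includes" \
             "$d/wp-content/plugins/demo" "$d/wp-content/uploads"
    for f in wp-login.php wp-admin/update.php wp-includes/functions.php \
             wp-content/plugins/demo/demo.php wp-content/uploads/2009.php; do
        : > "$d/$f"
    done
    chmod 0644 "$d/wp-login.php" "$d/wp-includes/functions.php"
    chmod 0664 "$d/wp-admin/update.php"              # group-writable core
    chmod 0666 "$d/wp-content/plugins/demo/demo.php" # world-writable plugin
    chmod 0666 "$d/wp-content/uploads/2009.php"      # ignored: uploads
    printf '%s\n' "$d"
}
```

Against the constructed tree, `count_writable_php` reports 2 (the core file and the plugin file; the uploads file is skipped), and after `restore_modes` it reports 0. On a real host, run `writable_php /path/to/wordpress` as the site owner and decide whether each listed file needs to stay writable between updates.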

~~~
russss
Not to mention the only way they support this is via FTP, and I'm not that
keen on enabling an FTP server purely for WordPress's needs, thanks.

------
Maro
My old WordPress installation was hacked some time ago, so (following the lead
of cperciva) I wrote a minimal blogging script which doesn't require PHP/MySQL
and just generates HTML. The admin interface is vi.

~~~
photomatt
You should check out Blosxom.

------
joechung
Scoble's got a new blog on Posterous: <http://scobleizer.posterous.com/>

~~~
ElbertF
I bet he uses the same password on Posterous as on WordPress.

------
jhancock
I've been very happy with DreamHost. Their control panel handles WordPress
backups and upgrades seamlessly. I just backed up and upgraded three WP sites;
it took less than 5 minutes.

------
oscardelben
I wonder if WordPress has unit tests, at least.

