Website: http://www.onemanandhisblog.com/
Original page: http://www.onemanandhisblog.com/archives/2009/09/the_wordpress_attack_competition_and_blo.html
I am the sort of user who's in the middle ground. I'm competent enough to install and maintain my own blogs, but not expert enough to deal with the kind of hacking that's been going on of late. Plus I'd installed blogs that I'd forgotten about... which is lethal. Any chink in your WordPress armour is a chink too many. These hacks are sophisticated and if you don't know what the WordPress core files look like it's very hard to spot where exactly the compromise is.
I have to say that I was quite shocked at how vulnerable WordPress was. Whether the latest version is secure I have no idea, but we should not be in a position of being advised to "harden" our installations to make them so!
Movable Type have an opportunity here, to create a version of MT that is secure, can deal with spam nicely, and can be administered by someone with moderate skills. Sadly, I'm not sure they'll care to take up that challenge and produce a viable WordPress competitor.
It does make you wonder how much security testing WP have done though.
We're trying our best to make upgrading a no-hassle operation, and I'd invite you to compare upgrading to WP to other web scripts, but obviously we still have further to go to make it easier -- maybe auto-upgrade like some web hosts already provide.
"It does make you wonder how much security testing WP have done though."
As someone who runs 8 million WordPress blogs comprising one of the top 20 websites on the net, I can tell you a lot. Extremely high-target blogs have been running WordPress for 5+ years with no security issues, it's just a matter of proper administration and, yes, keeping up with updates.
Let me know if there's any way I can help with your blog problem, perhaps there's a way we could configure WP or get you set up on a host that doesn't burden you with having to worry about these things. Anything our software does that's a distraction to your writing, your content, your community is a failing in my opinion.
Upgrade has measurably improved. I used to use the Automatic Upgrade plugin, because it made life so much easier. I used the new built-in upgrader today on a friend's blog, and it worked very well. It would be interesting to know if there are plug-ins or other easily done changes which break it, and how many people have problems with it, because that would be a massive barrier to upgrading for a lot of people. And WP can't now afford to have any barriers to upgrading when the upgrades are so important.
Which brings me to another point. I had no idea that this upgrade of WP was this important. WP always says upgrades are essential, but this time I feel it was a touch more important than it has been in the past! Perhaps a bit more variation in the messaging around upgrades would have helped emphasise that this one was exceptional -- if some upgrades are for functionality rather than security, perhaps the message within WP could say so? Then the upgrades that are for security purposes will stand out and hopefully people will act on them.
I had chosen not to upgrade because I didn't like the new interface (and I am still not very keen on it, even though I'm getting used to it). I'm not dumb, but I'm also not focused on keeping up to date with every nuance of every WP update, so I had no idea that by leaving my blogs as is that they would be vulnerable.
One upgrade area where there are significant problems, which you might be able to help influence, is the one-click packages like Fantastico. I just looked on my friend's server earlier, before we upgraded, and the message in Fantastico was "Your WP installation is out of date. Upgrade to 2.7..." I'm paraphrasing, but not on the version number it wanted me to upgrade to. Anyone who has relied on something like Fantastico to install WP might also be focused on using it to upgrade too, and if those sorts of packages are not up to date, that's a problem. Can you bring pressure to bear on the one-click installers to get their act together on upgrading?
I also think that the upgrade message within WP should also say something along the lines of "Do you have any other WP installations on this server that need upgrading? Remember: One out-of-date installation can compromise your entire server." Because that was at least part of my problem. A bit of variation and additional information in that upgrade message would not go amiss.
I'm pretty sure that my blogs weren't targeted because of their profile - some of them are dead to the world, really. I'm guessing that the spammers just spider the web for old versions of WordPress and hack everything they come across.
But I think a more fundamental problem is that WordPress has unintentionally done a bit of a bait-and-switch. It's billed as software that you can install and upgrade without too much server admin knowledge, and one-click installers and upgraders reinforce that message. So you have a lot of users who are like me - we're not dumb, we're technically competent within a limited sphere of knowledge, but we don't know enough to fix the kind of hack that these spammers have been using.
I am lucky - I know Mike Little and he's kind enough to help me out. And I know you, and you've been kind enough to offer help too. But there are lots of WordPress users out there who don't have that sort of support on hand, and they are going to find it very hard to sort out the mess that these hackers leave behind.
Now this isn't directly WP's fault and, yes, each of us should take responsibility for back-ups and upgrades, but at the same time I think that WP could help matters by thinking about better ways to reach and support users who are essentially one-click users (prior to this sort of disaster!). As a community, I'm sure we could come up with a variety of ways that this could be achieved. One thing I'd definitely like to see would be more information about hacks and how to deal with them -- written for non-techy users -- in a dedicated space on WP.org as they come to light and are investigated. I searched for info on the hack as soon as I realised what had happened, and couldn't find anything that made sense.
I'd also like to see some sort of plug-in security verification scheme, so that I can judge whether a plug-in is safe or risky. If there's a plug-in that's a security risk I want to know about it. I don't run many, but the ones I do are quite important to me. If they are dangerous, I need to find a replacement! Ditto for themes.
Having your blog(s) hacked is a horrible experience. My websites are now not in Google because of this hack, so I have to go and do webmaster shenanigans with Google that I never had to bother with before. But I do hope that it can be a valuable opportunity to learn, for everyone involved.
While I think that changes around the messaging won't make things any worse, I'm not sure if they'll have a big impact on upgrade adoption. Until you understand how bad a hack is by it happening to you, the remote possibility doesn't outweigh the perceived hassle of upgrading or, in your case, a distaste for the new version.
Ultimately I'd love to figure out a way for you to never even have to think of it.
To your point about plugins, there are no plugins in the repository that are known to be insecure. If a problem is reported the author fixes it and releases an update, or if they don't we'd do it for them and you'd get an update notification in your dashboard.
I have more hope for Melody, which is the fork of the open source version of Movable Type.
Any new blog has been and will in future be made on WP.com, where fixes will be made centrally, but I agree with you that another system would help prevent the creeping sameyness we're seeing all over the blogosphere.
It was true, for a little while. WP used to get very little spam.
Of course now we know that even if you have a contact form it gets spammed out the wazoo; the reason is that the benefit to the spammers is worth scripting for many types of software and in fact intelligently probing any form on the web. The exact same thing is going to happen with worms and web security. As soon as enough people apply Club solutions, the benefit to adapting is worth it. These guys are making money, and lots of it, by hacking blogs; it's no different from any other crime on- or offline.
And then it became dominant enough that the cost/benefit to the hackers became worth it? :-)
And I'd argue that there's a significant difference between spam scripts, which are mainly an annoyance, and security breaches which actually allow installs to be hijacked.
http://www.techdirt.com/articles/20090824/01023...
No one else in the world uses their software, and no one else in the world can view their source code. It's the anti-WordPress in that regard, but it doesn't matter.
Full disclosure: I'm part of the Habari team.
I think Habari takes a pretty decent approach to blogging, and security. The fact of the matter is that security is inversely proportional to convenience. The easier we make things to upgrade, the more opportunity we introduce for exploit. :(
If you're in the Columbus, OH area this weekend, swing by the first in-person Habari get-together to share your thoughts with the team!
http://groups.google.com/group/habari-users/bro...
http://wiki.habariproject.org/en/Habari_Party_2009
have managed in the past year or so is creating a self-hosted product that you never need to touch an FTP client to manage. You one-click install on your host, you upgrade from within the app - and you add plugins and themes the same way.
As someone who is, even as he types this, FTPing the latest version of MT to my server, I appreciate the sheer ease of this. Now, is that convenience worth the security trade-off? I'm not technical enough to answer that - but I'd love to see you guys and the Melody community at least thinking / talking about it - and if that isn't the right solution, be thinking about ways of making it easier for the casual user to manage their install.
(I do like the way Habari is developing generally, by the way. Looks really promising).
That's very interesting to read about. I didn't know about that.
Actually there is: Dotclear. Much simpler to use, less hacky for the power-user but better written and less of a hog than WP. Very popular in francophone-land and powering thousands of blogs (the Gandiblog hosted platform at Gandi is based on it). Never heard of an attack against it.
Disclosure: I'm a Movable Type veteran and make a decent living out of it. I understand the line between the casual, non-technical blogger and the power-user, but I would not use WP either personally or on a professional basis, precisely because of the regular security issues it has, that other blog/CMS software have not. I tend to agree with the "dominance factor" being an incentive for attackers, but I disagree that this is the only explanation for WP's (and its plugins') poor security track record.