Another day, another WP exploit! This one’s apparently been floating around the net for weeks, and a fix was only released a few hours ago.
I’m lucky. I have enough technical skill to set up WP as an svn working copy, which means that the upgrade, for me, is as simple as issuing this command on the three or four WP blogs I’m responsible for:
svn switch http://svn.automattic.com/wordpress/tags/2.2.1/
And it’s done, instantly. For minor upgrades I don’t even bother disabling plugins.
But the vast majority of people install their WP blogs manually, from the downloadable archive, which is the method the WP team recommends. Those people face a monthly task of laboriously backing up, replacing files all over the place, copying and replacing any customisations like themes, moving their pictures and content from folder to folder .. in other words, a pain in the fucking ass, especially when it happens so often. Therefore – it doesn’t get done.
A good quick check of how on-the-ball a site is, security-wise, is to do a quick “view source” on their WordPress blog. I do this on pretty much any WP blog I regularly visit. Just checking! I know several popular blogs that haven’t updated for months and months – one of the most popular is still at 2.1.2. And that’s an internet company. If even internet companies can’t, or don’t realise they have to, keep their WP installs up-to-the-fucking-minute-or-else, what chance does the regular joe have?
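As an added example (not the post’s own code), here is the “view source” check above turned into a small Python audit you can run against the front pages of the WP sites you are responsible for: it pulls the version out of the generator meta tag WordPress emits and compares it with the release the post upgrades to. The 2.2.1 release string comes from the post; the sample HTML is constructed, not captured from any real site.

```python
import re
from html.parser import HTMLParser

# Constructed sample of what "view source" on a WordPress front page shows.
# Not taken from any real site.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 2.1.2" />
<link rel="stylesheet" href="/wp-content/themes/default/style.css" />
</head><body></body></html>"""

CURRENT_RELEASE = "2.2.1"  # the tag the post switches its working copies to


class GeneratorTag(HTMLParser):
    """Collect the content of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): v for k, v in attrs}
        if a.get("name", "").lower() == "generator" and a.get("content"):
            self.generators.append(a["content"])


def wordpress_version(html):
    """Return the WordPress version advertised by the page, or None if hidden."""
    p = GeneratorTag()
    p.feed(html)
    for g in p.generators:
        m = re.match(r"WordPress\s+([0-9]+(?:\.[0-9]+)*)", g)
        if m:
            return m.group(1)
    return None


def version_tuple(v):
    # "2.1.2" -> (2, 1, 2); tuple comparison orders releases correctly
    return tuple(int(x) for x in v.split("."))


def audit(html, current=CURRENT_RELEASE):
    """Classify a page as 'hidden' (no version disclosed), 'current' or 'outdated'."""
    v = wordpress_version(html)
    if v is None:
        return ("hidden", None)
    state = "current" if version_tuple(v) >= version_tuple(current) else "outdated"
    return (state, v)


if __name__ == "__main__":
    print(audit(SAMPLE_HTML))
```

A page that reports "hidden" has merely removed the tag; it still needs the upgrade, so treat the result as a disclosure check, not proof of patch level.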
So – if you’re choosing blog software, here’s my advice: don’t choose wordpress. And if you did make the mistake of choosing it and are now a bit too locked in to easily move, like me – keep it religiously updated. Move to svn distribution. Go to trunk, if necessary (I used to run trunk but stopped when I gained a little more trust in WP .. I’m thinking of going back to it now). But the best option is just to never sign on to this endless security-flaws treadmill in the first place.
June 21st, 2007 at 5:41 pm
My thoughts exactly.
June 23rd, 2007 at 3:09 pm
I find it strange seeing people condemning WordPress for doing exactly what they demand others, such as Microsoft and Company, do. Were it not for the regular security fixes and updates to WordPress it would be dead in the water like so many other software applications which are unable to keep up with the times, or with the threat level.
As to your list of what needs to be done for each and every upgrade or update, really? I have never had the need to move a single picture from one file to another when updating or upgrading – and I have several hundred on my weblog – and switching off plug-ins is a piece of cake, there is an interface there exactly for that task.
So some people don’t upgrade – including an Internet company – is that a WordPress fault? I don’t think so. Everyone can decide for themselves whether they upgrade or not, the information is always readily available, and that often within an hour or so of a problem arising – when it’s a serious one, and that is rare to say the least.
You quote the svn update facility, and then recommend that people don’t use WordPress? Biting yourself in the ass, I would say, since the svn update facility is one of those good sides other providers do not have. Perhaps you realise this and, despite your rather random and ill-thought out tirade, you’ll come to see that you use WordPress because it is better than the others, and likely to remain that way for a long time to come. Or would you rather switch to Movable Type – about to go Open Source just like WordPress – and close down your comments, hide in a hole and only venture out to sniff at the competition as it races into the future, leaving you and Wincent Colaiuta behind?
Pi.
June 23rd, 2007 at 3:47 pm
I’m of a like mind with Pi there. WordPress is not to blame for lazy people who don’t bother to keep things up-to-date. The lazy-ass morons who don’t know a thing about being safe on the Internet are to blame. I update manually every time there’s a new release and somehow I don’t have any problems doing it. Does it take too much time? No, not really. It’s not really a “fucking pain in the ass” either. Maybe because I know enough about how WordPress works to only replace what needs to be replaced. You shouldn’t need to mess with copying your themes since the wp-content folder does not usually need to be updated at all.
Granted, I’m not the average Joe blogger, but the average Joe blogger should be using a platform that doesn’t require any technical knowledge at all, such as Blogger or WordPress.com, not a manual install of WordPress. If you don’t know anything about being safe on the Internet, you shouldn’t be installing things on an SQL database.
Besides, all software has its security holes. At least WordPress jumps on their holes when they become troublesome. That’s the good thing about being open source. Anyone can pitch in to get rid of an exploit. What about the alternatives? Movable Type? It sucks, and (for now) you have to rely completely on Six Apart being open about any security holes. WordPress publicizes their exploits, which results in a relatively quick turnaround for fixes. What, is a couple of weeks too long to wait for a fix? Better than a couple of months as it is with most closed source software.
But really, if you dislike WP so much, ditch it. I’ve read about many people switching from Movable Type to WordPress. If they can do that, you can surely switch from WordPress. Or would that just take up too much of your precious ranting time?
June 23rd, 2007 at 4:59 pm
For my reply to the above missing-the-point comments, simply replace all instances of “WordPress”, chronically insecure software aimed at non-technical users, with “Microsoft Windows”, also chronically insecure software aimed at non-technical users.
No more comments! Sorry, I don’t really run this blog to conduct conversations with strangers.
July 8th, 2007 at 6:08 pm
[...] his own. Rather, Wincent takes his comments – slightly re-written – from someone calling themselves Sho Fukamachi. This isn’t a problem in itself, since he has linked to the original article, although not [...]