Info

A trade journal of a still-emerging field, written by Adam Tinworth.

John Gruber mused:

I have to wonder when WordPress users will start switching to some other platform.

There’s a reason it’s not happening. They can’t. There are no good alternatives for a less technical user who wants to self-host. 
There’s a vocal breed of WordPress advocate who pretty much equates blogging with WordPress. The two are synonymous, they argue. They treat my continued use of Movable Type as, at best, an aberration and, at worst, a political statement. It’s neither. I’ve just never had a compelling reason to shift off MT. It works fine for me, and pretty much always has. The irony here is that these folks have helped facilitate this attack. There are people out there who would have been far better blogging on the hosted WordPress.com, Typepad or Squarespace, because they really don’t want to be bothered with the technical stuff, but were encouraged onto self-hosted WordPress because that was “real blogging”. If you’re on recent versions of WordPress, upgrading is now trivial. But still too many people don’t do it, just as they don’t run Windows Update.
A world with only one good self-hosted blogging platform would be a poorer world – and we’re dangerously close to that point. The competition that drives platform innovation would not be as strong, and the black hats have much more tempting targets to attack. For the sake of the development of this medium, we actually need a good, strong competitor to WordPress. Six Apart has, to a large degree, ceded this ground to Automattic. Although MT4 and the in-beta MT5 are both huge steps forwards as large-scale blogging platforms, they’re tools for the technically-skilled at the installation and maintenance level, not the casual user. Habari and Melody aren’t ready for prime time yet. But one of them could rise to be a challenger, if they’re willing to look at the innovations the WordPress team have made in ease of use and maintenance, and attack them head-on. 
And we need someone to do so, and soon. Blogging is a vibrant, fast-moving and dynamic medium. And handing it over entirely to one platform, one view on what a blog should be, will only stifle it – and hand more bloggers over to the spammers. 
  • http://chocolateandvodka.com/ Suw

    I couldn't agree more!

    I am the sort of user who's in the middle ground. I'm competent enough to install and maintain my own blogs, but not expert enough to deal with the kind of hacking that's been going on of late. Plus I'd installed blogs that I'd forgotten about… which is lethal. Any chink in your WordPress armour is a chink too many. These hacks are sophisticated and if you don't know what the WordPress core files look like it's very hard to spot where exactly the compromise is.

    I have to say that I was quite shocked at how vulnerable WordPress was. Whether the latest version is secure I have no idea, but we should not be in a position of being advised to “harden” our installations to make them so!

    Movable Type have an opportunity here, to create a version of MT that is secure, can deal with spam nicely, and can be administered by someone with moderate skills. Sadly, I'm not sure they'll care to take up that challenge and produce a viable WordPress competitor.

    It does make you wonder how much security testing WP have done though.

  • brendadada

    We have no reason to think the latest version is more secure, only that WP has fixed the vulnerability that caused this latest round of hackings. What is worrying is that WP itself and it's commentators and fanboys are saying 'old versions' are prone, when actually they are talking about very recent and not old versions. The version I was using was 2.8, and I'm neither lazy or unaware, but it's not an old version.

    Any new blog has been and will in future be made on WP.com, where fixes will be made centrally, but I agree with you that another system would help prevent the creeping sameyness we're seeing all over the blogosphere.

  • http://www.onemanandhisblog.com Adam Tinworth

    I doubt that Six Apart have much interest in competing head-to-head with WordPress in the self-hosted individual blogger market. What's in it for them? Typepad serves the commercial element of the individual blogger market pretty nicely.

    I have more hope for Melody, which is the fork of the open source version of Movable Type.

  • http://skippy.net/ skippy

    I'm curious what, specifically, you'd advocate Melody or Habari to do to gain traction in this space.

    Full disclosure: I'm part of the Habari team.

    I think Habari takes a pretty decent approach to blogging, and security. The fact of the matter is that security is inversely proportional to convenience. The easier we make things to upgrade, the more opportunity we introduce for exploit. :(

    If you're in the Columbus, OH area this weekend, swing by the first in-person Habari get-together to share your thoughts with the team!
    http://groups.google.com/group/habari-users/bro
    http://wiki.habariproject.org/en/Habari_Party_2009

  • http://www.onemanandhisblog.com Adam Tinworth

    I think that the sheer stroke of brilliance that the WordPress guys
    have managed in the past year or so is creating a self-hosted product
    that you never need to touch an FTP client to manage. You one-click
    install on your host, you upgrade from within the app – and you add
    plugins and themes the same way.

    As someone who is, even as he types this, FTPing the latest version of
    MT to my server, I appreciate the sheer ease of this. Now, is that
    convenience worth the security trade-off? I'm not technical enough to
    answer that – but I'd love to see you guys and the Melody community at
    least thinking / talking about it – and if that isn't the right
    solution, be thinking about ways of making it easier for the casual
    user to manage their install.

    (I do like the way Habari is developing generally, by the way. Looks
    really promising).

  • http://ma.tt/ Matt

    Unfortunately the problem you describe (any chink in the armor) isn't specific to WordPress, it's probably just the most common thing you have running. If all of your WPs were up to date and you had an old Gallery installation you'd be in the exact same place again.

    We're trying our best to make upgrading a no-hassle operation, and I'd invite you to compare upgrading to WP to other web scripts, but obviously we still have further to go to make it easier — maybe auto-upgrade like some web hosts already provide.

    “It does make you wonder how much security testing WP have done though.”

    As someone who runs 8 million WordPress blogs comprising one of the top 20 websites on the net, I can tell you a lot. Extremely high-target blogs have been running WordPress for 5+ years with no security issues, it's just a matter of proper administration and, yes, keeping up with updates.

    Let me know if there's any way I can help with your blog problem, perhaps there's a way we could configure WP or get you set up on a host that doesn't burden you with having to worry about these things. Anything our software does that's a distraction to your writing, your content, your community is a failing in my opinion.

  • http://ma.tt/ Matt

    People used to make the same argument about spam against Movable Type, they said that more diversity in the blogosphere software realm would decrease the amount of spam because it would be harder for spammers to target other platforms besides MT.

    It was true, for a little while. WP used to get very little spam.

    Of course now we know that even if you have a contact form it gets spammed out the wazoo, the reason is the benefit to the spammers is worth scripting for many types of software and in fact intelligently probing any form on the web. The exact same thing is going to happen with worms and web security. As soon as enough people apply Club solutions, the benefit to adapting is worth it. These guys are making money and lots of it by hacking blogs, it's no different from any other crime on- or offline.

  • http://www.onemanandhisblog.com Adam Tinworth

    WP used to get very little spam

    And then it became dominant enough that the cost/benefit to the hackers became worth it? :-)

    And I'd argue that there's a significant difference between spam scripts, which are mainly an annoyance, and security breaches which actually allow installs to be hijacked.

  • http://ma.tt/ Matt

    As an illustration of this, Techdirt which uses completely custom software to publish their site got hacked last week:

    http://www.techdirt.com/articles/20090824/01023

    No one else in the world uses their software, and no one else in the world can view their source code. It's the anti-WordPress in that regard, but it doesn't matter.

  • jameshigham

    Back in 2003/2004 Movable Type was pretty much the predominant blogging platform for the self-hosters. And then two things broke its dominance in the market-place: a rather dumb pricing decision by Six Apart (which was rapidly corrected) and the growing wave of spam, which Six Apart was slow to get on top of. After all, there were a lot of MT blogs out there – it was worth the spammers targeting it.

    That's very interesting to read about. I didn't know about that.

  • http://www.onemanandhisblog.com Adam Tinworth

    It feels like blogging pre-history, but yes, the Movable Type folks did end up giving WordPress a huge, unintentional push.

  • http://ma.tt/ Matt

    From a user point of view, yes, but from the spammer point of view, it's just another way to get spammy content on your site. They have to work a lot harder than they used to because things like Akismet are 99.99% at blocking their comment spam attempts.

  • http://chocolateandvodka.com/ Suw

    Matt,

    Upgrade has measurably improved. I used to use the Automatic Upgrade plugin, because it made life so much easier. I used the new built-in upgrader today on a friend's blog, and it worked very well. It would be interesting to know if there are plug-ins or other easily done changes which break it, and how many people have problems with it, because that would be a massive barrier to upgrading for a lot of people. And WP can't now afford to have any barriers to upgrading when the upgrades are so important.

    Which brings me to another point. I had no idea that this upgrade of WP was this important. WP always says upgrades are essential, but this time I feel it was a touch more important than it has been in the past! Perhaps a bit more variation in the messaging around upgrades would have helped emphasise that this one was exceptional — if some upgrades are for functionality rather than security, perhaps the message within WP could say so? Then the upgrades that are for security purposes will stand out and hopefully people will act on them.

    I had chosen not to upgrade because I didn't like the new interface (and I am still not very keen on it, even though I'm getting used to it). I'm not dumb, but I'm also not focused on keeping up to date with every nuance of every WP update, so I had no idea that by leaving my blogs as is that they would be vulnerable.

    One upgrade area there there are significant problems which you might be able to help influence are the one-click packages like Fantastico. I just looked on my friend's server earlier, before we upgraded, and the message in Fantastico was “You WP installation is out of date. Upgrade to 2.7…” I'm paraphrasing, but not on version number it wanted me to upgrade to. Anyone who has relied on something like Fantastico to install WP might also be focused on using it to upgrade too, and if those sorts of packages are not up to date, that's a problem. Can you bring pressure to bear on the one-click installers to get their act together on upgrading?

    I also think that the upgrade message within WP should also say something along the lines of “Do you have any other WP installations on this server that need upgrading? Remember: One out-of-date installation can compromise your entire server.” Because that was at least part of my problem. A bit of variation and additional information in that upgrade message would not go amiss.

    I'm pretty sure that my blogs weren't targeted because of their profile – some of them are dead to the world, really. I'm guessing that the spammers just spider the web for old versions of WordPress and hack everything they come across.

    But I think a more fundamental problem is that WordPress has unintentionally done a bit of a bait-and-switch. It's billed as software that you can install and upgrade without too much server admin knowledge, and one-click installers and upgraders reinforce that message. So you have a lot of users who are like me – we're not dumb, we're technically competent within a limited sphere of knowledge, but we don't know enough to fix the kind of hack that these spammers have been using.

    I am lucky – I know Mike Little and he's kind enough to help me out. And I know you, and you've been kind enough to offer help too. But there are lots of WordPress users out there who don't have that sort of support on hand, and they are going to find it very hard to sort out the mess that these hackers leave behind.

    Now this isn't directly WP's fault and, yes, each of us should take responsibility for back-ups and upgrades, but at the same time I think that WP could help matters by thinking about better ways to reach and support users who are essentially one-click users (prior to this sort of disaster!). As a community, I'm sure we could come up with a variety of ways that this could be achieved. One thing I'd definitely like to see would be more information about hacks and how to deal with them — written for non-techy users — in a dedicated space on WP.org as they come to light and are investigated. I searched for info on the hack as soon as I realised what had happened, and couldn't find anything that made sense.

    I'd also like to see some sort of plug-in security verification scheme, so that i can judge whether a plug-in is safe or risky. If there's a plug-in that's a security risk I want to know about it. I don't run many, but the ones I do are quite important to me. If they are dangerous, I need to find a replacement! Ditto for themes.

    Having your blog(s) hacked is a horrible experience. My websites are now not in Google because of this hack, so I have to go and do webmaster shenanigans with Google that I never had to bother with before. But I do hope that it can be a valuable opportunity to learn, for everyone involved.

  • http://ma.tt/ Matt

    Once your blog has been hacked, there is no non-techy solution anymore and it becomes extraordinarily difficult to fix the breach. This is why I completely agree with you that an ounce of prevention is worth a pound of cure.

    While I think that changes around the messaging won't make things any worse, I'm not sure if they'll have a big impact or upgrade adoption. Until you understand how bad a hack is by it happening to you, the remote possibility doesn't outweigh the perceived hassle of upgrading or in your case a distaste for the new version.

    Ultimately I'd love to figure out a way for you to never even have to think of it.

    To your point about plugins, there are no plugins in the repository that are known to be insecure. If a problem is reported the author fixes it and releases an update, or if they don't we'd do it for them and you'd get an update notification in your dashboard.

  • http://twitter.com/michelvoitoux Michel Voitoux

    Thanks for this great post Adam, you are the Yoda of blogging (not referring to age but wisdom of course)

  • http://www.onemanandhisblog.com Adam Tinworth

    I'm also small and green, and I died several films ago. :)

  • ubiquitic

    “There are no good alternatives for a less technical user who wants to self-host.”

    Actually there is: Dotclear. Much simpler to use, less hacky for the power-user but better written and less of a hog than WP. Very popular in francophone-land and powering thousands of blogs (the Gandiblog hosted platform at Gandi is based on it). Never heard of an attack against it.

    Disclosure: I'm a Movable Type veteran and make a decent living out of it. I understand the line between the casual, non-technical blogger and the power-user, but I would not use WP either personally or on a professional basis, precisely because of the regular security issues it has, that other blog/CMS software have not. I tend to agree with the “dominance factor” being an incentive for attackers, but I disagree that this is the only explanation for WP (and its plugins) poor security track record.

  • Pingback: More on the WordPress Hackings | One Man & His Blog()