windowspress

aw, Scoble got hacked after abandoning wordpress.com for not letting him be quite Special enough to have plugins. One cannot blame Matt for experiencing some schadenfreude, though blaming the host rather than Scoble sounds disappointingly like he’s scared of losing any chance of him and his dollars coming home to VIP-land. I bet he wouldn’t be criticising Rackspace if it were on the wordpress.org affiliate page.

Seriously, though, why is anyone who gives a shit about not having their blog hacked still using wordpress? Do they actually enjoy having to upgrade every couple of weeks? I never thought I’d say this, but there are more important things than pretty themes when you’re choosing a blogtool. I think we can now officially declare that WP is the Windows of blogging. It’s easy, it’s convenient, but the tradeoff is YOU GET WORMS.

19 Comments »

  1. My understanding was Scoble’s VIP account was a freebie one.

    My favorite quote so far is from Robert: “I didn’t realize that WordPress had major holes in it.” Scoble is supposed to be a “tech blogger” and doesn’t realize this? Kind of amazed that someone of his stature doesn’t realize that all software runs the risk of having security problems.

    Flipping through the comments on the “hacked” blog post shows a lot of folks calling him out on this. I wonder if it’ll do any good.

    One thing that comes to mind, besides that maybe the upper level of tech bloggers aren’t all they’re cracked up to be, is the WordPress New Version notice kind of got missed by most folks I guess.

    • I think it’s probably near-impossible to get the word out about upgrades to the average user. They are so used to tuning out ads and such that most of the things they see in their dashboards are just white noise. Nor is there any real distinction made in announcement posts or version numbers between ‘this fixes a possible XSS vulnerability that some guy reported but has not been proven to affect anyone in the wild’ and ‘crucial upgrade to prevent your server being compromised and data being lost’. It’s the crying wolf thing, again.

      If there were one information channel that restricted itself to broadcasting things that were genuinely important people might listen to it. I’d have a blog at wordpress.org/security that rated holes and upgrades according to urgency, offered patches for the benefit of advanced users not on one-click installs and responded rapidly to any reports of exploits. And a member of staff with primary responsibility for security issues, so people don’t have to hang around a couple of days waiting for Matt to make official statements. If everyone on Twitter is broadcasting WP vulnerabilities, that’s great for getting the word out but it’s undeniably shitty for their brand. They need to start looking like they care more.

  2. Jay said

    Hey, I’ve been reading your blog for a long time — I’ve been happily using WordPress for years, and I enjoy hearing dissenting opinions about it (because there is so much unmitigated praise being casually tossed around).

    That said, what blog platform do you recommend? MovableType? Drupal?

    • I don’t have much experience with MT, but I’m not a big fan; it just feels, I don’t know, a bit antiquated. I don’t have much experience with Drupal either, but comparing it with WP is apples and oranges; Drupal is a full-powered CMS, significantly more complex than WP, and probably overkill if all you want to do is blog.

      My personal journal (locked, hardly ever updated, eight and a half years of archives) uses Habari, but it has yet to reach a 1.0 version (and is unlikely to do so any time soon) so isn’t really stable enough for me to recommend. The next iteration of my design site will probably be on textpattern. I’m not in love with it, but it’s a handy kind of halfway house between WP and Drupal; more of a CMS than WP, more of a blog than Drupal.

      To be honest, these days I feel self-hosting is more trouble than it’s worth unless you’re the kind of geek who actively enjoys installing stuff. If you care about community and finding like-minded bloggers go to livejournal or one of the lj clone sites, if you want to customise your template go to blogspot, if you don’t mind paying over the odds to avoid upgrade hassles head for typepad or squarespace, if you just want to write and don’t care how your site looks stick with wordpress.com. I’m a big believer in using the best tools for the job.

    • We moved our almost 900 WordPress clients over to Serendipity a few years back when we realized that Matt’s halo isn’t as white as folks seem to think it is. Took a couple of weeks of work to get the setup nearly the same, but it chopped our support questions nearly in half.

  3. hari said

    I’ve created my own blogging platform. It’s nice, simple and doesn’t really over-power the server with needless features or bloat.

    If you have reasonable knowledge of PHP and SQL, it’s quite possible to write your own blog platform without the fluff of WordPress. Of course, mine is more complex as it contains a full-fledged admin panel with comment-management as well.

    It powers my blog currently. Take a look. I might release it as open source some day. I use SQLite instead of MySQL and I’ve not regretted that decision. SQLite simplifies the code a lot, since you don’t have to connect to a separate SQL server for retrieving data.

  4. admin said

    Nope, definitely not Windows. The two are very different and it can’t be used as an analogy. The first thing for me is that WordPress is open source; there isn’t anything comparable to WordPress. And I love this theme, P2, but it needs some editing: the gravatars should appear after the comment, like FriendFeed, and the hierarchy isn’t good looking.

    • The majority of the alternatives I mentioned in my comment above are fully or partially open-source too. Being open-source is not special or unique; if WordPress were the only open source blogtool around, that would suggest that open source was a rubbish development strategy which nobody else wanted to adopt, which obviously isn’t the case.

      As for your issues with P2, tell it to Automattic. I don’t have the CSS upgrade on this blog and the only reason I’m using this theme is that it conceals the spammy global tag links on posts.

      • admin said

        Hey, I made those remarks casually with nothing specific in mind. As for P2, it can be modified by anyone, since P2 is also available for WordPress installs. I made those comments in general. And where won’t you get worms? Strange.

  5. filosofo said

    I think we can now officially declare that WP is the Windows of blogging. It’s easy, it’s convenient, but the tradeoff is YOU GET WORMS.

    A better analogy would be to say that WordPress is the Firefox of blogging: fix security holes quickly after they’re reported (instead of bundling them), and you get blamed for having more security issues.

    Scoble has only himself to thank. He says he didn’t upgrade because WordPress upgrades have a “reputation” of breaking 3rd-party plugins, which he says is WordPress’s “problem.” If I blamed the car manufacturer when retreads on my car flew apart on the highway, the public response would be rolled eyes. But make the subject software and put the words in the mouth of a tech celebrity, and everyone nods. I’m sure even someone with an existing animus towards WordPress can recognize how flawed that thinking is.

    • Oh, I never said Scoble wasn’t an idiot. If you don’t back up and you don’t upgrade, it’s your own fault if you get hacked. But, if you’re an A-lister, there will always be a line of sycophants willing to join you in passing the buck. What irritated me about Matt’s response was the way he attempted to deflect the blame from WP by passing it on to the host, rather than putting it back on Scoble where it belonged.

      I still think the ‘use the latest version and you will always be fine’ line is potentially dangerous and misleading, though. You are substantially more likely to be fine than if you are using an old version with known vulnerabilities, but nothing is 100%. All WP releases were the latest ‘secure’ version once. You are more likely to fall victim to script kiddies if you are using the most popular platform, because that’s the one they’re poking at. I know that if I’m using Windows I need to be more vigilant than if I were on a Mac or Linux. WP users need to develop the same awareness that their greater range of themes and plugins comes at a price.

      • filosofo said

        You are substantially more likely to be fine than if you are using an old version with known vulnerabilities, but nothing is 100%. All WP releases were the latest ‘secure’ version once. You are more likely to fall victim to script kiddies if you are using the most popular platform, because that’s the one they’re poking at. I know that if I’m using Windows I need to be more vigilant than if I were on a Mac or Linux. WP users need to develop the same awareness that their greater range of themes and plugins comes at a price.

        I agree completely. None of that is quite the same as saying that using WordPress means “YOU GET WORMS.” For whatever reason, so far the security updates have been mostly a few steps ahead of the attacks. I’d like to think that’s because there’s a salient difference between popular, open-source and popular, closed-source applications: the number of white hats inspecting the open source should rise more or less in proportion with the number of black hats.

        As you say nothing is 100%, and probably some day the black hats will catch up, but I haven’t yet seen any reason to think that that probability is any greater for WordPress than similar applications.

    • WordPress is not the Firefox of blogging. Far from it. At least with Firefox, there’s ethics, peer and security reviews and the like. You don’t have any of that with WordPress.

      Gallery has an outside and independent security review. When Matt finally mentioned that WordPress had had one, it was an internal one at the bidding of their VIP clients. (Damn, can’t find the mention.) Over a year ago there was discussion of better security measures within WordPress made by Mark Jaquith, a well respected WordPress developer. None of those suggestions have been made.

      Scoble is supposed to be a “tech guru” with experience in the field. His passing the problem off with a “I didn’t know there was security problems” shows his lack of knowledge about the Internet and software in general. All software has security concerns. To say otherwise is just foolish.

      Doesn’t matter though. Il is a WordPress forum helper. He’s not allowed to have his own opinion. Matt and the rest of Automattic proved that long ago. Has to follow the party line.

      • Found Ryan stating a year ago that wordpress.com had a security audit on VIP request, but nothing Automattic-sponsored for .org. Of course, they may have done more since then, but I can’t help thinking Matt would have mentioned it on the latest dev blog post if they had.

      • It’s sad that I have to copy and paste this out of Notepad just to be able to write and read it.

        And didn’t we all go through this last year? You would have thought people would have learned from the experience.

        Hmm, I don’t think that was it although that makes for interesting reading. That’s the first time I’ve heard anything about “security groups looking for publicity” and students looking for experience. That’s not a true security audit though and notice there’s no mention who actually did the wp.com audits. The quote I remember just said the internal security audits done at the request of a “couple of VIP clients.” (I thought it was the blogsecurity interview but it’s not there either. That’s the “We need a security audit” one. This is bugging me.)

        Also if security was that important, the email address security@wordpress.org would actually be monitored. Seems like nearly every report says that they were contacted but no response was ever made.

        The follow-up comment by Angsuman Chakraborty is interesting as well. The only time I saw any mention by the wp.org folks of a plugin with security problems was wp-forum. They pass the blame for all those CVEs onto the plugins, mention that they’ll help fix them if asked, but only once published a notice about a bad plugin (wp-forum), and I don’t recall them actually helping anyone with a security problem. I don’t read the mailing lists anymore, so I’ll be the first to admit that I may have missed something in there, but I highly doubt it. Also note that Angsuman Chakraborty requests references to the outside audits but there’s no response. You would think someone from Automattic would be jumping up and down to provide that information. Oh wait, that’s right. They don’t actually answer questions posed to them. I forgot company policy.

  6. [...] of WordPress. In this, she provides a much needed service. Lord knows, WordPress has weaknesses. I offer this as a sample of her wisdom and scathing wit: aw, Scoble got hacked after abandoning wordpress.com for not letting him be quite Special enough [...]

  7. I had a thought on the walk home last night. VIPs can use JavaScript, as it’s allowed under their program. Something’s strange if Scoble wasn’t allowed the use of it.

  8. drmike said

    Just noticed the security issue that caused the 3.0.2 release was a known issue for 18 months. How’s that for fixing quickly?
