[p2p-research] Moving to blogging: Wordpress vs. Movable Type vs. other?
Paul D. Fernhout
pdfernhout at kurtz-fernhout.com
Sun Oct 4 18:05:01 CEST 2009
Eugen Leitl wrote:
> On Sun, Oct 04, 2009 at 05:02:18AM -0400, Paul D. Fernhout wrote:
>> Well, Drupal and other things seemed mighty nice, but I decided to try
>> Wordpress for a while (in part because Michel is using it for the
>> p2pfoundation blog).
>
> Both Drupal and Wordpress are poorly written, and are high-maintenance
> security-wise. In case it's not hosted with professionals taking good
> care and feeding of it, and you don't want to spend most of your time
> tracking bugs and patching instead of writing, I would consider something else.
>
Eugen-
Thanks for the comments.
Yes, I can see what you mean. For example, there was apparently a huge
security hole in a few recent versions (except the current) where anyone
could instantly become the blog admin.
And, it looks like a lot of Wordpress plugins don't work with the latest
versions -- so there must be something going wrong in the design that the
assumptions exposed to plugins break so easily. For example, I wanted to add
reCaptcha, but it does not work.
A recent security issue with Wordpress and someone who got burned by it badly:
http://scobleizer.com/2009/09/05/i-dont-feel-safe-with-wordpress-hackers-broke-in-and-took-things/
http://wordpress.org/development/2009/09/keep-wordpress-secure/
"Right now there is a worm making its way around old, unpatched versions of
WordPress. This particular worm, like many before it, is clever: it
registers a user, uses a security bug (fixed earlier in the year) to allow
evaluated code to be executed through the permalink structure, makes itself
an admin, then uses JavaScript to hide itself when you look at users page,
attempts to clean up after itself, then goes quiet so you never notice while
it inserts hidden spam and malware into your old posts."
Nasty stuff.
But here is someone else just blaming it on not keeping up to date:
http://technosailor.com/2009/09/06/wordpress-security-and-how-im-going-to-take-all-your-money/
But, as you say, who wants to focus on applying security patches and not
writing when they set up a blog? How is the *average* user supposed to deal
with this? I know how to do all this and have in the past, and even I don't
want to deal with it much. :-) Still, Wordpress apparently has added a
fairly automatic upgrade process, but, it entails changing permissions on
lots of files first?
http://codex.wordpress.org/Upgrading_WordPress
The maintenance issue is what had appealed to me about Movable Type, given
my hosting provider maintains it. Although even there, you need to ask to be
upgraded to different versions, so I'm not sure exactly what they do
maintain? In the first URL above, a point is made that the person was using
a host that one might have thought maintained Wordpress (it is not clear).
In general, people seem to suggest Movable Type focuses more on good security.
Wordpress suggests they do not do security patches on earlier versions, so
you're on a continual update treadmill. But, as I said, it seems like
plugins must break then? In general, as an IT-ish person, I do not like
randomly upgrading software because it may introduce bugs and other
incompatibilities and instabilities; that is why one should test locally
first before upgrading stuff, ideally, though in practice, one generally
can't or does not have the time, or, for security reasons, upgrades are
essentially forced on one.
Still, there is some advice out there on general security improvements:
http://www.noupe.com/how-tos/wordpress-security-tips-and-hacks.html
http://codex.wordpress.org/Hardening_WordPress
I'm just trying Wordpress out, in part to find out this kind of stuff
(hopefully not the hard way).
One comment from the first link, of potential interest to the p2presearch
community:
http://technosailor.com/2009/09/06/wordpress-security-and-how-im-going-to-take-all-your-money/
"""
It amazes me that there are all these experts on technology and social media
but they have such a poor understanding of the tools that are out there.
Sure they can talk about all this conceptual stuff, use their position to
get access, and draw a large following but don’t have the ability to hit a
freaking button to update their blog.
The issues with plugins that are going to break because they don't work
with newer versions of WordPress are also pretty poor. 9 times out of 10
those old plugins that you were using have competitive plugins that are
newer; you just have to do some research.
It is easy to be lazy and point fingers over educating yourself about a
tool you are using and have a better understanding of it while protecting
yourself.
"""
Any other more specific suggestions as to more secure systems?
Zine had appealed to me because it is in Python and inspired by Wordpress:
http://zine.pocoo.org/about/
"Zine is an Open Source personal publishing platform written in Python. It's
written with security and extensibility in mind and inherits many ideas of
WordPress and other existing blogging systems. It's still a very young
project and far from where we want to go but we consider it stable for
everybody with a proper hosting environment. "
While I'm not a big fan of "security through obscurity", one can trade off a
smaller community against being a smaller target. That's another reason I
thought about just doing my own system.
Anyway, there are literally hundreds, if not thousands, of possible choices
for blogging and CMS (beyond writing my own), and at least a dozen or two
of them are established systems in various programming languages with big
communities as a CMS/blog. Python alone has a list of dozens of blogging
packages. So, it's hard to pick one. It involves both understanding the
landscape of possibilities and understanding the landscape of your personal
needs, and then figuring out possible matches (even multiple matches, as in
the p2p foundation case which uses both Wordpress and MediaWiki). And, as
you also mention, one can also go with a purely hosted solution where
someone else worries about these things (assuming they do, and assuming you
can still have your own domain?).
--Paul Fernhout
http://www.pdfernhout.net/
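The worm quoted above hides its admin account with JavaScript on the rendered users page and edits old posts to plant hidden spam, so a check that reads the database directly sidesteps both tricks. The following audit script is an added example, not code from this thread or from WordPress; it runs against a constructed in-memory sqlite stand-in for the wp_users, wp_usermeta and wp_posts tables (the table layout and the PHP-serialized wp_capabilities value mirror what WordPress stores, but every row is made up here).

```python
import re
import sqlite3

# Markup commonly used to keep injected content out of sight in a rendered post.
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|<iframe|<script", re.I)

# Constructed stand-in for the three WordPress tables involved (sqlite, in memory).
# WordPress keeps a user's roles PHP-serialized in wp_usermeta under wp_capabilities.
SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_date TEXT,
                       post_modified TEXT, post_content TEXT);
"""
# Constructed sample rows: one legitimate admin, one suspicious admin registered
# at 3 a.m., one untouched post and one old post edited months after publication.
SAMPLE_ROWS = [
    ("INSERT INTO wp_users VALUES (?,?,?)", (1, "paul", "2009-01-10 09:00:00")),
    ("INSERT INTO wp_users VALUES (?,?,?)", (7, "x9a2k", "2009-09-04 03:12:44")),
    ("INSERT INTO wp_usermeta VALUES (?,?,?)",
     (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}')),
    ("INSERT INTO wp_usermeta VALUES (?,?,?)",
     (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}')),
    ("INSERT INTO wp_posts VALUES (?,?,?,?)",
     (10, "2009-03-01 12:00:00", "2009-03-01 12:00:00", "<p>Hello world</p>")),
    ("INSERT INTO wp_posts VALUES (?,?,?,?)",
     (11, "2009-02-14 08:30:00", "2009-09-04 03:15:02",
      '<p>Old post</p><div style="display:none"><a href="http://example.invalid">spam</a></div>')),
]

def sample_db():
    """Build the in-memory database holding the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, row in SAMPLE_ROWS:
        conn.execute(sql, row)
    return conn

def administrators(conn):
    """Every login holding the administrator role, read straight from the tables
    rather than from the users page the worm's JavaScript tampers with."""
    rows = conn.execute(
        "SELECT u.user_login FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%\"administrator\"%' "
        "ORDER BY u.ID")
    return [r[0] for r in rows]

def tampered_posts(conn):
    """IDs of posts edited after publication whose body now carries hidden markup."""
    rows = conn.execute(
        "SELECT ID, post_content FROM wp_posts WHERE post_modified > post_date ORDER BY ID")
    return [pid for pid, body in rows if HIDDEN_RE.search(body)]
```

Against a live site you would point `sqlite3.connect` at an export of the real tables (or swap in a MySQL connector) and compare the administrator list with the accounts you actually created.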