[p2p-research] Moving to blogging: Wordpress vs. Movable Type vs. other?

Paul D. Fernhout pdfernhout at kurtz-fernhout.com
Sun Oct 4 18:05:01 CEST 2009


Eugen Leitl wrote:
> On Sun, Oct 04, 2009 at 05:02:18AM -0400, Paul D. Fernhout wrote:
>> Well, Drupal and other things seemed mighty nice, but I decided to try 
>> Wordpress for a while (in part because Michel is using it for the 
>> p2pfoundation blog).
> 
> Both Drupal and Wordpress are poorly written, and are high-maintenance
> security-wise. In case it's not hosted with professionals taking good
> care and feeding of it, and you don't want to spend most of your time 
> tracking bugs and patching instead of writing, I would consider something else.
>  

Eugen-

Thanks for the comments.

Yes, I can see what you mean. For example, there was apparently a huge 
security hole in a few recent versions (except the current) where anyone 
could instantly become the blog admin.

And, it looks like a lot of Wordpress plugins don't work with the latest 
versions -- so there must be something going wrong in the design that the 
assumptions exposed to plugins break so easily. For example, I wanted to add 
reCaptcha, but it does not work.

A recent security issue with Wordpress, and someone who got burned by it badly:
http://scobleizer.com/2009/09/05/i-dont-feel-safe-with-wordpress-hackers-broke-in-and-took-things/
http://wordpress.org/development/2009/09/keep-wordpress-secure/
"Right now there is a worm making its way around old, unpatched versions of 
WordPress. This particular worm, like many before it, is clever: it 
registers a user, uses a security bug (fixed earlier in the year) to allow 
evaluated code to be executed through the permalink structure, makes itself 
an admin, then uses JavaScript to hide itself when you look at users page, 
attempts to clean up after itself, then goes quiet so you never notice while 
it inserts hidden spam and malware into your old posts."

Nasty stuff.

But here is someone else just blaming it on not keeping up to date:
http://technosailor.com/2009/09/06/wordpress-security-and-how-im-going-to-take-all-your-money/

But, as you say, who wants to focus on applying security patches and not 
writing when they set up a blog? How is the *average* user supposed to deal 
with this? I know how to do all this and have in the past, and even I don't 
want to deal with it much. :-) Still, Wordpress apparently has added a 
fairly automatic upgrade process, but, it entails changing permissions on 
lots of files first?
   http://codex.wordpress.org/Upgrading_WordPress

The maintenance issue is what had appealed to me about Movable Type, given 
my hosting provider maintains it. Although even there, you need to ask to be 
upgraded to different versions, so I'm not sure exactly what they do 
maintain? In the first URL above, a point is made that the person was using 
a host that one might have thought maintained Wordpress (it is not clear). 
In general, people seem to suggest Movable Type focuses more on good security.

Wordpress suggests they do not do security patches on earlier versions, so 
you're on a continual update treadmill. But, as I said, it seems like 
plugins must break then? In general, as an IT-ish person, I do not like 
randomly upgrading software because it may introduce bugs and other 
incompatibilities and instabilities; that is why one should test locally 
first before upgrading stuff, ideally, though in practice, one generally 
can't or does not have the time, or, for security reasons, upgrades are 
essentially forced on one.

Still, there is some advice out there on general security improvements:
  http://www.noupe.com/how-tos/wordpress-security-tips-and-hacks.html
  http://codex.wordpress.org/Hardening_WordPress

I'm just trying Wordpress out, in part to find out this kind of stuff 
(hopefully not the hard way).

One comment from the first link, of potential interest to the p2presearch 
community:
http://technosailor.com/2009/09/06/wordpress-security-and-how-im-going-to-take-all-your-money/
"""
It amazes me that there are all these experts on technology and social media 
but they have such a poor understanding of the tools that are out there. 
Sure they can talk about all this conceptual stuff, use their position to 
get access, and draw a large following but don’t have the ability to hit a 
freaking button to update their blog.
   The issues with plugins that are going to break because they don’t work 
with newer versions of WordPress are also pretty poor. 9 times out of 10 
those old plugins that you were using have competitive plugins that are 
newer; you just have to do some research.
   It is easy to be lazy and point fingers over educating yourself about a 
tool you are using and have a better understanding of it while protecting 
yourself.
"""

Any other more specific suggestions as to more secure systems?

Zine had appealed to me because it is in Python and inspired by Wordpress:
   http://zine.pocoo.org/about/
"Zine is an Open Source personal publishing platform written in Python. It's 
written with security and extensibility in mind and inherits many ideas of 
WordPress and other existing blogging systems. It's still a very young 
project and far from where we want to go but we consider it stable for 
everybody with a proper hosting environment. "

While I'm not a big fan of "security through obscurity", one can trade off a 
smaller community against being a smaller target. That's another reason I 
thought about just doing my own system.

Anyway, there are literally hundreds, if not thousands, of possible choices 
for blogging and CMS (beyond writing my own), and at least a dozen or two 
of them are established systems in various programming languages with big 
communities as a CMS/blog. Python alone has a list of dozens of blogging 
packages. So, it's hard to pick one. It involves both understanding the 
landscape of possibilities and understanding the landscape of your personal 
needs, and then figuring out possible matches (even multiple matches, as in 
the p2p foundation case which uses both Wordpress and MediaWiki). And, as 
you also mention, one can also go with a purely hosted solution where 
someone else worries about these things (assuming they do, and assuming you 
can still have your own domain?).

--Paul Fernhout
http://www.pdfernhout.net/
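A defender-side check for the worm behaviour quoted in the message above (a self-registered administrator that hides itself on the users page, and hidden spam injected into old posts), added here as an example; it is not from the original message and not WordPress's own code. It reads user and post rows as pulled straight from the database or a dump, rather than from the admin screens the injected JavaScript can doctor; the row shapes, field names and sample data are constructed assumptions.

```python
import re

# Constructed sample rows, shaped like a direct SQL query against wp_users
# joined with the wp_capabilities entry of wp_usermeta. Reading the database
# (or a dump) bypasses the admin "Users" page, which the worm hides itself on.
USERS = [
    {"user_login": "paul", "role": "administrator", "user_registered": "2009-09-01"},
    {"user_login": "editor1", "role": "editor", "user_registered": "2009-09-02"},
    {"user_login": "xk9s_", "role": "administrator", "user_registered": "2009-10-03"},
]

# Constructed post rows as they would come from wp_posts.
POSTS = [
    {"ID": 1, "post_content": "<p>Hello world, a normal post.</p>"},
    {"ID": 2, "post_content": '<p>Old post</p><div style="display:none">'
                              'cheap pills <a href="http://example.invalid">buy</a></div>'},
    {"ID": 3, "post_content": '<p>Another</p><iframe src="http://example.invalid/x" '
                              'width="1" height="1"></iframe>'},
]

# Markers of content meant to be invisible to readers but still served to crawlers.
HIDDEN_PATTERNS = [
    ("hidden-style", re.compile(
        r'style\s*=\s*["\'][^"\']*(?:display\s*:\s*none|visibility\s*:\s*hidden)', re.I)),
    ("tiny-iframe", re.compile(
        r'<iframe\b[^>]*\b(?:width|height)\s*=\s*["\']?0*[01](?!\d)', re.I)),
    ("eval-call", re.compile(r'\b(?:eval|base64_decode)\s*\(', re.I)),
]


def unexpected_admins(users, expected_logins):
    """Logins holding the administrator role that are not on the owner's known list."""
    return sorted(u["user_login"] for u in users
                  if u["role"] == "administrator"
                  and u["user_login"] not in expected_logins)


def suspicious_posts(posts):
    """Map post ID -> names of hidden-content markers found in its body."""
    findings = {}
    for post in posts:
        hits = [name for name, rx in HIDDEN_PATTERNS if rx.search(post["post_content"])]
        if hits:
            findings[post["ID"]] = hits
    return findings


if __name__ == "__main__":
    print("unexpected admins:", unexpected_admins(USERS, {"paul"}))
    print("posts with hidden content:", suspicious_posts(POSTS))
```

Run it against a fresh dump after every upgrade or incident; an admin login you did not create, or an old post that suddenly carries hidden markup, is the signal the worm's own clean-up was designed to suppress.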


