WordPress Security
June 22, 2007
In “On WP Security”, Matt Mullenweg responds to recent criticism regarding the WordPress team’s approach to security fixes. While I work for Automattic, I have no direct personal involvement in WordPress, the Open Source project. That said, I know the team takes the integrity of WordPress incredibly seriously, and I do believe, after reading Matt’s response, that Colaiuta’s warning (uninstall WordPress or face certain doom!) seems rather hysterical.
As a purely anecdotal aside, I thought it was funny that Colaiuta recommended Movable Type as a secure blogging platform (unless you need outlandish extras like comments). I remember a very trying time not that long ago when my shared server at my otherwise-very-reliable web host, TextDrive, was routinely brought to its knees by exploited Movable Type blogs. (Read David Raynes’ comment on this post for clarification.)

Well, he’s got a point about comments. If you don’t want them then there’s very little reason to drag in all the PHP-MySQL scaffolding that’s there to support dynamic content. The only thing dynamic about the vast majority of blogs is the stray comment.
If you do that, then MT, essentially a static page publishing engine, is an obvious way to go. Not the only way, just an obvious one.
I’ve come to believe that blog comments could best be handled by offloading them, in a scenario much like how Automattic uses Akismet to allow a zillion blogs to offload spam checking. Haloscan does that now, but not nearly as well as it could be done. Some folks are already using wordpress.com sites solely for comments on their “real” blog. The next logical step is to eliminate the need for the site and just host comments.
Matt, not to be overly nitpicky, but I think “exploited” may be the wrong term to use there. There are some pretty serious security connotations to a word like that, and the problems MT has had in the past are pretty much entirely (at least in my experience) resource problems. “Exploit” implies that somebody broke into the system and did something malicious (e.g., stole passwords or the like). But the issues with MT that you are referring to are related simply to some jackass spammer attempting to leave 12,000 (or some other arbitrarily large number) comments at a time, and MT, when in vanilla CGI mode, can be a hog when that happens.
That’s exactly what I was talking about, David. Since you (literally) are the expert, I’ve linked up your comment in the post—you explained it much better than I can.
“I have no personal involvement in WordPress”, do you really not understand how your work benefits WordPress? ;-)
Fair enough—I’ve changed that to direct personal involvement. :)