Tue Apr 08 2008

Why are so many blogs getting hacked?

This is NOT intended as a gloat, but I really wonder why so many bloggers put up with the security hole-ridden software that Wordpress is.

It seems that barely a month goes by without another Wordpress release to patch yet another exploit. The latest problem – and it seems it’s a biggy – is detailed here (via Scotty).

Now, I need to be honest here: I am not an expert in this field. I don’t use WP and really don’t know much about how it is structured. But I do know that in the 3 years or so that I’ve been involved in blogging, both personally and in setting up blogging software for many others, I’ve never been hacked.
A big reason why is that I use Textpattern and not WP. It appears that Textpattern is inherently more secure because (I understand) it was written that way from the ground up.
Ironically, every so often there is a spate of posts on the TxP forums complaining that TxP doesn’t support trackbacks, even though these are a proven security and spam risk.
In an associated area, I understand that Textpattern’s comment system is inherently more secure and spam-resistant than those of other CMSs.

Interestingly, TxP even gets criticised in CMS circles as being a ‘dead’ project. Why? Because according to the ‘experts’, there are not frequent enough releases.
While regular TxP users might wish for a few more feature updates, we are all very grateful that the endless parade of security patches (à la WP) is simply not necessary.

Yes, TxP does not have the sheer number of plugins or templates that WP has, but:
a) serious bloggers will tend to design their own templates, and
b) there is a very active Textpattern community writing all sorts of plugins every day. You can often just ask in the forums and a coder will pop up and write something for you.

Again, let me say, I’m no expert in this, but every time another WP security issue comes along, I’m very grateful for the hard work the Textpattern devs have put into making such a stable and secure CMS.

Comment

  1. Like you, I’m no expert, but Wordpress is a far bigger target than any other CMS (see this, just one survey, for example).

    Simon · Apr 8, 10:13 PM · #

  2. Yeah, I’m sure that’s a significant part of the picture Simon, but it isn’t like o/s’s where you can be stuck using a particular o/s because of investment in apps, office politics, etc.
    Most blogging tools produce a very similar end result and run on the same web servers, so in my mind, there is very little reason to stick with a tool like WP when it has so much trouble being reasonably secure…

    Neil · Apr 9, 07:56 AM · #

  3. (1) I think TxP is not doing as much as WP. It does not have the same number of lines of code for a start, and the bigger a project is, the more problems it might have.

    (2) I do think WP feels more like a patched job. 2.5 is a bit better, but earlier versions do echo its tagline — code is like poetry. You hack it until it rhymes.

    (3) A lot of WP users have absolutely no idea how to secure a WP install. “This plugin asks me to chmod 777”, and the next thing you know is a hacked WP site.

    (4) As Simon said, WP is a much bigger target because of its popularity. Hacking sites is all about financial gains these days (injecting spams or virus). Why go for diminished return when you can catch a big fish?

    Scott · Apr 9, 11:09 AM · #
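Scott’s point (3) is the one a defender can actually check for. The following is an added example, not code from the post or from either CMS project: it builds a constructed, Textpattern-like directory tree in a temporary location, leaves one directory and one file at the "chmod 777"/"666" modes a careless plugin README might ask for, and then walks the tree reporting every entry that is writable by everyone. The directory and file names are assumptions for the sample; only the audit logic matters.

```python
"""Audit a web root for world-writable files and directories.

Added example (not from the original post): a defender's check for the
"this plugin asks me to chmod 777" mistake. It builds a constructed sample
tree in a temporary directory, then walks it and reports every entry whose
mode grants write access to "other".
"""
import os
import stat
import tempfile


def world_writable(path):
    """Return True if the entry at `path` grants write permission to everyone."""
    mode = os.lstat(path).st_mode
    return bool(mode & stat.S_IWOTH)


def find_world_writable(root):
    """Walk `root` and return a sorted list of relative paths that are world-writable.

    Symlinks are not followed, so a link is judged by its own mode rather
    than by the mode of whatever it points at.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if world_writable(full):
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def build_sample_tree(base):
    """Create a constructed CMS-like tree (names are assumptions) with one
    directory and one file left world-writable."""
    os.makedirs(os.path.join(base, "textpattern", "plugins"))
    os.makedirs(os.path.join(base, "images"))
    with open(os.path.join(base, "config.php"), "w") as fh:
        fh.write("<?php /* constructed sample */ ?>\n")
    with open(os.path.join(base, "images", "upload.txt"), "w") as fh:
        fh.write("constructed sample\n")
    # Sane defaults: owner writes, everyone else only reads/traverses.
    os.chmod(os.path.join(base, "config.php"), 0o640)
    os.chmod(os.path.join(base, "textpattern"), 0o755)
    os.chmod(os.path.join(base, "textpattern", "plugins"), 0o755)
    # The mistake under discussion: a plugin README said "chmod 777".
    os.chmod(os.path.join(base, "images"), 0o777)
    os.chmod(os.path.join(base, "images", "upload.txt"), 0o666)
    return base


def audit_sample():
    """Build the sample tree in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_world_writable(tmp)


if __name__ == "__main__":
    for rel in audit_sample():
        print("world-writable:", rel)
```

Run against a real web root with `find_world_writable("/path/to/webroot")`; anything it lists can be modified by any local account, including the web server’s own user, which is exactly what turns an upload or plugin bug into a persistent hacked site. Upload directories that genuinely must be writable by the web server should be owned by that user with mode 755 rather than opened to everyone.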

  4. Good points Scott…
    Although a fair proportion of TxP users also have little idea of setting permissions correctly as well!

    And as you and Simon have pointed out, the bigger the target the more likely a strike is…

    Neil · Apr 10, 07:33 PM · #

  5. As always just my two cents…

    • TXP doesn’t need core hacks.
    • Database calls are abstracted inside core functions.
    • Template tags build a security layer without the need to fiddle around with PHP hacks.
    • The default installation does not allow inserting raw PHP into article or page templates.
    • Scott is right: “I do think WP feels more like a patched job.” What a sick web 0.1 thinking hidden behind graphic gems.

    OK, I came to TXP because of the sections and I only needed a one-domain CMS. The choice proved to be a perfect one :)

    Simon – Lame argument: “Wordpress is a far bigger target than any other CMS” So what? Are we talking quality or quantity?

    Markus Merz · Apr 11, 05:06 AM · #
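Markus’s second and fourth bullets (database calls kept inside core functions, no raw PHP in templates) describe one defensive pattern: values reach the database only as bound parameters, never spliced into SQL text. The block below is an added example, not code from Textpattern or WordPress; Python’s `sqlite3` stands in for the CMS’s PHP database layer, the `textpattern` table and its rows are constructed sample data, and `safe_row` is a hypothetical core helper. A perfectly legitimate article title containing an apostrophe is enough to show why the template-level version is fragile.

```python
"""Why a CMS core that binds query parameters is safer than ad-hoc SQL in templates.

Added example, not code from Textpattern or WordPress: sqlite3 stands in
for the CMS's PHP database layer. `find_by_title_unsafe` builds SQL by
string concatenation, as hand-written template code tends to;
`find_by_title` goes through a single core function that binds the value.
"""
import sqlite3

# Constructed sample data standing in for an articles table.
SAMPLE_ARTICLES = [
    (1, "Why are so many blogs getting hacked?", "live"),
    (2, "O'Brien's notes on permissions", "live"),
    (3, "Draft: trackbacks", "draft"),
]


def open_sample_db():
    """Return an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE textpattern (id INTEGER PRIMARY KEY, title TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO textpattern VALUES (?, ?, ?)", SAMPLE_ARTICLES)
    return conn


def find_by_title_unsafe(conn, title):
    """Template-level SQL: the title is spliced into the statement text.

    Data and code share one string, so any quote in the input changes the
    statement's meaning; with an ordinary apostrophe it surfaces as a
    syntax error, which is the same mechanism an attacker would lean on.
    """
    sql = (
        "SELECT id FROM textpattern WHERE title = '" + title + "' AND status = 'live'"
    )
    return [row[0] for row in conn.execute(sql)]


def safe_row(conn, sql, params=()):
    """Hypothetical core helper: the only place raw SQL is executed.

    Values always travel as bound parameters, never inside the SQL text.
    """
    return conn.execute(sql, params).fetchall()


def find_by_title(conn, title):
    """Same lookup through the core helper; the title is data, not SQL."""
    rows = safe_row(
        conn,
        "SELECT id FROM textpattern WHERE title = ? AND status = 'live'",
        (title,),
    )
    return [row[0] for row in rows]


def compare(title):
    """Run both lookups for `title`; return (unsafe_result, safe_result).

    The unsafe result is the string "error" when concatenation produced
    malformed SQL.
    """
    conn = open_sample_db()
    try:
        unsafe = find_by_title_unsafe(conn, title)
    except sqlite3.OperationalError:
        unsafe = "error"
    return unsafe, find_by_title(conn, title)


if __name__ == "__main__":
    print(compare("Why are so many blogs getting hacked?"))
    print(compare("O'Brien's notes on permissions"))
```

The design point is the one Markus makes: if every query in the system passes through a helper like `safe_row`, a reviewer has one place to check, and template authors never get the chance to concatenate user input into SQL. Allowing raw PHP inside article or page templates reopens that door in every template on the site.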

  6. Markus,
    Thanks for the insights into TxP’s inherent security ‘features’…

    I think Simon’s (and Scott’s) point about WP being a big target is that much of the hacking of WP is spam related, and therefore revenue related. In that sense, a less secure app but with a huge user base will be an attractive target…

    Neil · Apr 11, 08:39 AM · #

Commenting is closed for this article.