The recent WordPress worm doing the rounds on the internet has really surprised me. Not because WordPress has yet again become vulnerable to attack via some hack or workaround, but because of various user reactions. Reading tweets and blog posts over the weekend I’ve been pretty stunned at what some people have been saying… you have the usual “WordPress Sucks” etc, but some go beyond that, and frankly – it’s a little ridiculous.
WordPress makes me feel unsafe
First off, there’s Robert Scoble. His recent blog post entitled “I Don’t feel safe with WordPress..” is pretty amazing in itself. He identifies a number of common user errors which frankly you cannot blame on any piece of software. They are:
“I didn’t have a backup” – What? You didn’t have a wha…? Come on! Who in their right mind runs a successful online enterprise and does not back up data? I’ve been backing this blog up since day 1 on a daily basis, not because I’m anal, but because it’s common sense.
“…my admin account has been deleted and a new one doesn’t use the name ‘admin’” – Yup – this one is also top of the crazy stupid list. Again I ask myself how people (and I say people, as in the group of people that apparently run scobelizer.com) think that having an Administrator account with the username of “admin” or “administrator” is a good idea. You’ve done half the hacker’s job for them.
Anyway, Robert goes on to say that he no longer “feels safe” using his WordPress blog because he has been taken advantage of (i.e. hacked) because of these errors. He then goes on to question how we as WordPress users can feel safe again after such a horrible experience. Granted – the day I get hacked I am going to be one pissed off bunny – but I seriously do not understand how WordPress is getting the blame on this one.
WordPress Sucks
Next up we have Arnold Kim (of MacRumors fame) digging up, via a tweet this evening, a blog post from 2 years ago in which he discussed how “WordPress sucks”. What Arnold says in this piece is basically that he doesn’t have the inclination to keep up with security updates for open source software, therefore it sucks. Ummm yeah. Sorry my man (and a man I respect for what he’s done elsewhere) but if you want a pain-free life – don’t use free open source technologies (edit – or any technology for that matter!)
It’s got nothing to do with lack of responsibility on the developers’ part.
The Problem
The problem with open source is, it’s open source. It’s the age old problem, and not tied down to any one product (as Arnold states at the top of his article). phpBB is another old favourite that also gets spanked by spammers on a regular basis via loopholes, hacks etc etc. But yeah, the problem is that the fact that the code is open source allows hackers (and anyone else for that matter) the luxury to drill down to the very core of the code that all of these successful blogs and forums are running on. Joe Bloggs can download the latest WordPress build in 30 seconds, and if inclined finger through every line of code looking for ways to break it.
Once found, that hack likely makes every WordPress blog vulnerable instantly. This is not the fault of WordPress.
The Options
For me, you have three options if you cannot “deal with the pains” of open source:
- Use open source but pay someone else to maintain it, and allow you the flexibility to work outside of the box.
- Use a closed source service – and be restricted.
- Build it yourself.
You cannot ever get away from the fact that open source is inherently vulnerable to hacks, worms blah blah blah. It is simply impossible. As soon as the code is exposed to all and sundry – people will try to break it. What better prize than to break some code that’s used by hundreds of thousands of blogs? Sounds like a fun project.
I would have hoped that people nowadays would understand this.
An update to this post to make my feelings VERY clear:
(taken from a recently posted comment…)
What I am trying to say is that because open source is open, security vulnerabilities can be found more easily (for better or for worse), so if you as a user are concerned with security you should:
1) Act securely yourself (see my points re Robert Scoble)
2) Accept that open source is open to vulnerabilities just as much as anything else, and that inevitably patching will be more frequent and the code security audited more often.
It is not the fault of open source.
It’s the users of open source I am trying to expose in this article, not open source itself.