By John Gruber
Build faster, more secure apps at scale. Try us for free.
Readers keep asking me why I’m “against” WordPress. I’m not against WordPress. But I think it’s important, for anyone who cares about their web sites, to understand just what you’re getting into when you decide to host your own WordPress site. If you don’t vigilantly keep your installation updated to the very latest version, you stand a good chance of being exploited. This isn’t just a warning that the doors on your house have weak locks; this is coming home and finding your home burgled and your valuables missing.
Is WordPress poorly-designed, security-wise? Is it just a matter of WordPress being phenomenally popular? Or is it both? I don’t know. The same argument continues to rage, 15 years after it started, regarding Microsoft Windows. WordPress has much to offer, starting with its large, generous, active developer community. But I can’t recall any widespread security attacks against Movable Type or Expression Engine, or against hosted services such as Squarespace, Posterous, Tumblr, or, yes, even WordPress.com (a hosted service, rather than software you host yourself).
I can’t abide the sort of blame-the-victim responses to these WordPress attacks along the lines of “Well, what do you expect to happen if you don’t keep your installation up to date?” I don’t religiously keep my installation of Movable Type up to date, and I know many other MT users don’t either, and yet our sites don’t get hacked. I’m not arguing that Movable Type is perfect. Clearly, it is not. No software is. I’m just saying the situation with WordPress is different, and clearly more dangerous, than it is on other platforms. (Nor am I attempting to persuade anyone to switch from WordPress to Movable Type.)
The good news is that WordPress has greatly simplified the upgrade process over the last year. That’s not much consolation to those running older versions who have been hit by this attack, but hopefully it means that so many casual WordPress users won’t fall behind in the future.
I fully acknowledge that there is much to be gained by running your own copy of WordPress. But clearly there is a price: constant vigilance.