It’s been widely reported that sites running the standalone version of WordPress are under “attack” and vulnerabilities are being exploited to insert malicious code into the site. I couldn’t help but notice similarities to Microsoft Windows.
While WordPress may not have the same market share as Windows it does have greater mindshare than any other single publishing platform. (OK, I don’t have the stats to back that up so maybe I’m wrong.) There’s even a major hosting company that specifically promotes WordPress standalone hosting. So like Windows, which comes pre-installed on nearly 90% of PCs sold, the barrier to entry is rather small. Back when I was getting started 3 years ago I picked WordPress because it was easy to set up and get going.
Like Windows, WordPress is used by a lot of people who couldn’t care less about the inner workings of the system (operating or content management) but just like what they can do with it.
Like Windows, WordPress is easy to install since most hosting companies provide a script that will do the installation. Until Microsoft started turning on the firewall and auto updates by default Windows was a virus magnet. Just a year ago doing any sort of WordPress upgrade was a major effort. The ability to upgrade from within WordPress is less than a year old, introduced in December 2008, and it still must be triggered by the administrator.
There’s been a lot of blaming the user for not upgrading as a result of these attacks. I find that a bit disingenuous. On the one hand WordPress is promoted as a solution for people who want an easy website so they can concentrate on what they want to say. Now people who picked WordPress for that reason are being blamed for not spending enough time updating their plumbing. Even though I’m someone who spends a lot lot of time with the plumbing because I like it, I can hardly blame people who haven’t upgraded. People who work on and write about WordPress have it as a significant part of their lives, for the vast majority it’s just a thing they use to run their personal website. If they made a mistake, it was in picking WordPress.
I like WordPress a lot and use it exclusively. This recent attack isn’t going to change that. But every so often I look around for something to replace WordPress because I’m spending too much time doing upgrades. Sure, I like working on the “plumbing” but I don’t like logging on and seeing there’s a new security update that plugs a vulnerability and I now have an unplanned upgrade cycle. WordPress 2.8 was released in mid-June, in the three months since then there’s been four security related updates.
So if you’re going to run a standalone WordPress install you need to be a webmaster (or plumber), no matter what your hosting company and the WordPress PR tells you. Don’t want to do it, then check out WordPress.com or Blogger for free hosted solutions or pick something less prone to attack like Moveable Type. Back in Feb 2008 I moved a site to WordPress.com simply so I could avoid the maintenance time on it.
If, like me, you decide to stick with a standalone WordPress site you’ll need to devise a plan to stay current and secure. My own plan is:
- Enabled WordPress administration over SSL
- I create at least two new IDs on my WordPress site. One to be the administrator and one to use for posting. I change the built in admin ID to a “subscriber” level. Each ID gets a unique and complex password. The administrator ID created by default is useless on my sites, just like the account named “Administrator” on my Windows PCs.
- I’m paranoid about security so WordPress’s built-in update facility doesn’t work for me. (My web server doesn’t have the access necessary to write to the WordPress files) I set up SVN to do the updates. Since this is easily scripted it makes updating multiple sites quicker and easier than going into the admin panel for each site.
- I did enable the built in update for plugins. I figured the risk was worth it since plugin updates are a huge hassle without the feature.
- Backup, Backup, Backup! I backup my database on a daily basis. Eventually I will need this, either because of a hack or because of a system failure. Because the latest backup may not be problem free (if the problem went unnoticed) I then copy this backup file, along with the entire site’s file system to my local PC on a daily basis. From there it gets saved as a daily archive for couple weeks so I can go back to older copies and minimize the loss of data if the problem went unnoticed for a couple days. While I’m paranoid about backups I’m also lazy , so all this had to be scripted and automated as I would never do it manually.
For more information about the current attacks and a list of WordPress security resources you can visit Lorelle on WordPress.