Current Events: Lazy Admins and WordPress Security

Posted: September 07, 2009 Comments(7)

WordPress has had a string of bad press as of late, and it’s important as a Web designer to know the real deal, and how (if) it affects your work, especially if you or your clients use it. I’m quite vocal about my admiration of WordPress. I’ve been a dedicated user since early versions, and I’ve come to know and love WordPress, for both the good and the bad. Mostly the good of course.

WordPress has had security breaches in the past, and there will be more in the future. That’s just the way it is. Attempting to classify any piece of software as completely void of security holes is a lost cause, and no software should be held to that standard. It’s up to the end user to take it upon himself to analyze the software and make an educated decision to use it. While it doesn’t remove responsibility completely, to WordPress’ credit, this most recent issue took hold only on outdated versions of WordPress. If you have been keeping your WordPress install(s) up to date, you were already covered when the incident first became widespread.

To me, the issue here lies with end users. WordPress is an extremely popular content platform. Millions of users happily publish their content to the world using the system, and that’s the extent to which they know about it. If I had to venture a guess, I would speculate that the majority of WordPress users have never actually installed the system, or are even aware of whether their version is the most current. Therein lies the problem, but that problem is in no way limited to WordPress itself. It is an issue with any piece of self-hosted software: the responsibility rests on the owner himself.

There’s always a tradeoff

A larger segment of backlash directed toward WordPress revolves around the fact that it’s self-hosted, and that most of the end users wouldn’t know how to upgrade, or even that it was possible. That’s not WordPress’ fault. That’s the fault of either the site owner or the Web firm who set up his website. Someone needs to retain the responsibility of maintaining the install; it can’t be left to rust. If you’re handing over the keys to a client, you need to make him aware of the ramifications of your decision to use a self-hosted application. You’ll need to explain that the software will need to be maintained and kept up to date, if for nothing else, to avoid security issues. That puts the pressure on him. The other option is to make sure your clients’ WordPress installs are kept up to date. That puts the pressure on you. One way or another, that decision needs to be made along with the original analysis regarding whether or not WordPress will effectively facilitate the project.

I use WordPress for the majority of my work. I know WordPress inside and out, I love the system, and I love the community. I know and expect there to be issues from time to time, and I take the time to make sure my WordPress installs are kept up to date. Not to toot a horn or anything, but I’ve never had a security issue with WordPress, and if that’s simply from keeping my installs up to date in reasonable intervals, I believe that’s a tribute to the WordPress team and community.

I realize that I’m running a risk by self-hosting my platform of choice, but there is no way I’ll ever return to a hosted solution simply because there are too many hoops to jump through. I prefer to hit the ground running, know what I’m doing, and get the job done in the fastest (most custom) way possible. Hosted solutions simply aren’t my choice solution, and as far as I can tell, it’s going to be some time before that’s the case (if ever). That’s a super opinionated statement, but I feel it’s important to convey that I do keep up to date on hosted solutions and consider each in comparison to WordPress as updates are rolled out.

Don’t be lazy

It’s tough to hear the integrity of WordPress be put in question because of lazy admins. To me, that’s what it comes down to after all. I’ve heard excuses left and right about why people don’t upgrade, right down to it being too time consuming, but it all comes down to laziness. The WordPress team has made the upgrade process a literal “click of a button” in the past year. It doesn’t get much easier than that. If your theme might break with a plugin upgrade or an upgrade to WordPress itself, write better themes. Your code should revolve around the fact that WordPress (and her plugins) are going to update, and it’s going to happen often. To moan about maintenance work is just a lazy excuse in my opinion.

I understand that there are other systems out there that don’t demand such care-taking, but I’m not the type of person who would let a version of software sit simply because I didn’t take the few minutes to perform some maintenance. To be honest with you, I would wonder why anyone would take such a stance, at least anyone in this industry. Why would you want to knowingly settle down with an expired piece of software?

Taking it for what it is

We know the issue of ‘Windows syndrome’. Crackers will spend most of their time and effort on the most popular system; you get the most bang for your buck. Not only is the software everywhere you look, it’s maintained by an exorbitant number of under-qualified people. Unfortunately, WordPress fits quite snugly in this classification, and that’s a major reason you’re seeing security issues get so much attention.

On top of that, WordPress is open source. Crackers have been given potential security issues arranged beautifully on a silver platter. More often than not, that works for the benefit of the community, and security issues are squashed before so much as a photon of light can provide exposure. In the eyes of security, this could be looked at as a con in comparison to a hosted solution. Without direct access to source code, malicious intent is much more difficult to bring to fruition. That’s why you aren’t seeing these security announcements from other self-hosted or hosted solutions: the access and the desire just aren’t there.

I’m not trying to make excuses

Of course I would prefer to not read these security bulletins about WordPress, but I take the responsibility associated with my decision to use WordPress and this comes with the territory. If you’re a WordPress user, just make sure you understand that this is part of the job, and if it’s not something you’re interested in, you should start examining other solutions. If you’re not a WordPress user, take the experience for what it’s worth, and give your application of choice another rundown solidifying your decision to use it.

I’m also not trying to start a flame war here; it’s just disconcerting to hear the instant dogging of a system that many of the nay-sayers aren’t even using. I suppose that’s the way of the Internet and will always be the case; I just hope that many people take the high ground and realize this, like everything else, is both a learning experience as well as a reminder.

Remain educated. Don’t take software for granted. Make sure your scheduled backup systems are in place, make sure your software is up to date, and don’t be a lazy Web designer.
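The two chores the post keeps coming back to, knowing which installs are behind and backing up before you touch them, are easy to script for a firm that maintains many client sites. The following POSIX shell script is an added example written for this post, not code from WordPress or from the author. It assumes only the standard WordPress layout, where `wp-includes/version.php` sets `$wp_version`; the reference version to compare against is supplied by the operator (take it from wordpress.org, the script does not fetch it), and the install paths are whatever you pass in.

```shell
#!/bin/sh
# Added example (not part of the original post): report WordPress installs
# whose core version lags a reference version, and archive an install before
# it is upgraded. Assumes the standard layout where wp-includes/version.php
# contains a line of the form:  $wp_version = '2.8.4';

# Print the core version of the WordPress install rooted at $1.
# Returns 1 if the file or the version line is missing.
wp_version_of() {
    f="$1/wp-includes/version.php"
    [ -f "$f" ] || return 1
    v=$(awk -F"'" '/^[$]wp_version[ \t]*=/ { print $2; exit }' "$f")
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Return 0 if dotted version $1 is strictly older than $2, else 1.
# Numeric sort on each component, so 2.10.0 correctly sorts after 2.9.1.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Compare every install root given after the reference version.
# Prints one line per root (OK / OUTDATED / SKIP) and returns non-zero
# when at least one install is outdated, so it can gate a cron job or CI step.
check_installs() {
    ref="$1"; shift
    outdated=0
    for root in "$@"; do
        if ! v=$(wp_version_of "$root"); then
            echo "SKIP $root (no wp-includes/version.php)"
            continue
        fi
        if version_lt "$v" "$ref"; then
            echo "OUTDATED $root $v < $ref"
            outdated=$((outdated + 1))
        else
            echo "OK $root $v"
        fi
    done
    [ "$outdated" -eq 0 ]
}

# Archive the install rooted at $1 into directory $2 as <name>-<timestamp>.tar.gz
# and print the archive path. Files only; the database is a separate dump.
backup_install() {
    root="$1"; dest="$2"
    name=$(basename "$root")
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/$name-$stamp.tar.gz"
    tar -czf "$archive" -C "$(dirname "$root")" "$name" || return 1
    printf '%s\n' "$archive"
}

# Usage: wp-check.sh <reference-version> <install-root>...
if [ "$#" -ge 2 ]; then
    check_installs "$@"
fi
```

Run it as `wp-check.sh 2.8.4 /var/www/client1 /var/www/client2` from cron and let the non-zero exit status page whoever owns maintenance. The file archive is deliberately only half of a backup: the posts, users and options live in MySQL, so pair it with a `mysqldump` of the site’s database before upgrading.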


Comments

  1. The company I work for has dozens of clients using WordPress and it is not a “one-click install” to upgrade their sites. We have to run each system through a series of unit-like tests to make sure nothing breaks (from themes to plugins, many of which are custom). Then we actually have to update the site, submit paperwork saying what was done and why etc and this is all after contacting the client and saying why they need to upgrade if their current site “still works fine”. Yes, the upgrade is quick and (normally) painless, but all the crap around it that a business has to deal with costs both time and money.

  2. Great write-up Jon, and totally on par with my feelings on this matter. I was blown away when I saw people raging out on Twitter about having to upgrade.

    The fact that this hole was plugged 2 versions ago is the real kicker. This just proves to me that the WP dev team are really on top of their game. It’s not like there’s an emergency security patch you have to apply. If you upgraded in the last few months, you should be fine.

  3. Back up your WP, then upgrade. You’re right it’s not that difficult. Should be done, period. It’s part of the whole package with WP.

    If you contract with people using WP as the platform, then these upgrades should be part of that contract along with the process to handle them.

    “…WordPress (and her plugins)…”

    Funny, I always thought of WP as a ‘him.’

    Good article.

  4. Great Post. I especially like the paragraph where you talk about the upfront discussion on maintenance with the client. This isn’t just related to WordPress, but any self-hosted content solution.

    Freelance designers and developers just starting out, I imagine, skip this step quite often, but it must be addressed for everyone’s good.
