Not long ago, word has been going around to upgrade WordPress to its latest version, 2.8.4. Robert Scoble suffered a loss: hackers broke into his blog and deleted some of his posts. On top of that, they planted malicious code in his archive pages, and Google emailed him to say it had removed his blog from its index.
I would be terribly upset if such a thing happened to me. I keep updating WordPress just in case. But what happens when it does get hacked? Are the WordPress developers to blame? One of the things brought up is custom plugins being incompatible with the new WordPress. I hate to say this, but when it comes to security it is still more important to temporarily disable the plugin and fix it ASAP than to skip the upgrade. The risk is just too great.
And backups. Do them frequently. If it’s hard to do backups, just pay your host to do them. I pay mine to handle that stuff for me. I’m not too clever with all the backup utilities, and I never had the time to explore them.
One of the comments in Scoble’s Friendfeed caught my attention:
This recent wave of WordPress incidents shows the negative side of using open source software. Matt says that there are many people looking into WordPress’ source code, but the problem is that probably half of those people have malicious reasons for doing so. – Nikolay Kolev
To which Matt of WordPress fame replied:
Nikolay, it’s always better to have more people looking at the code, because a bug that’s been found is better than a bug that hasn’t. WordPress used to get almost no security problems, and people thought it was because it was coded differently, when in fact it was coded far worse than it is today; it just didn’t have enough users to make it worthwhile to target. Also, where many commercial or proprietary companies try to minimize information about their problems or sit on a fix for months so they can package a bunch into one update, we put everything out there, doing a new release as soon as possible after a problem has been reported. – Matt Mullenweg
Here’s another response from another user, Tim:
Nikolay: I would also push back against your assumption that using Open Source software equals less security. Microsoft Windows and OS X are both closed source and both have security holes – there is a competition each year to help MS and Apple find them and fix them. Both Apple and Microsoft came away with security holes to fix this year. So just because it’s open source doesn’t automatically make it more open to security holes. I agree with Matt and believe that having the source open to all makes fixing the holes much quicker. – Tim
I think I can relate to this…
Anyway, Matt also wrote an article on How to keep WordPress secure.