WordPress Takes It On the Chin

Over the weekend, Robert Scoble had a public (and well warranted) temper tantrum after his WordPress blog was hacked. Not surprisingly, the experience left him upset and digitally vulnerable. But what really disappointed Scoble was WordPress’ casual and, arguably, cavalier, reaction it could have been avoided if he had upgraded to version 2.8.4.

This led to a lively discussion on Friendfeed between Scoble and WordPress domo Matt Mullenweg.

Looking back, WordPress was technically correct in stating that blog users must be diligent by upgrading to avoid any security attacks. There’s a never-ending war going on between software makers and hackers, software makers new to keep counter-attacking.

That said, WordPress dropped the ball by publicly “shrugging its shoulders” with the you should have upgraded message. When your blog has been hacked, the last thing you want to be told is you’ve done something wrong by not upgrading.

From a PR perspective that doesn’t help the situation or make anyone feel any better about things. Instead, many WordPress users wanted to be told what to do, how to fix things, and whether there was anything else they should be worried about such as rogue plug-ins.

If there are lessons to be learned, WordPress has to be more pro-active approach to Web security. If it’s not safe to use versions of WordPress that may only be a few weeks old, then WordPress has to really spread the word – and more than a short message on the WordPress dashboard.

As Elliott Ng suggests, WordPress also needs to create a directory or system that identifies what plug-ins are “safe and which ones are funky”.

Don’t get me wrong, I’m big WordPress fan and user, and respect the work that Mullenweg has done to create and evangelize the technology. But WordPress needs to re-load on how it handles security, and how it deals with its millions of users from a communications and PR perspective.

More: Daring Fireball has some thoughts, including an observation that Movable Type users don’t get penalized for not upgrading, while econsultancy’s Patricio Robles offers some security tips.

(Note: This blog was hacked a couple of weeks ago, apparently by Black Hat SEO hackers. As you can imagine, it spooked me about the security of everything I do online, not just my WordPress blogs.)

This entry was posted in Blogs and tagged , , , , , . Bookmark the permalink.
  • Liston

    Mr Scoble is worked up because he neglected to backup his work. Quite surprising. To blame WordPress when they fixed this issue is poor form. Do you not update Windows, Office, AV, etc applications when patches come out? So why blame WP for you laziness?
    It you put yourself online, there is a risk someone will hack into your info. Thus, if you're going down that path you and you alone should be diligent to not only backup your work, but pay attention to what vulnerabilities are out there.
    Hackers will ALWAYS attack the most popular services AND popular people.
    Looks like he was using a old version ["2.8.4, the current version of WordPress, is immune to this worm. (So was the release before this one.}]
    Mr Scoble, of all people, should understand these issues – he worked at Microsoft!!

  • photomatt

    If you need help upgrading your blog let me know, there are no unsolvable issues with regards to plugins or themes and new versions of WP.

    Unfortunately on the other side if your blog has been compromised things get infinitely harder and you really need your web host or someone savvy with systems to clean up the damage. Even if you fix WP there's no guarantee they didn't leave a backdoor somewhere else in your account and you need to diligently check for that. (Like if you get spyware on your computer.)

    • markevans

      Thanks, Matt. I think what you're suggesting is the kind of information that people were seeking initially. They took the hit for not upgrading to 2.8.4 so they were looking for insight about how to make things right again, and what to keep an eye on. WordPress has a loyal following that wants and needs to be kept in the loop. From the optics perspective, WordPress dropped the ball by slightly scolding people for not upgrading. That may be the case but it was the wrong message at the wrong time.


      • Liston

        The upgrade message was front and centre on my page – it was quite clear – was it not for some people?

  • Joseph Thornley

    Nice post Mark. A good overview of what happened with an insightful analysis of the shortcomings of WordPress' response. Case study material.

  • Smart Boy Designs

    Thanks for sharing this information Mark. It's important that we update as quickly as possible when it comes to WordPress – but I do agree – a few weeks isn't much time. If it is something very important- or a crucial update – we need a messaging system.

  • Pingback: A Long Weekend of Deep Thoughts | Mark Evans Tech

  • Boris

    "From the optics perspective, WordPress dropped the ball by slightly scolding people for not upgrading. That may be the case but it was the wrong message at the wrong time." — sorry, but no. Either a) run on a hosted service where you don't do upgrades or b) learn how to work the complex stack of machinery that makes up modern CMS / blog / hosting.

    It just SEEMS easy most of the time, and a lot of people have had to work very hard to make it seem that way. Any bitching about WP or any other CMS is FUD — learn how to backup, learn how to upgrade, or pay someone to do it for you. EVERYONE that isn't technical enough to do this has been accumulating "technical debt" for a long time.

    Learn or pay.

    Also "WordPress's response". The company? The open source project? Various people that volunteer their time to work on it? It saddens me that people STILL don't understand that THEY are a part of this system, and this isn't just some corporation.

  • bsharwood

    Good post. I'm looking after 4 blogs right now, and all of them when I sign in recommend the upgrade right when it's available. (my company blog is on a separate secure server so the upgrade required logging in on SFTP using another program and carefully putting folders and files in the right place) So the issue is whether that's enough. Or whether there's fear of upgrading because certain features might not become available. Did Scoble not upgrade when recommended? does he have so many features up that he's worried some of them might not work?

    It reminds me that I posted on my blog last week that when I upgraded my OS to snow leopard (figuring there's many benefits, including security) my Rogers Rocket Stick was made inoperable.

    So the question still becomes: what is the risk of upgrading, vs the reward of new features or security?
    Wordpress's attitude is that everyone should upgrade, features and plug-in be darned. That's not everyone's attitude.

  • Pingback: Matt Brett - Freelance Web Designer with a magic touch | We Like Your Stuff