WordPress Hacks Hacking – With Power Comes Responsibility

by Jeremy Schoemaker on January 11, 2008 · 97 comments

From some of my posts people might think I am anti-WordPress… not so… I love WordPress. I really love Akismet. I think Matt and the boys are building quite an empire. I just like to razz these future multi-zillionaires a little bit ;)

Ok, this post is mainly a response to people saying that WordPress is so insecure. Here is the thing. WordPress is open source… which means there are going to be some security issues pretty much out of the gate, especially in something as young as WordPress. Not to mention they have a pretty amazing release schedule and are making leaps and bounds with major releases… and again, being open source, it is going to have some security issues. Now mix that with the fact that it has HUGE market share, and that makes it a HUGE target.

Sure, there will be many security wizzes sitting back reading this post saying it wouldn’t be that hard, blah blah, and pointing out the flaws… and yeah… I tell you what, why don’t you volunteer and help them? I know it seems like I out a lot of bugs publicly, but for every one that I out (and 90% of the time they are more cool than harmful) I have submitted 100x more bug reports and fixes.

I think the WordPress developers have done an outstanding job bringing an incredibly powerful blogging platform to the masses, one that can do very, very advanced things and does them VERY easily for the end user.

But here is the thing… You have to be responsible for what you install. AND you must keep up with updates. It’s always a system of give and take, and if you want the cool toys then you also need to make sure you are going to be diligent with updates and patches as they happen.

This blog got hacked one time, and it was purely because I had not updated when I knew I should have. It was down a couple of hours… I restored and upgraded and all was well.

The best way to ensure you will not get hacked would be to install mod_security and use some of the config files floating around.
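As an added example (not code from the original post, and not WordPress’s own tooling), here is the kind of cron-driven backup job that the “keep up with updates, restore when it goes wrong” advice above depends on: it reads the database credentials out of wp-config.php, dumps the database, archives wp-content and prunes old copies. The paths, the backup location and the 14-day retention are assumptions; it needs mysqldump, tar and gzip on PATH.

```shell
#!/bin/sh
# Added example, not part of the original post: a nightly WordPress backup job.
# Assumed layout: $WP_ROOT/wp-config.php and $WP_ROOT/wp-includes/version.php
# (standard for WordPress); mysqldump, tar and gzip on PATH.
# Example cron line (paths are placeholders):
#   0 3 * * * /usr/local/bin/wp-backup.sh /var/www/blog /var/backups/wp
set -eu

# Extract one define('NAME', 'value') constant from wp-config.php.
# $1 = path to wp-config.php, $2 = constant name (e.g. DB_NAME)
wp_config_get() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Read the installed core version from wp-includes/version.php
# (the file contains a line such as: $wp_version = '2.3.2';).
# $1 = WordPress root directory
wp_installed_version() {
    sed -n "s/^[[:space:]]*[$]wp_version[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" \
        "$1/wp-includes/version.php" | head -n 1
}

# Dump the database and archive wp-content (themes, plugins, uploads).
# Output files carry a timestamp so several generations can coexist.
# $1 = WordPress root directory, $2 = backup directory
wp_backup() {
    root=$1; dest=$2; stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"
    db=$(wp_config_get "$root/wp-config.php" DB_NAME)
    user=$(wp_config_get "$root/wp-config.php" DB_USER)
    pass=$(wp_config_get "$root/wp-config.php" DB_PASSWORD)
    host=$(wp_config_get "$root/wp-config.php" DB_HOST)
    # DB_HOST may be "host:port"; split it for mysqldump.
    case $host in
        *:*) hostopts="-h ${host%%:*} -P ${host#*:}" ;;
        *)   hostopts="-h $host" ;;
    esac
    # Hand the password over via MYSQL_PWD instead of the command line,
    # where every local user could read it from the process list.
    # shellcheck disable=SC2086  (hostopts is intentionally word-split)
    MYSQL_PWD=$pass mysqldump $hostopts -u "$user" "$db" | gzip > "$dest/db-$stamp.sql.gz"
    tar -czf "$dest/wp-content-$stamp.tar.gz" -C "$root" wp-content
    # Backups contain the whole site; keep them readable by the owner only.
    chmod 600 "$dest/db-$stamp.sql.gz" "$dest/wp-content-$stamp.tar.gz"
    echo "backed up WordPress $(wp_installed_version "$root") to $dest ($stamp)"
}

# Remove backup generations older than $2 days so the disk does not fill up.
# $1 = backup directory, $2 = days to keep
wp_backup_prune() {
    find "$1" -maxdepth 1 -type f \
        \( -name 'db-*.sql.gz' -o -name 'wp-content-*.tar.gz' \) \
        -mtime +"$2" -exec rm -f {} +
}

# Run as a script: wp-backup.sh <wordpress-root> <backup-dir>
if [ $# -eq 2 ]; then
    wp_backup "$1" "$2"
    wp_backup_prune "$2" 14
fi
```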

About the author...

Jeremy Schoemaker – who has written 2415 posts on ShoeMoney.com.

Hi, I am Jeremy Schoemaker and ShoeMoney.com is my blog. 99% of the posts here are done by me, but you will see others occasionally make guest posts. This blog is fun to write, but for my day job I run several online companies.



1 Mubin January 11, 2008 at 3:12 pm

I love complaining about free stuff as well, but seriously they have rocked the kasbah with what they have come up with. And if they want to give themselves some link love in my dashboard, I’m okay with that.

2 Joeychgo January 11, 2008 at 3:12 pm

I couldn’t agree more, Jeremy. Many of the hacking incidents I have heard about turn out to be more errors on the part of the site owner.

3 Joe January 11, 2008 at 3:13 pm

Jeremy, you’re definitely right about this one. I am worried sometimes that because of all the security issues I will lose everything. I do have a couple of blogs left on Blogger because of this. That being said, I do feel fairly safe using WordPress, but I haven’t had anybody try to hack me yet. Just scrapers. And you just gave me something to help deal with it!

4 Joeychgo January 11, 2008 at 3:20 pm

Especially since the script is free.

5 Durham Limo Hire January 11, 2008 at 3:56 pm

Great advice, Shoe! As with all open source software/apps, you should update ASAP to avoid security issues – and don’t whine if things go a little bit wrong now and then – you didn’t pay for the thing in the first place.

6 Adam January 11, 2008 at 4:07 pm

Shoe, if you use the InstantUpgrade plugin, upgrades take one click and 5 seconds ;-)


7 Ben Cook January 11, 2008 at 4:15 pm

If you backup frequently and keep track of the updates (including plugins), you minimize the risk as much as possible. WordPress is amazing in terms of its functionality and flexibility, and with that comes a bit of risk as you mention. Personally though, I think the risk is well worth the reward.


8 Ben Cook January 11, 2008 at 4:16 pm

Just make sure you backup early and often. That way, even if you are hacked, the damage will be minimized.


9 Nicholas James January 11, 2008 at 4:58 pm

That’s where backups and making sure the mods are working properly come into play.

A secret WordPress demo that you’ve set up doesn’t hurt when testing out modifications ;)

10 Free Online TV January 11, 2008 at 5:38 pm

Thanks for the advice. The spammers are bad enough, I don’t need hackers either!

11 Spy Optic January 11, 2008 at 5:40 pm

WordPress is free and awesome.

Almost anything can be hacked / crash; it’s the user’s responsibility to back up.

12 Money School January 11, 2008 at 5:52 pm

One common thought is “I’ll back up tomorrow”; never think like that, do it on a regular basis. The best is if you can set up a cron job on the server that backs everything up. Then you don’t have to think about it. But I agree with the above posters, WordPress is great.

13 LittleBoy January 11, 2008 at 6:56 pm

Power=responsibility The responsibility is the power.


14 賃貸 大阪 January 11, 2008 at 7:26 pm

I like using the DB backup plugin. I followed Graywolf’s advice and set up a Gmail account for my databases. WordPress emails a DB backup to the Gmail account every day. It helps me sleep a little better.

15 Hustle Strategy January 11, 2008 at 8:17 pm

Well, I backed up then figured I would post… Good advice…


16 ATV Style January 11, 2008 at 8:26 pm

Open source applications, like WordPress and phpBB, are great for the internet in general. They have security issues like any software does, sure, but like Jeremy says, that’s because many don’t keep up to date.

What I like to see is an army (millions) of open source code users giving companies like Google and Facebook a run. So much of a run that Google and Facebook actually launch platforms and/or pay to “coral” a lot of the new “apps” being created via open source.

It is VERY possible still to this day for some basement genius to come up with a new idea using open source that could knock major “internet companies” out of business. Design a useful app or popular site and people throw money at you, for now.

I’ve said this before – patents filed by search engine companies could ruin open source apps like WordPress permanently. If Google comes up with and patents an idea that becomes part of a website… and it becomes so popular that you hate visiting sites that don’t have this app, the tides will turn. WordPress will shrivel; we’re not there yet.

17 ATV Style January 11, 2008 at 8:30 pm

coral = corral – someone needs to write a comment spellchecker asap!


18 McBilly Wilford January 11, 2008 at 8:58 pm

Indeed. That is true! Most probably, the owners of the sites have not been updating and then complain about why their WordPress blogs have been hacked. Quick FYI: update ASAP!

19 McBilly Wilford January 11, 2008 at 9:30 pm

I think that one can’t apply to Spiderman. ;)


20 Affiliate Confession January 11, 2008 at 9:44 pm

You can stop spammers with the Akismet plug-in. I hope you’re using it.

21 David Chew January 11, 2008 at 10:11 pm

WordPress got hacked; is that a normal thing to happen when you are famous for something?

22 David Chew January 11, 2008 at 10:13 pm

I have a post about WordPress and Blogger on my blog. For anyone who uses both of these, which one do you all think is better? Many people say that WordPress is better than Blogger.

23 David Chew January 11, 2008 at 10:14 pm

Backup is the most important thing, because you sure don’t want your posts to fly away just like that.

24 David Chew January 11, 2008 at 10:15 pm

Updating regularly is good for anyone who wants their blog to be safe.

25 David Chew January 11, 2008 at 10:16 pm

In WordPress, isn’t there a feature that allows you to delete spam comments?

26 Affiliate Confession January 11, 2008 at 11:11 pm

If you activate the Akismet plug-in, most of the spam is deleted automatically for you, and then you can just mass-delete any that gets through.

27 Alan Johnson January 11, 2008 at 11:19 pm

Indeed, people adding value to the Web through free information and tools should always be appreciated, especially when we are talking about something as great as WP.


28 Alan Johnson January 11, 2008 at 11:22 pm

I would also suggest making sure that you don’t save your data in just one place since, let’s face it, you never know what can go wrong with your computer and having something like this happen exactly when you need to restore data is not exactly a pretty picture :)


29 Alan Johnson January 11, 2008 at 11:24 pm

I always have a blog I only use for testing purposes on a separate server since trying things out there first definitely never hurts.


30 Alan Johnson January 11, 2008 at 11:25 pm

Akismet is great, but it will not be able to handle everything; you will need to keep an eye on things as well :)

31 Alan Johnson January 11, 2008 at 11:26 pm

It is important to make performing backups a weekly habit at the very least, since you don’t want to be taken by surprise when something goes wrong; problems are unfortunately something you cannot plan :)

32 Alan Johnson January 11, 2008 at 11:30 pm

As far as I am concerned, WP beats Blogger hands down. I may not be entirely objective, but I wouldn’t even think of touching it at this point.

Alan Johnson

33 Clint Lenard January 12, 2008 at 12:35 am

I love WordPress, although I did get hacked a few weeks ago… but it was my fault, I suppose. Luckily for me, Google Cache had my latest posts… my backup was not complete. Yikes.

34 Nicholas James January 12, 2008 at 12:35 am

WordPress is hands down better than Blogger in my opinion.

35 Nicholas James January 12, 2008 at 12:36 am

That’s a good point. Many people forget to back up, and that’s why it’s harder to recover when they get hacked.

36 Nicholas James January 12, 2008 at 12:38 am

I’m glad you do. Personally i think everyone should :)


37 David Chew January 12, 2008 at 1:54 am

That is why you need to have a backup. I recently posted 2 topics on my blog and backed them up, since Jeremy has posted about backing up your posts for safer protection.

38 Erica DeWolf January 12, 2008 at 2:06 am

I agree… I’ve used both WordPress and Blogger, and I like Blogger a lot better for a variety of reasons. A big thing for me is professionalism. WordPress just seems to have a more professional feel and design to it. Blogger seems to be what teenagers would use, although I do know of some very professional-looking Blogger blogs in existence…

39 momoy January 12, 2008 at 2:29 am

It’s useful information, but can I install it in an older WordPress version such as WordPress 2.0.5? Thanks

40 Joe January 12, 2008 at 3:04 am

Funny this post is up, as about a dozen of my WP blogs just got hacked by the wordpress.net.in virus, which crippled my AdSense earnings… dropped them by 60% almost instantly. I stumbled upon the problem as I decided to look at my source code and found a bunch of pron spam links. This is all my fault, as I’ve been too lazy to keep my WordPress up to date. But it’s a bitch when you have 50 blogs or so.

I think the main thing WP needs to do is make it super easy to keep our WP blogs up to date… without having to go in and redo all of the templates after each update. :(

To ANYONE OUT THERE USING WP… please check your blogs now to see if you are infected. If you ignore my warning you could lose $$$

See this link:

http://blog.kakkoi.net/wordpress/how-to-removed-wordpress-net-in-spam-injection-infected-by-mike-jagger-goro-class-mailphp/

41 Ninja Steve January 12, 2008 at 3:37 am

It irritates me when people complain and moan and groan about WordPress. It is good. It is free. Need I say more?

42 ATV Style January 12, 2008 at 3:58 am

Jeremy, you’re powerful in blog and marketing circles, so in the spirit of this post can you fix the of this blog purdy plz? I’m always scanning code to see mods that people make but keep quiet about (I’m addicted to peeking and learning, honestly) and the head is making me scroll down 380 lines of code before the page even starts.

- drop all JavaScript into an external file
- drop all CSS into your .css file (or create a new one and link to it)

Just those two steps would save you over 350 lines of code per page and “me love your blog long time”. (Search engines will too; actual content prominence rocks.)

43 ATV Style January 12, 2008 at 4:01 am

P.S. – if Brian’s threaded comments give you a headache since it has PHP and CSS mixed together, give me a shout, I’ll send you a link to one of my sites that has that fixed. It’s my masterpiece!

44 ATV Style January 12, 2008 at 4:09 am

Another tip – Passwords – when you subscribe to anything open source, DO NOT USE THE SAME PASSWORD as with your site login, etc., etc.
Although open source uses secure MD hash measures, the one thing people forget is that when you register online, to a forum or WordPress or anything else, the site often sends you a welcome email. A lot of the time the email has the login and password in it for your future reference. Did you know that any returned emails go straight to the admin for troubleshooting, who can then see the password you typed in? If you made a typo, the admin will get the password and, if he knows you or tracks you down, may try to get into your stuff.

45 Ruchir January 12, 2008 at 4:48 am

It’s not just about WordPress, every single software whether open source or proprietary has flaws and bugs. And the great thing about WP is that they release an update as soon as they discover a major bug.


46 David Chew January 12, 2008 at 5:10 am

That means good.


47 Contest Beat January 12, 2008 at 5:10 am

The automatic update plugin makes doing this so much easier


48 shy guy January 12, 2008 at 7:09 am

Hm.. Yeah, it is frustrating if our blog / website / email gets hacked..
I agree, do not use the same password..
Especially for your online banking, PayPal, Moneybookers, etc.

49 CatherineL January 12, 2008 at 8:33 am

Thanks for the tip, Shoe. I am often scared to update in case something does go wrong. But you’ve just scared me into updating, so now I’m going to have to do it.

50 Cyrus January 12, 2008 at 10:32 am

I’ve wondered about the same thing re: spam comments. At first I just assumed that I had to go in once a week and delete the 5 – 10 spam comments that I would get. Will this Akismet plug-in help with that, or will I still have to go in and delete them manually every week?

51 Famous Quotes January 12, 2008 at 11:18 am

WordPress is by far the BEST software I have ever used. So easy to install, so easy to maintain and so easy to customize; all for free! As far as hacking is concerned, even software that costs hundreds or even thousands of dollars gets hacked.

52 abhishek arora January 12, 2008 at 11:25 am

I agree – these guys have to be appreciated! They are doing a really good job out there! Usually errors by newbies are the culprits.

53 Affiliate Unleashed January 12, 2008 at 11:53 am

I love WordPress too :D

I am working on getting mod_security installed now.

54 Scott Weaver January 12, 2008 at 12:26 pm

No matter what you do, there will always be whiners and complainers. It’s the nature of some people to just be incompetent. So although I agree with you, it seems like this post is falling on deaf ears with the people it was intended for. On a lighter note, I have little to complain about with WordPress and hope they continue to light the way for other dev teams.

55 Alan Johnson January 12, 2008 at 9:49 pm

Even if there are occasional errors on their part, it would simply not be fair to complain since they are offering everything for free, unlike others, who charge money for products which are flawed as well.


56 Alan Johnson January 12, 2008 at 9:51 pm

These days, hosting can be as cheap as it gets; add a throwaway domain to the equation and there you have it… the possibility of avoiding potential problems by paying a little pocket change (after all, it sure beats wasting time trying to fix things) :)

57 Alan Johnson January 12, 2008 at 9:52 pm

It would be understandable to complain if you’ve paid a fortune for something, but to choose such an approach when they are offering it for free simply doesn’t make sense.


58 Alan Johnson January 12, 2008 at 9:54 pm

Indeed, just because something costs a lot of money doesn’t mean that it is 100% safe. It does however give you the right to complain :)


59 Alan Johnson January 12, 2008 at 9:57 pm

I couldn’t agree more. Personally, WordPress has been working just great for me and, by using the wp-cache plugin, I have managed to handle the Digg front page without encountering any issues (my hosting provider also deserves credit for this), even though a lot of people call WP “problematic” as far as the Digg effect is concerned.

60 will January 12, 2008 at 11:15 pm

I hear ya. Making backups is almost as important as updating. I remember losing so much on failed HDs :(

61 will January 12, 2008 at 11:44 pm

what is this instant upgrade you speak of?


62 Internet Marketing January 13, 2008 at 7:20 am

You are so right. I had to stop everything and upgrade and install some new widgets.
Keep up the good work.


63 Harry January 13, 2008 at 9:56 am

Can comments be automatically approved? If yes, can anyone explain please?


64 Alan Johnson January 13, 2008 at 4:10 pm

Yes, all you need to do is visit the “options” section of your WP admin area and uncheck all fields such as “users must be registered and logged in to comment”.


65 Adam January 13, 2008 at 6:22 pm

Sorry, I probably should have included the URL. You can find InstantUpgrade here: http://www.zirona.com/software/wordpress-instant-upgrade

Your WordPress install directory needs to be writable by whatever user your web server is running as, most likely Apache.

66 Will January 13, 2008 at 8:50 pm

I was thinking about this, but that almost seems like more work for something so small like wordpress. How much can you really screw up while testing new things?


67 Affiliate Confession January 13, 2008 at 9:15 pm

Once you approve a comment none of their comments have to be approved again.


68 Harry January 13, 2008 at 11:29 pm

Got it under WP admin > Options > Discussions and unchecked the first and third option under Before a comment appears:. Thanx :D


69 Lexus ISF January 14, 2008 at 1:41 am

WordPress has been working amazingly for me by using the wp-cache plugin. It has helped my site so much…

70 Reverse Funnel System Review January 14, 2008 at 6:39 am

WordPress really gives everyone the opportunity to simply make their own blog; that’s why most people use WordPress now. It’s the leader in blog scripts, and even if it has problems I really prefer WordPress to other similar alternatives. A big advantage of WordPress is the tons of plugins you can install, like in Firefox; people love it, the same as surfers.

71 Affiliate Confession January 14, 2008 at 8:45 am

Akismet holds spam comments for I think it’s 15 days and then deletes them automatically. Akismet caught spam doesn’t show up in regular comments, there’s a separate section for it.


72 Affiliate Confession January 14, 2008 at 8:49 am

I detest Blogger because you don’t really own your blog. It can be deleted at a moment’s notice if the Google mothership decides they don’t like you. WordPress on your own domain is the way to go.

73 kansieo January 14, 2008 at 9:17 am

Having released free, cheap and slightly more expensive software, the amount of complaints I get seems inversely related to the cost of the product. In other words, the cheaper my product is, the more people complain!


74 Sean January 14, 2008 at 10:37 am

For those who don’t have it, get the WordPress Automatic Update plugin mentioned above. It doesn’t work with all hosts…

http://techie-buzz.com/wordpress-plugins/wordpress-automatic-upgrade-plugin.html

75 hanji of money-code January 14, 2008 at 11:12 am

Thanks for mentioning mod_security. I LOVE mod_sec; I also use it with some custom rules from gotroot.. very nice indeed. Combined with snort/snortsam and fail2ban you could really have an active and robust intrusion prevention system in place.

hanji

76 Kabatology January 14, 2008 at 11:54 am

“Wordpress is open source… which means there is going to be some security issues pretty much out of the gate” by Jeremy – Poor statement. Open source does not mean easy to break down or insecure. Many security apps out there are open source, because having the code also means the possibility to create unique systems. Movable Type is now open source. Always update if you’re not an expert. If your system gets into trouble – 95% of the time the troublemaker is YOU.

77 Affiliate Unleashed January 14, 2008 at 12:04 pm

Hey Shoe, would you ever consider releasing what WordPress plugins you have installed?

~Jonathan Volk
http://www.jonathanvolk.com

78 Not John Chow January 14, 2008 at 1:40 pm

I wouldn’t be able to blog if I had to pay for things like this! Thank you to everyone who has ever given away something of value!


79 Alan Johnson January 14, 2008 at 4:59 pm

I definitely agree that the wp-cache plugin is great, since it has helped me survive the Digg effect without any kind of issues (having a great host is, of course, also extremely important in such cases).

80 RacerX January 14, 2008 at 8:36 pm

I wonder how secure Blogger is? Maybe since most sites there are smaller, it doesn’t happen as much.


81 Affiliate Confession January 14, 2008 at 10:52 pm

Spammers are always finding ways around Akismet, but it does get the majority of it.


82 Francois January 14, 2008 at 11:44 pm

Plugins are quite a dilemma for OS blog software indeed. All web software, actually.

You can either decide to integrate as many features as possible into the core in order to control as much security as possible (b2evolution approach), or you can have as many people as possible develop third-party plugins in order to have a larger feature offering (WordPress approach). But you can hardly have both… as soon as you install your first 3rd-party plugin, you no longer have a coherent security framework in place.

I believe there must be a solution where software projects would validate some strict input handling (input handling is the biggest issue with PHP apps) in plugins before listing them in their plugin repository. But I have yet to see anyone pull that off…

-F.

83 Real Lottery Winner January 15, 2008 at 11:56 am

Reading this, I have taken measures to update my own security. Thanks Jeremy.


84 krillz January 15, 2008 at 5:14 pm

mod_security is still too risky; sure, it will stop all the script kiddies running mass exploit sniffers whenever they learn of a new exploit in a widely used web application. But it’s still too easy to crash or bypass mod_security with BOFs or null byte attacks; a well done string can take down the mod, leaving the system open to harm.

But I stumbled over a good open source project that has done something more, much better than mod_security IMO. I think you’d like it from a security point of view, Shoemoney.

It’s called Suhosin, and it is produced by the Hardened-PHP project. hardened-php.net

85 賃貸 大阪 January 15, 2008 at 7:18 pm

I use the backup db that emails the database to me (or a gmail account).


86 Jason January 16, 2008 at 3:16 pm

In your post, you said that WordPress is vulnerable because it’s open source… I use WP, and I love it… but perhaps WP is vulnerable because it’s WordPress, not because it’s open source? One could easily make the argument that open source technology is much more secure than any crap that Microsoft puts out…

So, I love your blog, man… but I really have to call you on this one…

PS – BJ Penn or Joe Stevenson? My last comment went against your picks… and I was victorious in saying that GSP would walk away the winner… lol! Cheers!

87 krillz January 17, 2008 at 8:57 am

Well, the good thing with open source is that it is easier to spot and fix compared to closed source applications.

We all know the time difference in bug and vuln fixes between Windows and Linux…

88 web proxy January 21, 2008 at 1:34 am

I just downloaded mod_security. Looks like a very useful piece of software. WordPress is great; their software is simply powerful and is so popular among webmasters, however they lose out to the general public bloggers IMO.

89 Dan January 30, 2008 at 6:38 pm

Just updated my blog with this – Cheers Shoe


90 David October 6, 2008 at 4:44 pm

I’m going to take a look at mod_security now that you mention it. Most hacks occur simply because the owner hasn’t updated the version or needed to make some tweaks to the site overall.

91 yazili August 22, 2011 at 1:50 am

I couldn’t agree more, Jeremy. Many of the hacking incidents I have heard about turn out to be more errors on the part of the site owner.
