New attacks today against Wordpress (lots of sites hacked) (sucuri.net)
66 points by sucuri2 on May 7, 2010 | hide | past | favorite | 74 comments



Avoid Wordpress.

Sometimes a short comment is all that's warranted.


Entrepreneurs take note. This is a problem that is not being solved. There are lots of smallish bloggers out there who want more customization than Blogger/Wordpress.com/Tumblr/Posterous allow, whose best option is Wordpress and shared hosting. This is a sucky best option. Do something about this; make some money solving this problem.


This is a Turing Tarpit; the only infinitely customizable blog platform is "PHP" (or your choice of other actual language). And as your customization possibility space increases, the customization inevitably starts to look like a language. Because it is.

That's why nobody's "solved" this problem in the last ten years; you can't have programming language flexibility without programming language complexity.


Wordpress is like Apache or Sendmail. A 500-headed monster. It's simple enough to use and does everything. It's also sloppy and overgrown. Most people don't need all the extra stuff it does. Certainly not at the expense of security.

Apache => Nginx

Sendmail => Postfix

Wordpress => _______

That is room for an enterprising open source developer.


"It's also sloppy and overgrown. Most people don't need all the extra stuff it does. Certainly not at the expense of security."

The problem is that everyone needs a different 20% customized. This is what Joel Spolsky basically argues in Bloatware and the 80/20 Myth: http://joelonsoftware.com/articles/fog0000000020.html . He's talking about desktop software, but you can see the same essential thing in blogging software; I'm using Wordpress for Grant Writing Confidential at http://blog.seliger.com chiefly because it has everything I want and is easy to use.

The extra stuff I use includes themes and a couple of plugins, like one for generating an XML sitemap and another for caching. I know that blogging platform X probably has the particular set of features I need -- until I find something that it can't do.


I trust Apache.

I don't trust Sendmail but there's an emotional component to that; I would have laughed at you for using it in 1999, but I think 2 decades of analysis has to produce some result.

There's something more going on with Wordpress than simple complexity.


I'm sorry, what?

Apache doesn't have security issues at all like Wordpress, you are confusing FLEXIBILITY with INSECURE software.


It's had its fair share of problems. Mostly in the past at this point though. It is heavily bloated and overgrown compared with something lean and mean like nginx.

Even if Wordpress didn't have security issues there'd be room for an nginx of blogging.


Understood, but I don't think people need infinite customizability. They need roughly Wordpress-level customizability, security, and relatively cheap hosting. Can no one really supply this?


"Understood, but I don't think people need infinite customizability."

Need, no. Want? Yes. Literally "infinite"? No. But variable beyond belief? Yes.

Elsewhere in the thread, you complain about hardcoded URL structures! That's pretty far out there on the "I demand customizability!" front, if you consider the horrible things that will do to your platform's internals. Random users running code in their templates, another feature you request, implies that we need to sandbox and resource limit the templates, if we also want to maintain the ability to have "cheap" hosting (which breaks if our users start writing infinite loops into their templates). (Sorry, did I say "if"? I meant "when".) Take your needs, and two other customers with the same level of detailed desires, but different desires, take the union of them, and you've got a freaking complicated product spec'ed out. One that, incidentally, is going to be pretty complicated to actually customize. Oh, and the odds of it suffering the classic "endless interacting-feature bugs because nobody ever said no to a feature" is basically 100%.


Weebly is trying to strike a balance between the two. We don't let you upload PHP code to our servers, but we are extremely customizable.

I mentioned more of our features below: http://news.ycombinator.com/item?id=1328512


Weebly is solving this problem -- you just may not have noticed.

We have rich blogging features that are on par or better than most blog systems: create posts, edit your side bar, set categories, human-readable (and adjustable) URLs, commenting, comment moderation (open/moderate/closed), close commenting after x days, post in the past, set time zones, post drafts, private drafts, etc.

Even better, a blog doesn't have to be the focus of your site -- it can be just a page. You can create other pages to put things like pictures, videos, photo galleries, slide shows, maps -- by just dragging and dropping them on. You can even create custom forms and surveys by dragging on the form elements (name, address, phone number, drop downs, etc.)

While you can't upload PHP, you do have full customizability over your theme CSS and HTML.

To top it off, your site is hosted free of charge on our robust infrastructure that's machine and geographically redundant. We serve sites that hit the front page of Digg or the NYT every day and don't even see a blip in our traffic graphs :)


That sounds awesome, but I have two questions about your service that the homepage did not answer (at least I could not find it straight away):

Is there an export option? I would hate to be locked into using you guys just to see your company fail (and you don't seem to have a way to do revenue, esp. when you won't put ads on the blogs)?

Is there a way for me to host blog._somedomain_ with you, I would rather not make my blog the focus of the domain...


Absolutely. Yes to both.

First, our company won't be going under any time soon -- while 95% of the features are free, there are an extra 5% available to power users as part of our "pro" package for ~$4/month. We also sell domains. We're strongly profitable, so you don't have to worry about us going under :)

But should you choose, you can export your site as a .zip file and host it somewhere else.

Also, you can choose from either a .weebly.com subdomain or point either your domain.com or blog.domain.com to us -- in either case, we'll still host your site free of charge.


I wish there were a non-saving demo account or something.


Well, at the risk of derailing the conversation... I've extensively customized tumblr. I have beefs about some other elements of their service, but what sort of customization are you talking about that's not possible with tumblr?


Honest question, can you upload a script file (PHP/Perl/Python/ASP/Whatever) to tumblr and integrate it with other parts?

When I was freelancing I used to get a lot of requests like this: I want blog/comments/sharing, image gallery, video, and --insert business specific thing here--.

And Wordpress and its plugins make this easy(ier).


No server-side code allowed, but you can work all the jquery magic you want and they have a facility for static pages with arbitrary URLs. I'd probably not recommend selling it to a business, because, for example, here's how I'd do an image gallery:

1) upload the pics to flickr 2) use jquery to grab the pics 3) make a static page to display them

Also, because it's clear that their service is designed for single-person blogs, their group blogs have some annoyances that range from minor to severe.


As I understand it, with Tumblr you can't customize your URL structure, you need to use external commenting systems, and your themes can't run non-js code. Also, many people use Wordpress as a hybrid CMS/blog; the ability to have pages (again with a defined url structure) is important.


In order:

1) your blog will have to use their URL structure, /post/:id/:slug. But who is really bugged by that? Seems a sane structure to me.

2) fact. If disqus comments are a showstopper for you, you've got to find a different service.

3) fact, but I see that as a positive, not a negative. Why in the world do you want your themes running native code?

4) Tumblr has static pages with arbitrary URLs. Here's a screenshot of the interface: http://img.skitch.com/20100507-edeg31uwc25t9hkumww2j9hk4b.jp...

Tumblr has a great bookmarklet, a good iPhone app, a good community, reasonable uptime, and a good admin and customization interface. I don't recommend their group blogs, though I have several, but I highly recommend their service for one person.


llimllib, thanks for the reply. I can think of a number of reasons that you might want to have dynamic elements in your theme. I understand the concern over themes running code, but if you want things like breadcrumbs and your CMS doesn't come with them as a native function then you need to be able to run native code. Ideally, the CMS would include a wide and extensible array of native functions that themes could take advantage of, but tumblr certainly isn't that CMS.

Good to know about the pages.

One other issue is file uploads. Say I want to host my CV at domain.com/CV.pdf. I don't think I could do that with Tumblr. Is that too much to ask?



IMHO there is a decent alternative called Byteflow http://byteflow.su/

based on django btw


I have 2 Wordpress blogs that get comparable amounts of traffic. They're both on the same shared hosting (MediaTemple), they're both updated at the same time.

One never seems to be touched, the other seems to have gotten a high spot on some l44t hax0r's list and is exploited just about every time a security flaw is discovered. It's annoying to say the least.

Slowly over the years I've been moving everything that I don't absolutely have to host off shared hosting or VPS's and onto hosted services (I love Tumblr) that allow backups/exports. In my experience, it's just not worth the headaches to self-host things like blogs.


Wordpress hosted on my linode vps seems just fine. Switching from godaddy to linode was more than worth the price increase.


Agreed. Also, making small changes to some of the config helps too. This is why I laugh at people who know nothing about hosting, permissions, or php in general deciding that they know WP, put it on a shared box without doing the proper setup, and then blame wordpress when it gets hacked.


Most of the Wordpress breakins have been the fault of Wordpress' code, not admin incompetence.


Can you please point out some reasons why you think WordPress code is faulty?


Note that you could tell me that Wordpress has changed drastically for the better since I stopped paying attention to it. I would concede that you might be right, but wouldn't change my recommendation at all. It's simply not worth arguing about. Here goes:

* It's written in PHP, a platform on which "remote file inclusion" vulnerabilities --- where attackers can source code to run on the server from MySpace --- continue to be found. I hesitate to bring this up, since (for instance) the last public vBulletin flaw that would have cost you your site goes back to 2008.

* It has an authentication design that uses the same database tables to track administrators who can run code on the site and anonymous Internet commenters.

* It has a template language that allows graphic designers to write templates that run code on your server.

* It hand-codes SQL statements largely out of concatenated queries.

* It is internationalized but has no coherent strategy for dealing with character sets and input filtering, on which it relies heavily, resulting in relatively recent vulnerabilities enabled by for instance UTF-7 inputs.

* It includes in the admin interface an editor for site templates that amounts to a remote login to the server, since, again, templates can run code.

* It has a vibrant community of plugins implemented by people who know exactly enough PHP to get their code working, which means every one of these flaws is repeated for every plugin developer.


Also: it's impossible to move or rename the admin directory in Wordpress without modifying a bunch of its code. This IMO is grievously stupid, because attackers can (and do) throw injection attempts all day long at the admin bits of Wordpress sites.


I was referencing that correct file permissions, on a dedicated server, with a well-selected user (NOT admin) will go a LONG way in making it safer. Also, putting in the time to shore up the main holes is 100% worth it. Sure, there are holes in it, just like ANY framework. Simply setting it up right helps a ton. My comment is directed to people who just unzip, dump it on a shared GoDaddy server, and wonder why it gets hacked.


No, it won't.

Everything that you just mentioned, at best, protects the server environment from Wordpress vulnerabilities -- and that's assuming that a novice could set up a dedicated server as tightly as good hosting companies set up shared hosts.

None of your recommendations do anything to make Wordpress itself any safer, and if the Wordpress db gets compromised (which happened recently to a lot of folks), then you still don't have much of a site left.


Avoid Wordpress and shared hosts. They mention that all the sites hacked were on shared hosts.


Avoid Wordpress...really? I can understand avoiding shared hosts because you have less control of the environment but going to an alternative blogging platform because it is more obscure than Wordpress seems to be a bad approach (and if you go with a vps solution you might have the headaches of maintaining a secure distro). This is like saying "you should use Linux or Mac because Windows gets attacked more".

Any piece of software that is popular (I saw a recent statistic that wordpress powers 10% of the top 1 million sites as ranked by Alexa) will be much more vulnerable to attack than less popular software. At the same time, you get a bigger community and all the goodies that come along with that popularity (more plug-ins, themes, etc...).

I don't think that getting rid of the software is the correct approach in this case. You need to approach it by assuming that your wordpress site will be attacked every day and you need to have a plan to remediate this. There is no perfect security unless you unplug your web server from the internet. For a one blogger site - one simple approach would be to:

1. Run something like open source tripwire (http://sourceforge.net/projects/tripwire/) on a nightly basis so you can get alerted if any wordpress files get changed (HN peoplez: anyone have a better tripwire-ish solution that is free?)

2. Run a nightly backup of your files and db and mail it to an external account (like a gmail account)

3. have a script that can reload your files and database quickly from your backups (obviously - this needs to be tested)

4. subscribe to the wordpress security list and to a blog like http://www.wpsecuritylock.com/blog/
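The tripwire, backup and reload steps above, written out as one nightly script. This is an added example, not code from the thread; it assumes POSIX sh with GNU coreutils (sha256sum, sort -z, mktemp), tar and optionally mysqldump, and every path and the WP_DB database name are placeholders the caller supplies.

```shell
#!/bin/sh
# Nightly integrity check, backup and restore for a WordPress document root:
# a minimal stand-in for the tripwire/AIDE, backup and reload steps listed in
# the comment above. Added example, not from the thread; assumes POSIX sh
# with GNU coreutils (sha256sum, sort -z, mktemp), tar and optionally
# mysqldump. All paths are placeholders supplied by the caller.

# Write a baseline manifest for tree $1: one "sha256  ./path" line per file,
# sorted so two manifests of the same tree are byte-identical.
wp_manifest() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum )
}

# Compare baseline manifest $2 against tree $1. Prints one CHANGED, MISSING
# or NEW line per difference; returns 0 when clean, 1 otherwise. (The awk
# field split does not handle paths containing spaces.)
wp_check() {
    current=$(mktemp)
    wp_manifest "$1" > "$current"
    if diff "$2" "$current" > /dev/null; then
        rm -f "$current"
        return 0
    fi
    # '<' lines exist only in the baseline, '>' lines only in the current
    # tree; a path present on both sides is a modified file.
    diff "$2" "$current" | awk '
        /^</ { old[$3] = $2; next }
        /^>/ { new[$3] = $2; next }
        END {
            for (f in old) { if (f in new) print "CHANGED " f; else print "MISSING " f }
            for (f in new) { if (!(f in old)) print "NEW " f }
        }'
    rm -f "$current"
    return 1
}

# Archive tree $1 (plus a dump of database $WP_DB when set and mysqldump is
# available) into $2/wp-YYYYMMDD.tar.gz and print the archive path. Mail or
# copy the archive off the host afterwards; a backup kept on the hacked box
# is not a backup.
wp_backup() {
    work=$(mktemp -d)
    cp -R "$1" "$work/files"
    if [ -n "$WP_DB" ] && command -v mysqldump > /dev/null 2>&1; then
        mysqldump --single-transaction "$WP_DB" > "$work/db.sql"
    fi
    archive="$2/wp-$(date +%Y%m%d).tar.gz"
    tar -czf "$archive" -C "$work" .
    rm -rf "$work"
    echo "$archive"
}

# Unpack archive $1 into directory $2 (files/ and, if present, db.sql).
# Load the dump with "mysql $WP_DB < $2/db.sql" once you have looked at it.
wp_restore() {
    mkdir -p "$2" && tar -xzf "$1" -C "$2"
}

# Nightly entry point: create the baseline on first run, otherwise refuse to
# archive a tree that fails the check, so a tampered tree is never filed away
# as a "good" backup. After a legitimate update, re-run wp_manifest by hand
# to refresh the baseline.
wp_nightly() {
    if [ ! -f "$2" ]; then
        wp_manifest "$1" > "$2"
    elif ! wp_check "$1" "$2"; then
        echo "ALERT: integrity check failed for $1" >&2
        return 1
    fi
    wp_backup "$1" "$3"
}
```

Run it from cron as `wp_nightly /path/to/docroot /path/to/baseline /path/to/backups` with the three paths filled in; the ALERT line on stderr is what cron mails you.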


I agree that Wordpress gets attacked more, and has more vulnerabilities uncovered, because it is popular. Unfortunately, that isn't the only reason. It is the same worst-of-both-worlds combination that WinXP SP 1 was in 2003.


You seriously sure Wordpress is at fault here?

http://wordpress.org/support/topic/396524#post-1506114


Infrequent bugs are a feature; they keep users from having to upgrade their software, which is annoying. That's why I avoid Wordpress.

I've never looked at the WP codebase, but I'm just flabbergasted that a piece of blogging software that's been around this long has so many holes. Anyone who just wants to run a simple blog with minimum hassle on a VPS is terribly ill served by Wordpress.


HN peoplez: anyone have a better tripwire-ish solution that is free?

AIDE - http://sourceforge.net/projects/aide/


Thanks!


Do you have an alternative you recommend?


Sunlight labs blogdor is suiting my needs perfectly. I will be forking and adding my contributions in the near future.

http://github.com/sunlightlabs/django-blogdor


How does this compare to Blogofile, http://www.blogofile.com/, a Python blog compiler that has a lot of blog features?


Suggest a free php alternative please. I need categories, comments, human-readable urls.


As I mentioned in my other comment, I give a thumbs up to Movable Type, particularly in regards to security. The only database access is done on the admin side. When you publish anything, it generates pure html pages. So only you access the database. Users only access html. There are no complexities between these two arrangements.

Movable Type takes just a little longer to set up than WordPress, but hey, many of us here are hackers right? Plus you can tweak the code to your heart's content.


Static HTML is also a lot less resource intensive.

I think the main thing in the way of people using MT is that lots of people get their first introduction to blogging on some free WP hosting first and consider the switch to commercial shared hosting to be an upgrade. People like this wouldn't see switching blog platform as an upgrade so much as an inconvenience.


Weigh PHP, categories, comments, human-readable URLs, and convenience against retaining control of your content or (potentially) the server it lives on.

The people running Sendmail in the '90s went through all these arguments too.

It's hard to understand how a blog package could have created a worse track record than Sendmail (though I can tell you how). But it did.


That is not a solution to the problem. If there was only sendmail, should one stop sending mail?


I rejected your premise. I didn't try to solve your problem. Your need for PHP, categories, and whatever else doesn't make any difference. Wordpress will be as insecure as it will be, independent of your need for it not to be.

Again: avoid Wordpress. If you can't, you have my sympathy.


Drupal has those features, and a pretty reasonable security record. It's not as user friendly as WP, though.


I've been using Movable Type for years, the differentiating factor being that it generates html pages. No worries about database load. No worries about database hacking, the only access to the data or files being through the admin login. The additional ability to customize the code at any depth is a plus too.


More alternatives:

Bloxsom (perl): http://www.blosxom.com/

Jekyll (rb): http://jekyllrb.com/

Hyde (py): http://ringce.com/hyde

mattwdelong mentioned blogdor (django): http://github.com/sunlightlabs/django-blogdor

bravura suggested blogophile (py): http://www.blogofile.com/


I use hyde, it's pretty nice (unlike my blog).


Not to mention pybloxsom


Hey guys - this is a serious question: what is the alternative?

Is there anything that provides 80% of the features of Wordpress at significantly higher security? What about Textpattern (php), Movable Type (perl+php), Expression Engine (php), Mephisto (ror), Type (ror)... what?


Static HTML files driven off a system like Jekyll or Webby, coupled with comments from Disqus would be significantly more secure. It's also much less convenient.


Or run a local WordPress installation and use `wget` to generate a static HTML mirror suitable for uploading to your server: http://www.idlewords.com/2009/09/using_wordpress_to_generate...


Hey,

For anyone having problem cleaning it up, we have a simple script to do it for you: http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-l...


Details of the code are here:

http://sucuri.net/malware/entry/MW:MROBH:1

I am wondering what Google will do if they keep doing malware to hide from them. Their blacklist will become useless.


That code doesn't really say anything about how the blogs were compromised, or anything interesting about what the attackers did with it (yup, they added js to the page via PHP, like every other WP attack).


I agree. I wish I knew how they were getting in. All the sites we got access to so far had no logging enabled.


I have an odd XSS Javascript attack attempt captured in my logs this morning. It's an XSS attack I've not seen before.


Surreptitiously browse sites using a standard user-agent string/IP, and just see if something different shows up?


Question: is there any way to make Wordpress more secure? Otherwise, why're most people here recommending a move away from Wordpress?

(Not saying they're wrong, just ... curious.)


The problem stems from a history of flaws in Wordpress' code, not its administration.


I wonder if Wordpress is especially poor security-wise or simply its popularity attracts too much bad attention.


I wanted to snark "yes", but truthfully, the problem is that Wordpress' security has been average, not especially bad. The problem is that average is terrible. Most average products don't get hit with this level of scrutiny, but certainly the sort of errors that Wordpress makes with frightening regularity are made by numerous other commercial and open source projects as well.


There are unforced errors in Wordpress. Every web application will have a cross-site scripting mistake. It takes a special one to have "anonymous commenter" -> "admin" privilege escalation, or executable style templates.


Alas, I could (but won't) name fairly equivalent errors made at a place that I may or may not work. (If not worse than the ones you mention.) I think the only place we differ here is our exact level of cynicism. "More cynical than tptacek" probably means I need to tone it down.


That is my favorite Hacker News comment sentence of the year. Thanks.


One thing that was mentioned in the linked page is Fantastico, the auto-installer for cPanel. I checked and currently they are including WP 2.9.2 (latest) but there is sometimes a delay updating Fantastico. On top of that, the hosting clients may not know how to update their WP install anyway.


I have seen no evidence that recent problems are anything other than shared hosting sites getting cracked. Note to admins -- running your system with all the virtual host files owned by apache is asking for trouble. Use something like the itk patch for Apache (http://mpm-itk.sesse.net/) where each virtual host owns its files and uses normal permission restrictions to control access to the rest of the system.

Although this won't help those of you who are bone-headed enough to chmod 0777 all of your files...
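A permissions audit for the two mistakes this comment calls out (everything owned by the web-server account, and chmod 0777). Added example, not from the thread or from mpm-itk; it assumes POSIX sh and find(1), and the web-server and site-owner account names are arguments, not values from the page.

```shell
#!/bin/sh
# Audit a virtual host's document root for the two ownership mistakes the
# comment above warns about: content owned by the web-server account (a hole
# in any PHP app then lets the attacker rewrite the site) and world-writable
# entries (chmod 0777). Added example, not from the thread or from mpm-itk;
# assumes POSIX sh and find(1). Account names are caller-supplied arguments.
# wp-content/uploads is the one place the web server legitimately writes, so
# it is excluded from the ownership check.

# List every entry under $1 (outside uploads) owned by web-server account $2.
wp_owned_by_webserver() {
    find "$1" -path "$1/wp-content/uploads" -prune -o -user "$2" -print
}

# List every world-writable file or directory under $1.
wp_world_writable() {
    find "$1" -perm -0002
}

# Print the commands that would fix the findings, without running them: hand
# the tree to site owner $3 and drop the world-write bit. Review the plan,
# then pipe it to sh. Under a per-vhost (mpm-itk style) setup each site's
# PHP runs as its own user, which is the account to chown to.
wp_fix_plan() {
    wp_owned_by_webserver "$1" "$2" | while read -r p; do
        echo "chown $3:$3 '$p'"
    done
    wp_world_writable "$1" | while read -r p; do
        echo "chmod o-w '$p'"
    done
}

# One summary line plus exit status: 0 when nothing was found, 1 otherwise.
wp_audit() {
    n_owned=$(wp_owned_by_webserver "$1" "$2" | wc -l | tr -d ' ')
    n_ww=$(wp_world_writable "$1" | wc -l | tr -d ' ')
    echo "owned-by-$2: $n_owned world-writable: $n_ww"
    [ "$n_owned" -eq 0 ] && [ "$n_ww" -eq 0 ]
}
```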


How can one identify if they've been compromised?

Is there any kind of fix?


Working from http://www.wpsecuritylock.com/breaking-news-wordpress-hacked... If your page has references to base64_decode, zettapetta, or indesignstudioinfo in the source, I'd be worried. For a fix, see http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-l...
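A scanner for the three markers this comment lists, with a rating per hit. Added example, not from the thread or from Sucuri's cleanup script; only the marker list comes from the page, the sample files are constructed, and it assumes POSIX sh plus GNU grep (-o combined with -F).

```shell
#!/bin/sh
# Scan a site tree for the three markers named in the comment above
# (base64_decode, zettapetta, indesignstudioinfo) and rate each hit. Added
# example, not from the thread or from Sucuri's cleanup script; only the
# marker list comes from the page, everything else is constructed. Assumes
# POSIX sh and GNU grep (-o combined with -F).

WP_MARKERS="base64_decode zettapetta indesignstudioinfo"

# Print "file:line:marker" for every marker hit in PHP, JS and HTML files
# under $1. grep's "no match" status is swallowed so an empty result is not
# an error. (Filenames containing ':' would confuse the later field split.)
wp_scan_markers() {
    args=""
    for m in $WP_MARKERS; do args="$args -e $m"; done
    find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '*.html' \) \
        -exec grep -HnoF $args {} + 2>/dev/null || true
}

# Rate one hit ($1 file, $2 line, $3 marker). The two domain-like markers
# have no legitimate reason to be in a site; base64_decode on its own is also
# used by WordPress core, so it rates HIGH only when the same line feeds it
# straight into eval(), the usual shape of injected code, and LOW (look at
# it by hand) otherwise.
wp_rate_hit() {
    case "$3" in
        zettapetta|indesignstudioinfo) echo HIGH ;;
        base64_decode)
            if sed -n "${2}p" "$1" | grep -q 'eval *( *base64_decode'; then
                echo HIGH
            else
                echo LOW
            fi ;;
        *) echo UNKNOWN ;;
    esac
}

# Report one "SEVERITY file:line marker" line per hit, HIGH lines first.
wp_scan_report() {
    wp_scan_markers "$1" | while IFS=: read -r file line marker; do
        echo "$(wp_rate_hit "$file" "$line" "$marker") $file:$line $marker"
    done | sort
}

# 0 when no HIGH hit was found under $1, 1 otherwise.
wp_is_clean() {
    ! wp_scan_report "$1" | grep -q '^HIGH '
}
```

Run `wp_scan_report /path/to/docroot` over the files on disk; checking the rendered page separately (as the comment suggests) still matters, since injected output can come from the database rather than a file.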


WordPress is easy to learn. Technologies that are easy to learn tend to attract a lot of people. Once the people learn enough that they are no longer beginners, then they want more features, more abilities. Rewind the clock to 1999 and you could say the same thing about PHP. It did well because it was easy for beginners to learn.

I think a lot of the people who read Hacker News are people with considerable experience in the tech world. As such, it is easy for them to underestimate the importance of having some technologies that are easy for beginners to learn. It is easy to make fun of a beginner. But everyone starts off as a beginner. More so, technologies that are easy to learn tend to have a resilience that complicated technologies lack. There will always be some version of BASIC out there, even as other, better languages are forgotten.

I do most of my development with Symfony. As such, there is a part of me that thinks application frameworks (Symfony, Ruby On Rails, Django) should be used for all projects. But the application frameworks are only for experienced programmers. I would have felt overwhelmed if my first exposure to computer programming had been Symfony, or Ruby on Rails, or Django.

WordPress does a fantastic job enabling relative beginners to achieve a lot. It deserves praise for that. It offers people a smooth path to move deeper into programming, should they wish to move that way. I've had friends who first learned PHP dealing with WordPress, and later became good PHP programmers overall, and more recently I see them learning other technologies. In another era they might have learned with Visual Basic or Hypercard or Applescript or any of the previous attempts to build systems that enabled beginners to program. But for the last few years, WordPress has occupied that niche in the world of programming.

More so, WordPress is a great platform for web designers to work from. For the intelligent designer who does not want to become a programmer, WordPress lets them do a lot of customization, without knowing much of the technical details of what they are doing.

It is easy to curse WordPress for its security flaws. For that reason, it is important to remember how good it is at the things it gets right.

I agree with elidourado: this is an opportunity for entrepreneurs. The popularity of WordPress, and its occasional problems, provides a good market for services that help designers and other programmers achieve what they wish. Darren Hoyt and I started one such service, a paid question and answer site focused on WordPress:

http://www.wpquestions.com/

It is also worth noting that WordPress is one of the larger categories on eLance:

http://www.elance.com/skills_directory

It is appropriate to complain about the security flaws in WordPress, but entrepreneurs will also think hard about what kind of services can help all the people who need help with it.



