Script kiddies have awesome tools (ngra.de)
63 points by iamelgringo on Nov 5, 2008 | hide | past | favorite | 26 comments



Wordpress has had a catastrophic history of insecure code, based on a number of basic design flaws:

* Reliance on ad-hoc hand-coded SQL.

* A system that registers pseudonymous Internet commenters in the same user table as Wordpress administrators.

* Mishandling of internationalization.

Yes, Wordpress is also the most popular blogging platform, and yes, it's also much more dynamic than its competitors, but phpBB and vBulletin seem to have had better track records than Wordpress has. It's just not very secure.
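An added illustration of the first flaw listed above (ad-hoc hand-coded SQL); this is example code written for this page, not Wordpress's own. It assumes a hypothetical `users` table and uses an in-memory SQLite database via PDO so it runs stand-alone.

```php
<?php
// Added example, not from the thread or from Wordpress: a lookup built by
// string concatenation beside the same lookup as a prepared statement.
// The `users` table (id, login, role) is a constructed sample, not the
// Wordpress schema.

// Vulnerable form: the login value is spliced straight into the SQL text, so
// a quote or comment sequence inside it changes the query's structure.
function find_user_unsafe(PDO $pdo, string $login): ?array {
    $sql = "SELECT id, login, role FROM users WHERE login = '" . $login . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: the query text is fixed at prepare time and the value is
// bound separately, so the input can only ever be compared as data.
function find_user_safe(PDO $pdo, string $login): ?array {
    $stmt = $pdo->prepare('SELECT id, login, role FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (login, role) VALUES ('admin', 'administrator'), ('alice', 'subscriber')");

// A login value containing a quote: the textbook way hand-built SQL goes wrong.
$input = "x' OR '1'='1";

// Unsafe: the WHERE clause now matches every row and the first (admin) comes back.
var_dump(find_user_unsafe($pdo, $input));
// Safe: no login equals that literal string, so nothing is returned.
var_dump(find_user_safe($pdo, $input));
```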


Basically, Wordpress is written in PHP and this is the root of all evil.

Let's look at the roots of PHP: it was never designed as a programming language, it was a tiny script language used to create Rasmus Lerdorf's website. Thus, it has a lot of oddities like the === operator.

Do you know why it is there? Because they wrote a broken instr() wrapper and messed up the error handling. And instead of doing one thing right, they added another obfuscation layer. Great design.

Then, PHP was traditionally used by webdesigners, not programmers. This led to tons of bad code and bad practices. It is not that you cannot write elegant code in PHP, but there is so much more bad code around that it is hard to find the good code.

So, why do you wonder about this?


Can we stop this argument already?

Real hackers can appreciate every damn language out there. If it weren't for Basic in the early 80s, I wouldn't be programming now.

PHP is a wonderful gateway language for a generation of web programmers. It is installed on every webserver and is always ready to rock-n-roll. No other language has achieved that level of ubiquity.


No. We can have a productive discussion about whether a language and its frameworks are conducive to secure coding without it devolving into a language war. We're adults here, and there are more than just stylistic differences between PHP and its competitors.


Don't get me wrong, I like using Python. But I prefer small compromises addressing prior mistakes, allowing for backwards compatibility, over a full rewrite.

I think we're a few years past the arguments you make against PHP. If you want to be trendy, you should rail against the people running Internals (namespace separator).


Waiting a few years doesn't make his arguments wrong.


By "past" I meant that they've been adequately addressed.


Despite the qualms I have with PHP, you can't blame the language for design flaws in the software.


Sure you can. People do it all the time with C.


Hah! Fair enough, but my point was that those claims aren't legitimate. Especially those claims about C.


phpBB has an atrocious security record as well.


I'd deploy phpBB in its default configuration before I'd deploy default Wordpress. (Our blog is Wordpress).


phpBB has an atrocious security record. It's gotten much better since version 3.


I think I could credibly dispute the record here, but I think we can also probably just agree that today, phpBB is hobbled by fewer design errors and better hygiene than Wordpress. Wordpress is just a scary glob of PHP code.


Isn't the basic design flaw being programmed in PHP?


There are PHP programs with decent track records. PHP doesn't make it easy to write secure web apps, but it's not a lead weight either.


Anyone who has read Wordpress' source code should not be surprised that it is the most exploited piece of software on the web.

It was not created by programmers. It was created by web designers (hence its great visual design).

Wordpress was probably the only company that has migrated from Ruby to PHP (when they purchased Gravatar).


Not just one. Derek Sivers: "I spent two years trying to make Rails do something it wasn’t meant to do, then realized my old abandoned language (PHP, in my case) would do just fine if approached with my new Rails-gained wisdom."

http://www.oreillynet.com/ruby/blog/2007/09/7_reasons_i_swit...


"Wordpress was probably the only company that has migrated from Ruby to PHP"

This is just childish. Different tools and languages have different uses. End of story. Ruby isn't better than PHP, PHP isn't better than Ruby - That's like saying a screwdriver is better than a saw - It depends what you're trying to accomplish with the tool.



Most of the blog exploits on the web (including the one in the article) seem to be focused on WordPress. Are there are a large number of people exploiting vulnerabilities in other blogging platforms, like Movable Type?


First, I assume this is for the same reason that most viruses are for Windows -- WordPress is one of the most common species in the ecosystem.

Also, if I understand the architecture of Movable Type correctly, it renders much of the site into static pages. I would expect that this tends to reduce the number of points where vulnerabilities would be possible, at least as far as points where it might be exploited via causing it to execute with malicious parameters via an HTTP request. I.e., in Wordpress, every page you load is the result of the execution of some PHP scripts, while in a blog that is rendered to a bunch of static files, it's conceivable that the only thing that unauthenticated users can mess with is the comment system.


Yep, much of Movable Type is static. I think there is an option for dynamic pages but by default it's static.


target platform is presumably based on the dominance of the platform in the market.

http://www.google.com/trends?q=joomla%2C+wordpress%2C+drupal...


This happened to one of my old wordpress blogs; I had to delete the whole thing. That's why I just use blogspot through Google now; it's not worth the time to keep track of all the updates and stuff.


Now point-and-click kiddies are the rage. Scripts are so 90s.

"No sympathy for the devil, keep that in mind. Buy the ticket, take the ride."

