wordpress I hate you

After seeing that I possibly might have had some exploits run on my site again, I upgraded to WordPress 2.8.

After reading up on hardening WordPress, the official site mentions AskApache, some plugin that helps hardening. I'm not too sure about it yet, because it wants to be writing .htaccess files in my directories and for that I have to open up more than I would want. But hey, let's give it a go.

At some point it creates a username and password that you choose. I go on and configure stuff, not knowing very well which of its many modules I'm supposed to activate, or why.

I forget about it, and ten minutes later I check my mail. I have a mail from AskApache. With my login details. And the password in plaintext.


Is the WordPress security model just fundamentally broken?


  1. yes

    Comment by anders — 2009-07-02 @ 14:25

  2. Yes.

    Comment by WP Hater — 2009-07-02 @ 14:27

  3. Yes, in fact, WordPress does suck. It only works with one database, the code is somewhat messy, and it has a horrible security record. The only good side is the large number of plugins and themes.

    Comment by Andreas — 2009-07-02 @ 14:47

  4. Your rss feed still contains spam. (the headings are the same as on the site though)

    Comment by Jauco — 2009-07-02 @ 15:25

  5. seriously, blame php.

    Comment by Andrej — 2009-07-02 @ 16:08

  6. Try Dotclear, a really good French soft! http://dotclear.org/

    Comment by Kagou — 2009-07-02 @ 19:51

  7. Any progress on your CD ripping app?

    Comment by smably — 2009-07-02 @ 22:16

  8. You might want to just run a hosted wordpress instance (wordpress.com) and let them manage it for you… seems mostly ok, it’s fairly easy to point a domain there if you want to.

    Comment by Michael DeHaan — 2009-07-02 @ 22:27

  9. I saw this post on Planet Python.

    You should definitely give Zine a try — http://zine.pocoo.org.

    Comment by P. Gowda — 2009-07-03 @ 00:43

  10. I’m just glad your title isn’t “I hate AskApache” which given the circumstances seems more appropriate…
    Blame my poor php coding skills and lack of documentation. It was my decision and my code that emails you your htaccess login details, too many people were forgetting it.

    But since you make an excellent point about this being somewhat poor security, I will make the auto-emailing optional and include better documentation about the security modules.

    WordPress is by far one of the best programs I’ve ever seen in my long and torrid affair with the net, and because it is open source it will continue to get better and better. Don’t give up on WordPress!!!

    Comment by AskApache — 2009-07-03 @ 02:53

  11. P.S. I’ve never been hacked or ever had any security problems. The only security issues that WordPress has are poorly vetted insecure plugins and also the webhosting server it is located on. Believe me I’m a hacker.

    Comment by AskApache — 2009-07-03 @ 02:56

  12. set allow_url_fopen to off in your php.ini.

    Comment by alex — 2009-07-03 @ 04:42

  13. Yes, the security model is rubbish (you should see the mod_security exceptions around to allow it to work) and it’s limited to MySQL, there’s two reasons to dislike it.

    The AskApache plugins are utter crap (I banned them from my servers) as they like to phone home quietly, which is probably the reason it sent you mail :-(

    Comment by Michael Fleming — 2009-07-03 @ 12:05

  14. if you aren’t prepared to follow the security mailing list and update as soon as a new version is out, stop installing php apps on your server (although the same rule is valid for non-php webapps). it’s that simple.

    get a hosted blog and point a subdomain to it. then you have people looking after the security 24/7.

    Comment by sdf — 2009-07-04 @ 00:16

  15. Haha, clearly only an amateur would say something like that about public, open source code.

    All my plugins’ source is online, so it’s funny that no code was posted to back up your flame… Of course if you weren’t outright lying you would simply prove it. Post some code to prove it or else keep your lies to yourself unless you don’t mind getting sued

    Comment by AskApache — 2009-07-04 @ 09:15

  16. @Sylvan: I’m getting it ready for a first release. Sadly I found what seems to be a bug in cdrdao with the pregap detection, and while I was hopeful to be able to work around it, now it seems the bug isn’t consistent so I can’t do a simple workaround. Might choose to release with a caveat anyway.

    Comment by Thomas — 2009-07-05 @ 19:17

