Is Movable Type Any More Secure Than WordPress?

There has been a lot of ink spilled over the recent security holes found in older versions of WordPress. John Gruber of Daring Fireball has pointed out—fairly, I might add—that WordPress is relatively alone when it comes to this class of widespread security breaches.

Is WordPress poorly-designed, security-wise? Is it just a matter of WordPress being phenomenally popular? Or is it both? I don’t know. The same argument continues to rage, 15 years after it started, regarding Microsoft Windows. WordPress has much to offer, starting with its large, generous, active developer community. But I can’t recall any widespread security attacks against Movable Type or Expression Engine, or against hosted services such as Squarespace, Posterous, Tumblr, or, yes, even WordPress.com (a hosted service, rather than software you host yourself).

There is something to be said for the popularity of WordPress. More viruses and whatnot are written for Microsoft Windows than Mac OS X not solely because Mac OS X is more secure than Windows, but also because Windows has an exponentially wider audience. If you’re going to spend the time writing a virus, it’s far more profitable to write for a larger audience.

But there’s a second element, in my opinion. The WordPress security issue is a Black Swan—an unlikely event that is predictable in retrospect. It’s not that Movable Type is any more or less secure than WordPress. If we were having this conversation two weeks ago, it would have been much different—as neither platform had suffered a major security breach at that point. Because WordPress has been hacked in the past, it seems much more likely that it will be hacked again in the future—even if the probability of either one being hacked is equal.

It’s the same heuristic that has us always fighting the previous war or protecting ourselves against the last terrorist attack or economic meltdown and not the next one.

I don’t religiously keep my installation of Movable Type up to date, and I know many other MT users don’t either, and yet our sites don’t get hacked.

Just because Movable Type hasn’t been hacked as of this writing doesn’t mean that it won’t be (it also doesn’t mean that it will be). A minor security hole only becomes a major security hole after it’s been exploited.

Nota bene: When all is said and done, it’s not so much an issue of which personal publishing platform is more secure (or superior, in general). I think the lesson to be learned is to upgrade often. As a longtime WordPress user, I know how tedious—and often destructive—upgrading WordPress used to be. Frankly, if this website hadn’t bitten the dust as a result of human error a few months back, I’d probably be running an ancient version of WordPress as well. Just because outdated installations of Movable Type haven’t been exploited yet doesn’t mean they won’t be. It’s apparently in all of our best interests to update often. (Added September 7, 2009 at 1:55pm)
