Allen Stern
Wordpress Exploited – 2.8.4 Release - http://www.centernetworks.com/wordpre...
Hmmm...time to switch to MovableType? - Jesse Stay
I don't know, Jesse - but as I told the guy from Rackspace a few minutes ago, this is still happening way too often :( and now that it is inside Google, once again I am going to lose rankings - Allen Stern
The WordPress code-base is a mess. Either someone needs to do a re-write, or something new needs to come out that's written well. These systems are all getting old. Of course (can't say for today), the last time I tried MovableType, its code base was a mess as well. - Jesse Stay
I'm tempted to try MovableType though because I write Perl, and MovableType is part-written in Perl, something I'm familiar and comfortable with, and something I can seriously contribute to if it isn't working well. - Jesse Stay
It's too bad that Drupal has such a crap admin and can't handle things like trackbacks - otherwise I never would have left :( - Allen Stern
A friend of mine is finishing up his custom blogging solution. I might just give it a test subdomain next week. - Chris Heath from iPhone
I have an MT blog and a WP blog and WP is worlds easier for me to work with. Unfortunately, it appears hackers feel the same way... - Dennis O'Neil
I find WP is easier too, Dennis - and you are probably right - Allen Stern
Rackspace now thinks it might be an issue with the All in One SEO Pack - we are going to do some testing shortly - Allen Stern
Now they are running some XSS scanner - Allen Stern
Possible that your local system has been compromised? Keylogger and such? - EricaJoy
Unless someone takes an OpenBSD approach and extends it right down through the webserver and on through to the blog/CMS application, more than a couple (many more) vulnerabilities per decade should be expected. However, the most secure stack would have far fewer features and won't have the sizzle to which a mainstream audience is drawn. - Micah
Micah, can you expand a bit on what you mean by "extends it right down through the webserver"? What's "it"? WordPress? And down through the webserver? Do you mean making a WordPress-specific webserver instead of Apache? Or on top of? I guess you can see I'm a bit confused - Chris Heath
Based on this post, I went and checked my 3-day-old, no-weird-plugin WP 2.8.4 installation with my spamcheckr tool, and I find out -- I've been hacked again. No FTP ports open. WP has become too insecure, period. - Jorge Escobar
And I'm hosting on a dedicated EC2 instance with all ports closed - Jorge Escobar
Chris, what I mean is the security of the "platform" depends on the weakest link of the stack. Debian + Apache/mod_php + WordPress + Plugins + user customizations is a lot more risk exposure than just Debian. An OpenBSD approach means the whole stack is maintained with a strict, security/correctness standard—raison d'être even—that supersedes and holds back other design goals. Doing so solely within the confines of an OS is hard enough. A commodity blogging solution is a much steeper challenge. - Micah
I've been considering moving my blog to AppEngine for a while. I've been a fan of WordPress's easy install/customizability/updates, so it's not an easy move for me to make. - Matt M (inactive)
Micah, thanks, I kind of thought that's what you meant... sounds a bit like my aforementioned friend's custom solution he's been working on. - Chris Heath
Chris, interesting - keep us updated. :) - Micah
FYI - Rackspace sent over a log showing someone from Russia logging into CN through the admin panel and manually editing the footer file. We don't know what username they used, but I can assure you the CN password was a strong one. I am going to make a longer post about some very simple things WP could do to make the blogs instantly more secure - for example - why can't I turn off theme editing? I never use their theme editor - clearly if I could, this wouldn't have happened, perhaps. - Allen Stern
You can always change the permissions on your themes and plugins directories so they can't be changed from the WordPress admin - Jesse Stay
Just did that, Jesse - I wonder what percentage of WP users edit their themes using the editor - Allen Stern
I bought exploitpress.com :-P - Allen Stern
Allen, one thing I do that I think would protect you is to use an .htaccess file to protect access to your /wp-admin directory. It gives you a lot of extra protection for only a little bit of trouble. Here's how to do it: http://www.mattcutts.com/blog... - Matt Cutts
It's time for a "new Sheriff in town". We have been avoiding this for some time, too long. And I don't know why, other than the paradigm of response to bad behavior over the 7 disciplines of life has been redirection and avoidance rather than confrontation. Hackers need to be confronted. Period. Stiffer penalties, not more castle moats, honeypots and double-locks. Attacks have gotten to the "If you build it and it gets popular stage, they will come". There is no longer any place to go that will be safe until this showdown at the "OK Corral" is a done deal. - Melanie Reed
Thanks Matt - the only issue with this is that I would have to edit the ftp each time I want to make a post away from home or the office - I guess this is what we must deal with... now I just hope my Google ranks come back - finally the viagra is out of Google for my other sites so I hope those stay clean. - Allen Stern
Yup, that's the main annoyance. But it gives me peace of mind to know that 95% of zero-day attacks can't get at my blog, because they aren't coming from the right IP addresses. - Matt Cutts
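The three mitigations raised in this thread, Jesse's read-only theme and plugin directories, Matt's IP allowlist on /wp-admin, and the wp-config.php constant (DISALLOW_FILE_EDIT) that switches the theme editor off, written up as one shell script. This is an added example, not code from the thread, from Matt Cutts's linked post or from WordPress itself; the WordPress root path, the stock wp-content layout and the addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from this thread): the three hardening steps discussed
# above as shell functions. Assumes a stock WordPress tree under the given
# root; the IP addresses passed in are placeholders.
set -eu

# 1. Fence /wp-admin with an allowlist. Apache 2.2 "Order/Allow" syntax,
#    matching the thread's era; on Apache 2.4 use "Require ip ..." instead.
write_admin_htaccess() {
    wp_root="$1"; shift
    out="$wp_root/wp-admin/.htaccess"
    {
        echo "# Only the listed addresses may reach the admin panel"
        echo "Order deny,allow"
        echo "Deny from all"
        for ip in "$@"; do
            echo "Allow from $ip"
        done
    } > "$out"
    echo "$out"
}

# 2. Make the theme and plugin trees read-only, so neither the built-in
#    theme editor nor anything else running as the web-server user can
#    rewrite files such as footer.php.
lock_theme_dirs() {
    wp_root="$1"
    for d in "$wp_root/wp-content/themes" "$wp_root/wp-content/plugins"; do
        find "$d" -type d -exec chmod 555 {} +
        find "$d" -type f -exec chmod 444 {} +
    done
}

# 3. Turn the theme/plugin editor off. The define is inserted right after
#    the opening <?php tag so it is set before wp-settings.php runs; a second
#    call is a no-op, so the file never ends up with two defines.
disable_file_edit() {
    cfg="$1/wp-config.php"
    grep -q 'DISALLOW_FILE_EDIT' "$cfg" && return 0
    awk 'NR == 1 && /<[?]php/ {
             print; print "define(\047DISALLOW_FILE_EDIT\047, true);"; next
         }
         { print }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}
```

Run it against a copy of the install first; the allowlist also locks out legitimate posting from any address not listed, which is the annoyance Allen and Matt discuss above.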
I want a WP-retina scan plugin. - Allen Stern
We can't just keep building up defenses and running. We have to fight back with stiffer penalties and focus on tracking software. No more excuses. No more 'we were just having fun trolling and sniffing'. OK, boys, but let's try not to have "fun" like this next time. Thank you, Mr. Gov, for going easy on me. No. That's it. - Melanie Reed
Melanie - I don't think that stiffer penalties are the right answer. The determined script kiddies will just wardrive to find an open wireless network (or one with a poor password) and do their stuff through anonymous proxies. It's a technological failure here, not a legal one. We can prosecute a poor, dumb kid every once in a while to send a message but the dangerous ones will be getting away. - Matt M (inactive)
Matt, I appreciate that but respectfully, I disagree. I read nothing of Kevin Mitnick's exploits that indicated that he wouldn't have had a change of mind about his activities IF he had been dealt with properly in the beginning. It was his admittance of a growing lack of respect for the paradigm of response that furthered his "wardriving-hacking" efforts. In short, he was laughing at all of us. - Melanie Reed
One thing to consider is that Kevin Mitnick wasn't hacking with the intent of vandalizing and/or spamming. He was hacking to satisfy his own curiosity. I would say that intent has to factor into this - it's the difference between hopping a substation fence to explore vs. hopping the same fence to cause a blackout. If you were caught in that act of hopping that fence, the justice system would certainly factor your intent into the charge and sentencing. He shouldn't get away scot-free, but I don't think we should throw the book at someone who has a promising life ahead of them with the right guidance. - Matt M (inactive)
Micah, I rang my friend up and asked him about his project and he said that he has thought about open sourcing it, but decided against it -- but I'm working on him. He said that he'd have to code a conversion tool to import your WP database, and I replied that if he open-sourced his code someone else could code the conversion tool. ;-) - Chris Heath
Matt, there's a character in Dostoevsky's Crime and Punishment, Razkolnikov, I'll call him "Raz" for short, who thought the same thing (being exempt from consequence of action because he believes he has more worth to society than his actions against it). In the end, he finds his theory does not pan out. ;) - Melanie Reed
I'm not sure that classical literature is the appropriate model for IP crimes like this, myself. This sort of discussion doesn't make much headway on FF, I think. ;) You do bring up some interesting points though - thanks. - Matt M (inactive)
Matt, it logically ties my point from the abstract to drama to "kitchen table talk". That is exactly my point: it is time society stopped sending the message that "you are special" to the already overabundant narcissistic tendencies our highly individualistic society encourages. C/P was making the point through drama of what happens to both the individual and society when we allow that attitude to reach its logical conclusion. To bring it down to everyday: this attitude will not lead to more secure programs but an escalation in the war till very serious and irreparable consequences happen to countries, not just individuals and markets. - Melanie Reed
Allen: I can't comment over on your blog (the hospital I'm in is blocking access to it), but I see that Matt is still having an attitude that I'm getting some sort of special treatment. I am not. I'm still getting hacked too, despite putting in place all these measures and others. We need Matt to work with us to fix these issues, whether they are WordPress issues or Rackspace issues, and stop blaming (in return I won't blame him in public either). - Robert Scoble
Allen (continued): Rackspace probably is the largest WordPress hoster outside of WordPress.com, so it's in both of our interests to figure out what's going on and get these issues fixed for our customers. - Robert Scoble
Thx Robert - I told the team tonight that if they can figure it out, it sure could be a great selling point. Rackspace does have excellent customer support - I mean they called me at 10:30pm on Friday night and I am not even a big customer. - Allen Stern
I don't think Movable Type is secure against attacks; it is just that WordPress is very popular. A lot depends on users' browsing practices too. True, WordPress and Rackspace need to resolve the issues inflicting such attacks - testbeta