Robert Scoble
I don’t feel safe with Wordpress, hackers broke in and took things -
Well, if you have fixed the hole by upgrading; you should feel a lot safer now. I guess strong user adoption does bring the wrong kind of attention. - Anindya Chatterjee
Anindya: we're watching. Looks like they haven't gotten back in since the upgrade and some of the other changes we made. Knock on wood. - Robert Scoble
I'm very tempted to switch to a SixApart install. As a Perl programmer I'd be much more familiar with the backend. - Jesse Stay
Robert, btw, I'm sure between all your users you can find a backup. I have a bunch via Google Reader I could get to Rackspace to import for you. I'm sure others have even older entries than I have. Let us know if you want help restoring the old! - Jesse Stay
robert - i can tell you this - you need to watch it like a hawk - when i thought i was safe - i wasn't - InsideTransit continues to get hit - and I still believe there is some patches and stuff that RS can do as well - the bigger issue is what's on the server - because that's where they put the shells and then they can do whatever they want. - Allen Stern
Not cool, hopefully things will work out. - Kim Landwehr
Jesse: luckily it was July and August, when I wasn't doing much blogging. No biggie. Thanks. Allen: yes, Rackspace Cloud has a security team now and they are actively looking at ways to make Wordpress safer for our customers. It really sucks getting hacked. Let me know if you find any other ways to protect the systems. - Robert Scoble
Robert: Yea getting hacked sucks. My early days with my blog I got hacked and luckily my ISP had a backup. Since then I have treated my Wordpress blog like any dev site - with a subversion repository and complete backup. But there are days... like today... when I think strongly about a platform like typepad. - Arthur Coleman
what i have found is locking down the files helps - but you need to ftp into your site and make sure that nothing has been edited or added - in my case, on all my sites, the hackers put files all over that were base64 files - and what they do is include them into WP or they just run them direct - nearly a full shell. i've asked RS to create a way so that i can be notified of any changes to files - they say it's too heavy to run. - Allen Stern
Robert, I just miss the traffic from your "You are SO Unfollowed!" article. (one of the casualties) ;-) - Jesse Stay
There's a lot of great info they deleted - I'm a little ticked they would be completely insensitive like that to prove a security flaw. It affected much more than just you. - Jesse Stay
Jesse: yeah, that's probably the one blog that I miss. It's also the one that got me to notice they deleted a couple of months. - Robert Scoble
Jesse: that still is cached over on Google at - Robert Scoble
No way "You are SO unfollowed" is out? I loved that one! :-( thanks for the cache Robert - Sofia @ SoMaFusion
If you have no time to take care of yuors blog, maybe it's better if you choose the pro offer from ( I think can have the minimum requirement to stay there). - wolly
here it the VIP hosting - wolly
wolly: it's not just about time, attacks come from all directions so you've gotta have a holistic approach to security. How many of you regularly change passwords and make sure they are really good ones? (Twitter got broken into not because of hacks, but because they didn't practice good password security). - Robert Scoble
It saddens me: it is morally reprehensible your hosting company convinced you to switch with the seduction of plugins and customization without emphasizing or handling the increased responsibility of upgrades. Your blog was not unique and not a special target, the worms sweep across millions of blogs indiscriminately and hit whatever is vulnerable. If your host is lax in upgrading, the same will happen again and again. (Hosted platforms are vulnerable as well, just they usually have stronger incentives to stay updated.) - Matt Mullenweg
that's true :-) I use password very strange and very verylong that I cannot remember and I use a service like to login. - wolly
wolly, Robert was hosted on for about 4 years -- he was actually the very first VIP. Although there were dozens of security updates to WordPress in that time, his blog never had a problem because it was always up-to-date. He only switched away a few months ago. - Matt Mullenweg
Ciao Matt :-) I didn't know that, so scoble come back to the light side :) - wolly
Matt: yup, that's true. I've learned my lesson. Running your own servers are a lot harder than just having them hosted on - Robert Scoble
To be frank, it completely breaks whatever trust I had in Rackspace. - Matt Mullenweg
But Matt, I've been talking with many blog owners, including at TechCrunch, and they say that Wordpress' updates break their custom plugins. That's why they don't upgrade immediately. So, sounds like Wordpress has a mess on its hands that the hosted version of Wordpress didn't have (I couldn't run a lot of plugins and video embeds and other fun things on the hosted version of Wordpress). So, to blame it on my hoster/employer (Rackspace) exclusively isn't really a good attitude either. - Robert Scoble
Robert, It happens. We were hacked too. My observations lead me to believe that this summer was the worst in a long time. Its a war and its going to be a war until the attitude towards hackers changes. Let's stop being fascinated in the least bit by how they do it (this goes towards Kevin Mitnick and his supporters- I don't ever want to pay good money to read about your scams on the elderly and the unwary as a required college textbook again) and treat it as the crime it really is: one that disrupts people's lives and jobs. - Melanie Reed
Matt's got a point that with greater power (self-hosting) comes greater responsibility (more need to keep an eye on security), but I think to say that Scoble's blog was not a special target is a bit disingenuous. High-profile sites are always a higher-value target. - Rachel Luxemburg
Matt: I think you need to really look at all the damage that's being done to a wide range of sites, many of which are NOT hosted at Rackspace, before throwing more barbs. That's bull. Sorry. But I added a link to this conversation to my blog so people could see your point of view. - Robert Scoble
If a plugin is preventing you from upgrading (did it?) then let's figure out how to fix that plugin. All I can do in WordPress is build in the notices (your blog was asking you to upgrade for months) and the one-click updates for both core and plugins. I agree it's not your (Robert Scoble's) fault because I don't think you made the conscious decision to take on the increased responsibility. - Matt Mullenweg
Matt: the reputation around the Net is that upgrades on Wordpress break things. This wasn't a Rackspace recommendation. It's also a problem with all upgrades. I've gotten hosed by upgrades elsewhere. Look at all the people upgrading to Snow Leopard who are having things break. - Robert Scoble
Matt: TechCrunch hasn't upgraded its blog either and it wasn't hosted on Rackspace (at least not until a couple of days ago). - Robert Scoble
I'm not saying there isn't lots of misinformation around the net, I'm saying "how can I help your blog, please." If it's a plugin preventing you from upgrading, let me know the plugin and we'll fix it even if we didn't write it. That's the beauty of open source. - Matt Mullenweg
Robert -- Avoiding upgrades because they're annoying to deal with isn't a viable longterm strategy. - Rachel Luxemburg
they need to take care of Scoble's blog, well for he is a VIP and the smashing they would have would do a lot of damage to your customer base and otherwise, would they reply to an ordinary guy say like me? i think not,well wordpress/automattic is having their tough moments, hope things get well and they get their repute back - testbeta
Matt - you blaming Rackspace for security vulnerabilities in YOUR software platform is kinda like blaming Dell when a Windows box gets hacked. I think you are being irrational. - Rob La Gesse
Matt: in my case it was the REPUTATION of Wordpress's upgrades that was keeping me from upgrading. I was waiting to see what other people reported broke. I didn't realize the severity of the security problems. But, I am now upgrading automatically. So I'm fixed. But you still have a reputation problem. Lots of people are reporting things break when they upgrade. - Robert Scoble
Rob, I'm not blaming them. I'm saying it's the responsibility of any host, of any software, to stay up to date. If there was a SSH vulnerability on Robert's box I would say the same thing. Software updates are inevitable, there is no such thing as bug-free code, so staying up to date is a must. - Matt Mullenweg
Isn't all this open source code? If it's broken, why not fix it? Doesn't everyone have the responsibility to do that? It's not any one source's fault in that case. - Jesse Stay
Matt - I agree with you. So make Wordpress upgrades SAFE, automatic AND do some internal validation of plugin code to let users know they may be running something that is potentially insecure. - Rob La Gesse
Matt, agreed. Not when its turned out as fast as people are yelling for it. People can't have it both ways. - Melanie Reed
Matt: all Rackspace was providing to me was a Linux host. I was responsible for getting my upgades done on anything I ran on that system. But now we have a team making sure we're following best practices. That is NOT Rackspace's problem, though. That's like blaming Microsoft for a bug in Adobe software. - Robert Scoble
I never listen to the reputation, I always upgrade as a security upgrade is out, and if a plugin doesn't work or I deactivate it or I fix it. Security is much more important than a plugin and Matt knows how many plugins has my blog (when he looked my backend he was very sad ad he said that it was the first time for him to see so many plugin in a blog :-) ) To have a self host blog it's difficult and time expensive. - wolly
There are several very useful plugins specifically addressing security issues; and monitoring WP for suspicious activities (both on file and database level). Here are some articles with tips to harden your blog (delicious bookmarks). I only install plugins from authors from whom I know that they implement top level php; no breaking of upgrades on my 3 WP blogs has taken place (2.7-2.8-2.8.4) - Jeroen De Miranda
Yeah, plugin issues are the responsibility of the plugin developer, not Wordpress's. I don't see how this is Wordpress's or Rackspace's fault. - Jesse Stay
By the way, Matt, Sheamus, over on my comments on my blog, says he has the latest upgrades in place and he's still being broken into. You might help him figure out how the hackers are breaking in still. - Robert Scoble
Sorry, I was under the impression Rackspace had recommended you move away from and taken responsibility for the system. I was worried about your blog -- I emailed you about this in August but never heard back. It breaks my heart when someone's WordPress gets compromised. - Matt Mullenweg
I understand the feeling though - if people are still being broken into after being told a fix was made, especially if you're not a developer, that can be a little scary. I'd look to other solutions in that case if it were me, and it's no one's fault. It's just perception and fear, very valid fear. - Jesse Stay
I do believe there is a false sense of securty that WORDPRESS fosters by hosting plugins. I think many assume that because they download the pluging VIA Wordpress, and FROM Wordpress, it is somehow vetted. - Rob La Gesse
Matt: no. I wanted to move to my own install of Wordpress so that I could run many more plugins and start doing stuff other professional bloggers were doing. I am learning very quickly just how much work goes on behind the scenes to make sure my words were protected. - Robert Scoble
Once you've been hacked once if you don't clean up every trace (preferably a systems person does this) it's very likely something is left that allows the spammers to easily break back in, regardless of what version you're on. That's why the trouble with upgrading is worth it, it's much, much less than the trouble of fixing a hacked blog. - Matt Mullenweg
Jesse: yeah, at Microsoft when a box got broken into they wouldn't let you use it anymore. They forced you to reinstall it with all patches loaded. They assumed that it was compromised and that someone stuck a back door in somewhere. That's a lot of work too. - Robert Scoble
install either wp-backup or wp-dbmanager and configure database backup: every day; download to your local pc (or to a system other than your hosting provider); run a check once a month to see whether you can reconstruct the blog in case of calamity, That is my procedure; works fine. - Jeroen De Miranda
if a commoner gets hacked, then he should move to services or what? - testbeta
they should just make it not have any security holes! - Mark
Robert, if you like I'd be happy to host your blog for you (and I'm on Rackspace servers). I can keep it secure as well. I'd only ask some mention of SocialToo somewhere (or payment of some form in order to cover the cost of bandwidth). - Jesse Stay
I would also be able to keep it backed up for you. - Jesse Stay
I'll also install any plugins you're interested in trying - Jesse Stay
Jesse: in my case, I now have a team of the top security guys at Rackspace working on it and making sure my system is up to date and backed up. They also are learning a lot about this and other people who have had problems and are building a list of best practices. - Robert Scoble
This is eventually why I didn't go with Mosso. The service looks good, but you still have to manage your app yourself which opens you up to problems like you've experienced. It would be cool if they offered another layer of management on top so apps could be completely hands free. - Todd Hoff
the alternative (i.e. strong vetting of all plugins) would turn the whole WordPress ecosphere into something such as Ning.... only some 300 addons (as far as I know); little flexibility very intransparent how to get your addin accepted .... Not an attractive model for me.... - Jeroen De Miranda
Robert, excellent - just wanted to make sure the offer was out there. Maybe that could be a tiered service for Rackspace, although I'm not sure it's something Rackspace wants to get into. Bluehost barely makes any money off of that type of service. - Jesse Stay
Steve: I think that's a reasonable set of assumptions. The grass is always greener on the other side of the fence. When I was on I was always jealous of blogs that were able to run the latest plugins and use the latest embed codes from various sites. - Robert Scoble
Robert, it's even more fun when you can customize the plugins and themes as a developer. :-) - Jesse Stay
@testbeta is a very good choice if you don't have time or you don't know how to manage security on yors self hosted blog - wolly
wolly: that takes out the open source fun part ;) well i have nothing much to do on my blogs so i keep mine updated ;) - testbeta
I agree with you :-) but many people love blogging non update theirs blogs :-) - wolly
when my sites were hacked - a wordpress employee reached out to me- i dont remember her name but we sent a few emails - i could write for days about what happened to my 5 sites - my take is simple - i think the issues are a combo of rackspace (my host) and wordpress (my software) - i can tell you this - in 3+ yrs on drupal, i was NEVER hacked. and Matt is right - the real issue is that the hackers put files all over which can control all your stuff no matter wp version you are on - in addition, the real power is in those shell files - that keep killing my sites :( - Allen Stern
Allen - what version of WP are you running today? - Rob La Gesse
2.8.4 on all of them - Allen Stern
Allen - good :) - Rob La Gesse
If there's a shell script on the same server as you, even if it's not your account, everything on that server is at risk regardless of the software or its version. - Matt Mullenweg
Matt - that is NOT true - Rob La Gesse
I would switch to a new server if I were infected at this point. - Jesse Stay
Properly configured, user space can be isolated and these scripts cannot cross-pollinate. - Rob La Gesse
It can be -- but publish a shell login on your server and we'll see. ;) The right answer is to scrub that sort of access. - Matt Mullenweg
Matt - that comment on the "shell script" is silly. What are you actually trying to say? - Robert J Taylor
Some sort of backdoor that allows a remote user to execute code -- it's super common. - Matt Mullenweg
rob/matt - that wsa one of the biggest issues with my RS account - i had all the sites together in one "client" so when they hacked one - they were able to move around with their shell script into all my other sites - now each site is in a sep. "client" so the damage can only hurt me on one site - and believe me it does hurt :( i believe insidetransit and centernetworks are hit in google - Allen Stern
Allen - that was within one user space though. So what I stated above still stands true. - Rob La Gesse
Allen and Robert are big enough that if they had a problem they could contact us and we'd help them, though as far as I know neither did, but I worry a lot more about smaller folks who get hit in the same way. The knowledge for how to properly clean up after a hack is more systems than software and not widespread. - Matt Mullenweg
As Allen mentioned above, he did have a conversation with Wordpress. - Rob La Gesse
matt - thanks for putting me in the same category as robert! *blush* - i did reach out to you - and your security guy was helping me big time - it seemed to turn out that the WP Contact Form 7 was the thing that caused it to start - i didn't document it all online because the security guy wanted time to get the plugin developer to fix the upload hole. - btw his name was mark jaquith and he was great - Allen Stern
So why not some scheme where Wordpress vets a plugin and "blesses it" - perhaps a small charge for this service? As long as Wordpress is advertising plugins on the dashboard I think there ample reason to hold Wordpress to some level of accountability for those plugins - Rob La Gesse
rob - that's what i told mark - they should offer that service for a tiny fee - stamp a "certified" stamp on it. - Allen Stern
Just updated all my sites, doesnt look I was hit. - sean percival
sean - no one would hit you - they know you would lala all over them - Allen Stern
sean - happy for you! - Rob La Gesse
I've read almost all of the comments here, not hearing these mentioned once: Robert did not backup, kept the default 'admin' username and failed to update. These are three of the most basic security measures out there. Not blaming it on Robert, because we all fail on this sometimes, but these basics really are important! - Abounding Media warning of Mark in April - kept me away from WP contact form 7 - Jeroen De Miranda
I've written a much longer post on this: - Matt Mullenweg
Abounding: yup. And the lesson here is don't host your own version of Wordpress unless you have a security team making sure you're doing it right and backing up (something I never did on, by the way). Oh, and Twitter taught us that even if you do all of that you've gotta make sure you pick great passwords and think through ways that social hacks could be done to get into your accounts. - Robert Scoble some great tips of Mark Jaquith on writing secure plugins - I use these and other tips when scanning the PHP code of new plugins that I intend to use (before deploying them) - Jeroen De Miranda
Jeroen, thanks for posting that. I've had phishers getting into one of my WP installs recently, but couldn't tell which plugin it was. I deactivated two plugins, including CF7, the other day, and haven't had any more problems. And a shoutout to Ryan Boren on the WP dev team for helping me to de-infect. - John Craft
Robert: Welcome to the world of web development for impatient users and disgruntled hackers - Melanie Reed great post of Matt Mullenweg about WordPress security! - Jeroen De Miranda
john - the CF7 is what killed me a few months ago - it's because the form allows uploads even if you don't actually have them on - i believe they patched it but i have not gone back there. - Allen Stern
anybody know if a little smily face appearing in the lower right hand corner of ones footer is a sign of a compromise on a self hosted wp blog? - Richard Reeve
John, your are welcome! SQL injects attacks specifically exploit data entry fields used by the plugin; one should at least scan the PHP code of these plugins, and look at what kind of escape functions are used around handling of the data entry. - Jeroen De Miranda
"it's because the form allows uploads even if you don't actually have them on" - wow. That's bad. - John Craft
Richard is wp-stats smily :-) - wolly
"anybody know if a little smily face appearing in the lower right hand corner of ones footer is a sign of a compromise on a self hosted wp blog?" - if you didn't put it there, it probably is. In your admin go to appearance, theme editor, and read the footer.php file. - John Craft
Richard - are you using the Stats plugin? - Andre Natta
some plugins worth considering to install are: wp-exploit-scanner, wordpress file monitor, WP security scan, anti virus - Jeroen De Miranda
I don't understand why people are worried about a plugin breaking when it comes to upgrading WordPress. If a plugin does break, disable it for the time being. I rather have a secure installation of WordPress running and would worry about fixing the plugin afterwards. - Jason Hansen
Hmmmm . . . I run WP Stats, but see no smiley face. - John Craft
ah...thanks folks...stats it is. I'm not paranoid... - Richard Reeve
The problem with WordPress is that it forces you to upgrade. Imagine if Microsoft forced everybody to upgrade to Vista/Windows 7 in order to get their security holes plugged. WordPress should release security patches for the current and at least for the previous version. - Nikolay Kolev
They dont force you to upgrade. If you dont want to patch, you can leave it at the current version ( but with a risk ) - Kashif Khan
Where's the patch for the 2.7 version then? - Nikolay Kolev
Their versioning strategy bumps up numbers even for patches . And how many versions behind should they support ? - Kashif Khan
Many of the WordPress security issues are not coming from the WordPress itself, but from the poorly written WordPress plugins. I think it would be nice if Automattic starts an "Automattic Certified" program giving blog owners the peace of mind they need. Every hacker can upload a plugin at, advertise it as something great, bloggers install it, see that it's nothing as advertised, uninstall it, but the WordPress instances are already hacked. - Nikolay Kolev
Plugins are open source and free and nobody (well, with some exceptions) would pay to get their free plugin certified. The only way to do this is by having a community review process, based on some credibility score and voter authority system where 1,000 fake hacker accounts won't, for example, outweigh Matt's or Mark's votes. - Nikolay Kolev
part of the problem is the cry wolf syndrome - if i updated every day wordpress had a security problem i'd want to be salaried on the payroll :D Wordpress needs some sort of alert notification - twitter or something that indicates if there's an update AND the severity and if its severe enough sends it to my phone. - mal
let me play the other side of the coin - i've been using vbulletin for my forums for probably more than 5 years - and it's never once been hacked - why is this - is it because it's paid? is it just more secure? would love to get some input on why wordpress seems to be the attacker's gold. - Allen Stern
@allenstern because it pays back better to have wp hacked - A. T.
Another devil - I have clients using Expression Engine for years (with plugins) and haven't had a problem either. Checking security sites, EE has had very few vs the many with WP and some with Drupal. Matts suggestion that one hosts with him to avoid problems and keep updated just isn't in the cards for business sites. Just too many vulnerabilities with WP over the years for me to recommend it. - PXLated
i can tell you that within 2 days of moving from drupal to wp, my sites were hacked - all of them - and it made me seriously question the move - the reasons i moved were because wp is a bit easier to edit/code than drupal and because the admin panel in wordpress is awesome compared to the crap panel in drupal - i wrote up a whole post about why i moved - i'd like to see matt write a post about their qa and security procedures for their releases - Allen Stern
Alen, once Drupal 7 get released, you may actually go back. :) - Nikolay Kolev
Robert - If I were you I'd move away from Wordpress and fast. Its security record is dire and has been for ages. Other solutions are a lot more stable, whereas Wordpress seems to have security bugs every second week. Why anyone puts up with it is really beyond me. I moved to MovableType and haven't had to worry about caching issues or security problems - Michele Neylon
#somethingpersonal WP calls you "technical evengelist", Robert. When you say «Yes, I didn’t have a backup. I should learn to do backups» I call you a mediawhore. Nothing TECH-NI-CAL, just bulled ego. Learn Security, Performance, Reliability, you ignorant piece. - our service is dope
Robert - "the reputation around the Net is that upgrades on Wordpress break things" I'm sorry but that's just not true, I use many many plugins across about 20 sites and I've only ever ONCE had a plugin break during a WP upgrade. - John O'Nolan
Definitely check if Google Reader has your lost posts - as of a few months ago, it didn't handle deletes very well :) - Michael Herf
This recent wave of WordPress incidents shows the negative side of using open source software. Matt says that there are many people looking into WordPress' source code, but the problem is that probably half of those people have malicious reasons for doing so. - Nikolay Kolev
@Matt - why not have a module that adds *automatic* upgrades? The one-click update feature is very nice, but zero clicks is better. With a decent snapshot/rollback system you could update most people securely right away--email them and let them rollback if something breaks. - Michael Herf
@robert: we might be able to help you recover the lost blog posts if you want. Google Reader has an archive of them and we helped another blogger in the past recover her losses. Let me know if we can help. - Edwin Khodabakchian
I run just a few plugins, and research and vet them first. And upgrade to new WP versions within a week. Look, attacks happen, running self-hosted can get complicated. But this is true with any software or OS - Bob Morris (polizeros) from iPhone
Nikolay, it's always better to have more people looking at the code, because a bug that's been found is better than a bug that hasn't. WordPress used to get almost no security problems and people thought it was because it was coded differently, when in fact it was coded far worse than it is today it just didn't have enough users to make it worthwhile to target. Also where many commercial or proprietary companies try to minimize information about their problems or sit on a fix for months so they can package a bunch into one update, we put everything out there doing a new release as soon as possible after a problem has been reported. - Matt Mullenweg
Nikolay: I would also push back against your assumption that using Open Source software equals less security. Microsoft Windows and OS X are both closed source and both have security holes - there is a competition each year to help MS and Apple find them and fix them. Both Apple and Microsoft came away with security holes to fix this year. So just because it's open source doesn't automatically make it more open to security holes. I agree with Matt and believe that have the source open to all makes fixing the holes much quicker. - Tim
that's what you get for the fun of installing and hosting your own installation, instead of using "the cloud". - Ihar Mahaniok
Robert - I recommend WP S3 Backups for backing up your database to off-site storage. Amazon S3 is a great place to host backups of your Wordpress database and is relatively inexpensive. You *always* want backups *off* the server so in case the server is compromised, the backups are still clean. This plugin works like a charm, is automatic and could have saved you. Cheers! - Scott Jarkoff
anybody know of a test that can be done to see if a wp blog has been compromised? Has a few strange user subscriptions about a week ago...but not noticing any thing else...I did upgrade weeks ago, but soon enough? - Richard Reeve
bug exploits keep security IT folks in their day job, sad but true. - Jim Posner
In IT it keeps me busy but the reality is if you update your software on a regular basis you can minimize these from affecting you. - Rob Cairns
Robert, any chance has some of your old blog posts? Google Cache? - drew olanoff
Matt, another thing to note is that is often blocked in China (even if you have your own custom URL like There are advantages to NOT being hosted by although your point about increased responsibilty for keeping up with security patches is still valid. - Elliott Ng
Drew: yeah, but what do I do? Just republish them? - Robert Scoble from iPhone
Sure why not. Scoble's best of. Reason why I hate stuff on the net sometimes is good stuff gets lost. - drew olanoff
Give a try to the "WordPress Database Backup" plugin for WordPress and you'll receive regular backups on your email - Francois Lamotte
Robert, You can get all of your lost blog post html out of Google Reader. I'm not exactly sure how to link Disqus back, maybe it's as simple as re-adding the old posts with the same title/date i.e. Url (I don't use it). Yet another reason to use FULL RSS feeds (instead of summary). See RSS isn't dead.. it's now a backup tool too! ( - Chris Myles
Wordpress is a great blogging tool. It is however the largest target now - much like how Windows gets a crap-top more virii because it's the most used system. Someone used Drupal as am example of security... well I'm sure if Drupal was anywhere near the scale of usage Wordpress is you'd see hacks for that too. - Gregory Wild-Smith
Robert: Just repost them with the dates set to the original dates they were posted. Simple, and no-one will ever know ;) - Gregory Wild-Smith
I have always had a bad feeling about Wordpress. YMMV. - Gordon Joly from twhirl
Robert It could be a Rackspace problem and Not a Wordpress Problem. They might to increase there security on the Rackspace!!! You should checck into that!! - Paul
One of the reasons I waited 2 years to switch from MovableType to WordPress was due to the security issues. I felt that the track record improved over the past year and moved 11 sites over. I can say this I employ a very extensive back up scheme but still worry about it. The ability to upgrade with a single click of a button has made it much easier to upgrade, but I always worry which plugins are going to break as I use a lot of plugins. - Todd Cochrane
hmm... I think that a lot of this conversation is missing something. Most software security updates are usually tested in hosts and thus delayed in their own releases by at the minimum of a week's time usually. This is due to hosting internal testing of patches before rolling it out to all servers. Now, whether or not RS actually performs these types of procedures, I don't know... but I haven't seen anything about the fact that corporate procedurals do actually delay software loads, especially on third party hosting. - Ben Hwang
First: I keep my blog up to date. Always. Fuck plugins, I decided that when I made the decision to use WP for my blog that updates would be a priority, only because of all the security issues that I remember from the early early days. Having said that, I have to agree with Robert that the perception with WordPress, despite all the work with auto-updates and in-blog notification is STILL that upgrades can break your site. How truthful that is for MOST users (TechCrunch like Mashable where I work is an atypically large WP site -- I can see how TC could have genuine upgrade issues), that's the perception. Until that perception changes, people willl still be afraid to upgrade. The WP community needs to address that because just screaming update doesn't assuage ingrained user fears or longstanding plugins will break message - no matter how false that might be for the average user. I said this exact same thing on WTC a few months back and the so-called "community" attacked me for daring to say there was a perception issue. - Christina Warren from iPod
I am spending the day finally making a back-up of my web space, then the upgrade. - Sebastian Keil
you are right to not feel safe: when you are on the dominant platform, holes get taken advantage of really fast. At least it being open source you know it will also get plugged fast - Iphigenie
"what do I do? Just republish them?" - Robert, you can set the published date to the original July or August date in the "new post" form. Where it says "publish immediately," click "edit". - John Craft
I couldn't disagree more that the reputation is that an upgrade will break a plugin. How many plugins reach into the Wordpress core and screw around with it? Less than 5%? Any examples of plugins that broke w/ 2.8.4? - beersage
Somebody hacked into my WordPress blog earlier this year as well. It was a bummer because I was working on a draft copy of a blog post that was very rough and had not been edited and they published it. I was on vacation shooting in Chicago and didn't figure it out until several hours after they'd already published it. Fortunately they didn't seem to do anything malicious other than publish that post and add spam to a bunch of my other posts. I tried to do the upgrade myself but it failed and wouldn't work after learning that the WordPress vulnerability may have been how I was hacked. I had to pay Aaron Brazell to do the upgrade for me because I couldn't figure it out. Of course I don't know how I was hacked. It could have been another way. They could have guessed my password for instance. I really love WordPress though and hope that my site stays secure going forward. It is sort of a paint though that upgrading doesn't work for me and it's not something that I can do myself. Upgrading ought to be easier. - Thomas Hawk
@Robert: "[Rackspace] are learning a lot about this and other people who have had problems and are building a list of best practices." Is it possible this list is something RS might share? - John House
@Matt Mullenweg: I do like WordPress (even though we had a public argument with you and another Automattic employee on TechCrunch a while ago) and I am a passionate supporter of open source software - don't get me wrong. But sometimes open source code makes it a bit easier for hackers! For example, one hacker hears about an exploit and without communicating with others, finds the hole independently by just looking into the source code and starts exploiting it on his own. - Nikolay Kolev
Gregory Wild-Smith Bingo! - Melanie Reed
Social Media Club blogs got hit as well as several of our personal blogs (still sorting it all out). We try to keep up on most upgrades, but every time we do, simple plugins (like the Event calendar) break. Seems silly, but we have hours of work after each upgrade to try and keep everything intact, and sometimes, we end up downgrading until the 'essential' plugins catch up, which defeats the purpose of trying to upgrade to ensure these security hacks do not happen. Sucks. Ideally, I would love to have Wordpress vet all plugins to ensure they upgrade when the blog upgrades. I would absolutely pay for that service - maybe a per plugin fee (a couple dollars per) as the time and money investment we spend to fix it afterward is far greater than an upfront 'maintenance' fee. Not sure how easy that would be for Wordpress to manage, but maybe each developer gets paid a flat fee to make sure their plugins are compatible on the day of the blog release. - Kristie Wells
I have 2 wordpress blogs. One on my own domain and one at wordpress central. Still can't get my head around their upgrade gymnastics - may just stick with eBlogger after all. - Houseofmax
i don't know what will happen in times to come but from the existing platforms, i love wordpress and i am not going anywhere, but that doesn't matter for wordpress right? ;) - testbeta
Robert, at the end of it is just only your bloody laziness in upgrading that led you here :) Jokes aside, please at least be honest and say you didn't upgradede twice... :p. - Matteo Flora
Nope. I upgraded to 2.8.4 as soon as it was out but the hackers had already broken in. - Robert Scoble from iPhone
The fact that WordPress is currently being exploited doesn't mean that other platforms are immune. For example, the recently discovered XSS issue with Ruby on Rails makes not only blogs, but every unpatched site a target. So, the only issue I'm having is forcing us to upgrade to a new major version without much time to do proper testing (I'm not talking about personal blogs here). I know that supporting 2+ versions would make WordPress contributors' life miserable, but we can all live with bugs not being applied to older versions. Security patches though should be released not only for the current version, but at least for the previous major one (i.e., 2.7.1). - Nikolay Kolev
So Techdirt was hacked a bit ago. See their reaction: it is the reality of owning a web site guys - ANY software is hackable if someone really wants in. - Adam Singer
@Robert: as I see it Wordpress is as vulnerable as any other web app. Upgrading does good, but preemptive security does more and better. I know Matt and he knows I'm in awe with him and Automattic but simply spoken I DON'T TRUST WORDPRESS as I don't trust any other software. A little WebApp Security Firewall (or at least a little .htaccess rules for admin and preemptive locking of STANDARD xss vector attacks like ">, UNION, ; SELECT and so on) make you reasonably safe from any _automated_ attack. It doesn't PROTECT you 100%, but there is NO such thing as a SECURE website. I can send you the rules we apply in thousands-of-viewers wordpress old installations if you want. But at the end of it Security is a Process, not a Product. And daily backup off-site, updated cheap secondary server "just in case" (with dns switching) and a little of Security Improvements are the very MINIMUM standard I expect from a so visited and incredibly popular website like yours. In case I'm here, loyal reader, former penetration tester and Security guy, to lend a hand. - Matteo Flora
i find it interesting, and depressing that people are blaming Rackspace, they're blaming Wordpress, they're blaming Robert, but no one, *no one* seems to be willing to blame the only, ONLY people who deserve blame: the evolutionary failures that attacked Robert's blog. - John C. Welch
Thanks to your post, I found backdoor Admin in my own blog (created yesterday apparently). Promptly deleted it, upgraded blog and took other measures, which I blogged about - Adi Rabinovich
@Matt Mullenweg: "so staying up to date is a must. - Matt Mullenweg" You gave the birth to one of the coolest piece of free software on the net, also your community is strong an love-full, you can do some PRs listening to Scoble that is crying, but you couldn't do anything better than you did. Take it easy man, all your competitors still suck. (PS. also a cleaning utility to understand better if everything is ok on our hosts would be cool ;-) - simone righini
Matt: What does a user need to provide, in order to be considered for a VIP account? - Jim Connolly
caveat operator - Mike Chelen
I would simply like to reiterate the point that if you're going to put free open source software on a rented web server, you need to either know how to administer it or hire someone to do it for you. Neither Rackspace or Wordpress are to blame here. We discuss this with our clients all the time who view web development as a one off expense, then get upset when their site is hacked because it wasn't maintained. - JP Maxwell
One more point, I think there are way too many false lines drawn over aras of responsibility - "I'm systems, not a PHP programmer. I'm a PHP programmer, not a Javascript person. I'm a designer, not a programmer or a systems person." If you are a WEB developer or responsible for maintaining hosted WEB applications, you need to know a bit about it all. It simply isn't sufficient to demarcate your knowledge sphere and point your finger at the other guy. - JP Maxwell