Monday, May 30, 2011

You should stop using WordPress

It's not just WordPress, it's all Content Management Systems. A self-hosted CMS is a bad choice for a personal site or a small business. There are better choices than taking on the risks that come with using WordPress, Drupal, Joomla, and other CMSs.

What's Wrong With CMSs
Security. According to the Secunia Advisories Mailing List, in the past 2 months there have been 18 vulnerabilities related to WordPress, 10 for Joomla, and 9 for Drupal. A lot of them are in plug-ins or modules, but some are in the core product. If you host the CMS yourself, you will have to update it constantly.

You are probably thinking that's easy, there is this nice little button in the admin interface that allows me to upgrade with one click. That's bad, very bad! What that means is that your web site can update itself. Your web server has permission to write scripts in your document root. If there is a security vulnerability it can be used to upload a whole new site! In technical terms, the user running your web server, usually www-data or apache, should not have write permission on, or own, the files and directories that are used to serve pages. There are obvious exceptions, like a directory for image uploads, but those directories should have the script handlers for .php, .py, etc. turned off.
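An added audit script (my own example, not code from the post) that checks a document root for exactly the condition described above: paths the web-server user could write to, and script files sitting inside those writable directories. The docroot path and the web user name (www-data in the usage line) are assumptions.

```shell
#!/bin/sh
# Added audit script, not from the post. Reports paths under a document root
# that the web-server user could write to, and script files that live inside
# such writable directories. Docroot and user name are passed as arguments;
# the values in the usage line at the bottom are assumptions.

# Print every path under $1 that user $2 could write to: paths owned by that
# user (an owner can always grant itself write access), paths writable by the
# user's primary group, and world-writable paths.
web_writable_paths() {
  docroot=$1
  webuser=$2
  if ! id "$webuser" >/dev/null 2>&1; then
    echo "unknown user: $webuser" >&2
    return 2
  fi
  webgroup=$(id -gn "$webuser")
  find "$docroot" \( -user "$webuser" \
      -o \( -group "$webgroup" -perm -g=w \) \
      -o -perm -o=w \) -print | sort -u
}

# Print script files (.php, .phtml, .py, .pl, .cgi) that sit directly inside a
# directory the web user could write to. A writable directory that still has
# script handlers enabled is the upload-then-execute path the post describes,
# so anything listed here should either move or have its handlers turned off.
scripts_in_writable_dirs() {
  web_writable_paths "$1" "$2" | while IFS= read -r dir; do
    [ -d "$dir" ] || continue
    find "$dir" -maxdepth 1 -type f \( -name '*.php' -o -name '*.phtml' \
        -o -name '*.py' -o -name '*.pl' -o -name '*.cgi' \) -print
  done | sort -u
}

# Usage (assumed paths): sh audit-docroot.sh /var/www/html www-data
if [ $# -eq 2 ]; then
  echo "== paths under $1 writable by $2 =="
  web_writable_paths "$1" "$2"
  echo "== script files inside writable directories =="
  scripts_in_writable_dirs "$1" "$2"
fi
```

Run it as a user other than the web user; an empty first list is the goal, and the second list should only ever contain files you have deliberately placed in a directory whose handlers are disabled.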

Even if you only allow write access during the upgrade, or upgrade from a tar file, how do you know it will work? Have you tested the upgrade? Do you have a test environment with that custom module or theme? Most small businesses don't have the test infrastructure to test web site upgrades.

Why Would Anyone Hack My Little Site
You're not the CIA, no one wants your data. What they want is a place to advertise male enhancement drugs and push malware onto your users. They don't target you; no one is sitting there hacking your site. There are automated bots that crawl the web looking for vulnerable sites and use file upload or SQL injection exploits to post their illegal content on your site.

Some companies do have valuable data, and even if it is not stored on the web server, that data may be at risk. If someone does hack your site, how hard would it be for them to change the log-in page to email your password to them? The likelihood of someone in your company using the same password for the web site and their email is high. With access to an employee's email they can reset that employee's password for your source code version control, and then they steal the source code for that top secret project your company is working on. It sounds like paranoia, but that is how hacks really happen.

Why Are People Using WordPress
I think all the people running to WordPress and Drupal are reacting to large monolithic Flash sites and other sites where the business owner can't update content without paying the web developer to do it. I also think CMSs have become the new Dreamweaver, an easy way for people new to web design to get into it. Flash sites have always been a bad thing; I have to say I'd much rather have WordPress than Flash. But there are other options.

Are You Going To Create The Site In Custom PHP
STOP! Don't do it! It seems like a valid reaction to automatic exploits of open source content management systems, but it isn't, at least not for the average person. I recently looked into a developer who was using a custom PHP CMS. I went to the web developer's site and checked out a few reference customers. And guess what: every form of user input allowed SQL injection; the URL bar, the search box, the log-in page -- they all allowed me to type in SQL and have the database run it! If you don't know what an SQL injection is you should not be writing PHP or any other web language for that matter. That includes WordPress plug-ins and Drupal modules.

Pick a Hosted Platform
There are good reasons to have a site that is easy to update, like this blog. But you should not be responsible for keeping the blog software up to date. Blogger will host your site, at a domain you own, for free! WordPress.com (not the WordPress open source software) will host your site for a minimal fee. Tumblr and Posterous are free. I consider WordPress.com a much safer option than hosting your own WordPress install. The people at WordPress.com make WordPress, so it will always be up to date. They only allow a limited number of supported plug-ins, and let's face it, plug-ins written by Joe Blow are the biggest security problem.

Or Don't
Do you actually need a dynamically generated site? If you are like most small businesses you only need to update your site once or twice a year. If you are a little technical, and you have a good web designer, maybe they will do your site in something like Jekyll. It could even be hosted on Amazon S3.

What Else Is Out There
Is there a good hosted web site platform targeted at small businesses? There are Squarespace and Weebly for SMBs, and Behance ProSite targeted at creative professionals. Squarespace looks pretty awesome, and at $11-$13/month they seem way better than having to host your own site for $5+/month. Does anyone know of other good hosted platforms for business web sites?

I wish there were more CMSs that would publish to static HTML, while keeping all the dynamic scripts behind your firewall. MovableType can publish to static. It would be great if they had a little button that would commit a static site to a version control system like Git, which you could then push out to a public web server.