by abbott
4681 days ago
When I saw the headline, I immediately thought, "they must be using WordPress". WP is a giant exploitable target, and I've personally told Matt this. Automattic saw an opportunity long ago and started VaultPress for WP security. He argued it's not a WP problem, and I frankly disagree, but he obviously understands the situation better than anyone. WP is free, but security is not, because self-hosted WP is so exploitable. A launch for a client also went through the same problem in 2010, and that was after 5 years of managing other WP installs (including 2 VIP WP sites). I've seen it happen too many times for it not to be Automattic's problem to address, more so than they're doing now. Stay away from self-hosted WP unless your install is absolutely bulletproof, and cross-linking, especially to resource files from other WP sites, is the last thing you should ever do, because you do not control their security, which can directly affect yours, or at least your blacklist vulnerability due to associated content. Our office used to be above Automattic's in SF, and I love those guys and what Matt has done for the web, but with great power comes great responsibility.

WP probably gets a bit of a bad rap because the types of sites made with it often don't have the budget to bring in high-quality development. When you serve 20% of the web, and people choose you precisely because they can get cheap developers, there will be some problem sites out there running WP.
In this particular case, it seems to me that they would have been flagged if they had been running anything, Drupal or Jekyll or a static site: they had an external theme provider who referred to a domain in CSS comments that was listed by Google.
The problem seems to be the accuracy of Google's flagging, not WordPress.