WordPress users need an upgrade to a fairly new version (2.8.3 or newer) to fix a security hole that was recently discovered. That bit of news has been dispensed via various outlets including Twitter. John Gruber, a smart and interesting tech blogger, seems to be thoroughly enjoying this business, from what I can tell. This is not the first time he has opined on WordPress, but despite what seems to be poorly concealed glee (the man has made three comments — and counting — thus far), I think he is almost as equally wrong this time around as well.

First some background:

As per my reading of Matt Mullenweg (the primary creator of the WordPress platform) this exploit is possible if:

• You failed to upgrade WordPress for two releases (i.e., both 2.8.3 and 2.8.4 do not include this susceptibility)
• and you have registrations enabled for your blog (how many self-hosted blogs do that? I do not know)

Gruber’s basic argument seems to be this:

1. If you run a self-hosted WordPress blog and ignore updates, you can get hacked.
2. This is the equivalent of “finding your home burgled and your valuables missing”.
3. He (Gruber) does not know if WordPress is poorly designed (“security-wise”).
4. However, whether it is poorly designed is a question that is similar to the one that “continues to rage” (for “15 years”) about Microsoft Windows.
5. Gruber can’t recall any widespread security attacks against Movable Type, Posterous or Tumblr.
6. Gruber doesn’t update his MT installation but he hasn’t got hacked.
7. Therefore “the situation with WordPress is different, and clearly more dangerous, than it is on other platforms”.

In consecutive breaths, Gruber first ponders:

I have to wonder when WordPress users will start switching to some other platform.

and then disclaims:

Nor am I attempting to persuade anyone to switch from WordPress to Movable Type.

Let us take him at his word, the second one that is (i.e., he is not interested in persuading anyone to switch), and look at the argument he offers. He starts out with a truism in computer security: all software has bugs, and if you run some software that is reachable via the Interwebs, you can get hacked, especially if you don’t update the software with fixes for such bugs. If you didn’t realise that and decided to run a WordPress blog anyway, then like Gruber I would distance myself from “blaming the victim”, but I would still wonder what else you may have expected.

What you should expect, if I am following Gruber’s argument, is that if one platform (MovableType) has not suffered any “widespread” attacks in one individual’s (Gruber’s) memory, while another (WordPress) just suffered one, then that information recalled from memory “clearly” makes the second platform (WordPress) more “different” and “dangerous”. Even if we do not know if there is anything about the second platform that makes it poorly-designed security-wise.  Or in his other words, this one reported vulnerability in a version of a software two releases old is the equivalent of 15 years of [raging debate on] Windows security (or lack of it).

I am afraid that what is unfortunately made obvious by this line of argument is only that John Gruber runs an outdated version of Movable Type (that he does not care to upgrade) because he thinks, though he does not necessarily know, that it is a safe[r] platform. Which in turn leaves one hoping that he will not be in the unenviable position of blaming the victim, himself, some time in the near future. As I wrote at the top, Gruber is smarter than that… or will be once the 15 minutes of schadenfreude wears off.

Some smaller clarifications: As long as you or your hosting provider perform[s] backups, this exploit (if it occurs) does not mean that you have lost your blog content. Without doubt, restoring that content can be a painful affair, but it’s a lot easier and reliable than contacting the police to recover your belongings.

Oh and Movable Type? Here’s just what one random Googling produced (author: distler):

Remember insecure formmail scripts? How very 1990s, eh?

As if comment spam were not bad enough, MovableType includes, in its default installation, a CGI script called mt-send-entry.cgi which — you guessed it! — can be used to send email anonymously to anyone in the world.

And, no, this is not a merely theoretical issue; it’s being actively exploited by spammers.

Want more?

• http://securepoint.com/lists/html/bugtraq/2007-01/msg00603.html
• http://secunia.com/advisories/16899/

All these demonstrate is (not that these are the same vulnerabilities discovered in WordPress but) that software is by nature insecure. And all that rot that we all know quite well.