Nick Garner's Blog

SEO | Online PR | Marketing | Social Media

Smackdown. WordPress loses for enterprise

March 17th, 2010 · 4 Comments

Smackdown: WordPress loser on security

I’m such a fan of WordPress that I’m speaking at the 2010 UK WordCamp, and I’ve met Matt Mullenweg (founder of WordPress, whom I found inspirational). In fact I advocate WP nearly whenever I can for small / medium sites.

Where WordPress is great is flexibility and a massive community, so there are tons of great add-ons.

But where I work, we are obsessed with security, and because WordPress is moving so fast, every change to the CMS means a security review and every change to a plugin means another minor review. That’s fine, except it’s lots of reviews and so lots of time spent rubber-stamping.

The other BIG issue is the security gap between WordPress and MT; the article explains it in more detail. I don’t have up-to-date info on WordPress security holes, but I imagine it has improved a lot over the last 2 years.

Wordpress V MT security

Another reason I’m not a fan of WordPress for enterprise blog / news publishing is that MT can handle hundreds of users across hundreds of blogs in a single instance of the CMS. Of course you can say that WordPress MU will do it, but from what I can understand, it’s a whole world of complexity and hacking to make it work well. For instance, things like extensive role management are native in MT; in WordPress the role manager is a third-party add-on.

Movable Type, as you may know, renders static files with a few dynamic elements. In other words you get a server full of flat HTML files that don’t need a database to render them. WordPress, of course, is for the most part dynamically rendered.

This is important because it’s nearly impossible to mount a cross-site scripting attack against Movable Type. This is demonstrated by their security record. More secure = happier “powers that be”.
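To make the static-versus-dynamic point concrete, here is an added example (Python written for this page, not Movable Type’s or WordPress’s own code). It publishes a constructed sample post, including an untrusted comment, to flat HTML files at publish time, then serves the same post two ways: straight from the file, where the request’s query string is never consulted, and through a dynamic handler that echoes a search term back. The names `publish_static`, `serve_static`, `serve_dynamic` and the sample content are assumptions of this example. It also shows the caveat a practitioner would want: static rendering removes the request-time reflection point, but stored content such as comments still has to be escaped when the page is built.

```python
import html
import os
import tempfile
from dataclasses import dataclass


@dataclass
class Post:
    slug: str
    title: str
    body: str
    comments: list


# Constructed sample content: a post by a trusted author plus one comment
# submitted by an untrusted visitor that carries markup which must not
# survive as live HTML.
SAMPLE_POSTS = [
    Post(
        slug="smackdown",
        title="Smackdown: WordPress vs MT",
        body="Static rendering shrinks the request-time attack surface.",
        comments=["Nice post <script>alert('c')</script>"],
    )
]


def render_post(post: Post) -> str:
    """Render a post to HTML, escaping every field that came from a person.

    Escaping happens once, at publish time, so the written file is safe to
    serve as-is with no database or template engine in the request path.
    """
    comments_html = "\n".join(
        f"<li>{html.escape(c, quote=True)}</li>" for c in post.comments
    )
    return (
        "<!doctype html>\n"
        f"<title>{html.escape(post.title, quote=True)}</title>\n"
        f"<h1>{html.escape(post.title, quote=True)}</h1>\n"
        f"<p>{html.escape(post.body, quote=True)}</p>\n"
        f"<ul>\n{comments_html}\n</ul>\n"
    )


def publish_static(posts, out_dir: str) -> dict:
    """Write one flat HTML file per post (the Movable Type style of deployment)."""
    written = {}
    for post in posts:
        path = os.path.join(out_dir, f"{post.slug}.html")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(render_post(post))
        written[post.slug] = path
    return written


def serve_static(out_dir: str, slug: str, query: dict) -> str:
    """Serve a published page. The query string is deliberately unused: with
    pre-rendered files there is nothing request-supplied to reflect."""
    safe_slug = os.path.basename(slug)  # no path components from the request
    with open(os.path.join(out_dir, f"{safe_slug}.html"), encoding="utf-8") as fh:
        return fh.read()


def serve_dynamic(posts, slug: str, query: dict) -> str:
    """Dynamic-render equivalent that echoes a search term. It is safe only
    because this template escapes at request time; every template, on every
    upgrade, has to keep doing so."""
    term = query.get("q", "")
    post = next(p for p in posts if p.slug == slug)
    notice = f"<p>Results for {html.escape(term, quote=True)}</p>\n" if term else ""
    return notice + render_post(post)


def reflects(page: str, value: str) -> bool:
    """True if the value reaches the page at all, escaped or not."""
    return value in page or html.escape(value, quote=True) in page


def is_neutralized(page: str, payload: str) -> bool:
    """Publish-time check: payload present only in its escaped form."""
    return payload not in page and html.escape(payload, quote=True) in page


def run_demo() -> dict:
    """Publish the sample post to a temp dir and probe both serving models."""
    out_dir = tempfile.mkdtemp()
    publish_static(SAMPLE_POSTS, out_dir)
    probe = "<script>alert('q')</script>"  # constructed request-time probe
    stored = SAMPLE_POSTS[0].comments[0]
    static_page = serve_static(out_dir, "smackdown", {"q": probe})
    dynamic_page = serve_dynamic(SAMPLE_POSTS, "smackdown", {"q": probe})
    return {
        "static_reflects_query": reflects(static_page, probe),
        "static_comment_neutralized": is_neutralized(static_page, stored),
        "dynamic_reflects_query": reflects(dynamic_page, probe),
        "dynamic_query_neutralized": is_neutralized(dynamic_page, probe),
        "dynamic_comment_neutralized": is_neutralized(dynamic_page, stored),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The static page never reflects the query at all, which is the property the post above credits to Movable Type; the dynamic page reflects it but only in escaped form. Both pages depend on the stored comment having been escaped when the file was built, so a static architecture narrows the review surface rather than removing it.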

WordPress gets upgraded about 3 times more frequently than MT, and if you don’t upgrade, you are likely to get hacked. Upgrade = security review, because it’s new. And on it goes.

So there you go: I still love WordPress, but for BIG multi-user, multi-blog sites I’m waiting for a little more maturity.

Related posts:

  1. Installing Movable type on a windows XP PC with Xaamp xampp
  2. WordPress Plugins and SEO how to
  3. WordPress as a CMS. Example: Rentpiemonte.com
  4. Robots.txt and duplicate content in wordpress
  5. WordPress duplicate content fix

Tags: Wordpress

4 responses so far

  • 1 Carl // Mar 17, 2010 at

    Hi Nick,

    I remember speaking with you which must be over a year ago now and you mentioned all of the above.

    I plan to take a look at MT over the next few weeks as more to do with learning what else is out there, but want to compare with wordpress.

    I agree; I have found WordPress very hard to scale, and a few of my bigger projects I have had to move from WordPress to custom sites.

    I have a lot of blogs and I have yet to automate plugin updates and WordPress upgrades, therefore I have to log in to every blog – time consuming and time wasted.

  • 2 David Coveney // Mar 17, 2010 at

    Nick, whilst I agree to some extent with your points, I have to suggest that there’s a few things worth considering:

    1. The coming WP 3.0 addresses some of the MU complexity issues – it really does work.
    2. It’s possible to harden WP versions and installations adequately in order to protect the implementation. You also have to consider the nature of the vulnerabilities – not all are critical to a given installation.
    3. From within an enterprise, eg for Intranets, attacks on WP are very limited and there is less of a need to consider the four monthly upgrade cycle.
    4. It’s possible to back-port a lot of the fixes. As our Enterprise client base grows we’re looking at offering this as a service, but there’s complexity in managing this that needs to be addressed but we feel we have answers.

    What WP needs is a company with an Enterprise focus that can contribute the requirements of Enterprise into the system and/or maintain a fork that fits better. We are that kind of company, but until recently there wasn’t enough interest to justify the expenditure. However, interest has improved dramatically since late 2009 and as a consequence we have plans that will help to make WP something that is far more attractive to the large companies both from an Extranet and an Intranet perspective.

    2010 is, I feel, going to be the year where WP starts to hit the Enterprise sweet spot.

  • 3 Nick Garner // Mar 23, 2010 at

    You know Dave – I really hope so. I look at what I can achieve with WP in dev output relative to MT and it’s way ahead.
    It’s just I get slammed by security when I talk about WP. In fact a few months ago I mentioned WP as a vehicle to run one of our sites on – they laughed at me and for about 3 weeks afterwards when my name was mentioned, it was followed by… yes, the guy who suggested WP :-(

    It’s a big business culture thing I suppose.

  • 4 Dave Mee // Apr 14, 2010 at

    Hey Nick! Interesting article, and some interesting points you raise.
    As a former (paying!) blogger user, who adopted MT before WP became stable enough to use, I can’t take MT seriously. I know a large public broadcaster who uses MT – but only because they’re a Perl shop and don’t use PHP. But they constantly fight implementation issues, are several versions behind, and exactly as you say – have a huge team testing updates and checks every time a vulnerability is raised.

    Ultimately, the reach and low cost of WP will win out – see also Apache – and the slog of getting there will ease up. And of course, using SuperCache is the only real way to deploy WP – at which point you’re effectively using the same architectural approach as MT.

    Thanks for sharing your thoughts, Nick, and to everyone who’s chipped in – particularly the insightful note from Dave.
