Wordpress blogs hacked : Law firms need to consider Wordpress support costs

After Wordpress came under attack by hackers over the weekend, well-known blogger Robert Scoble reported last evening that he no longer feels safe with Wordpress:

A few weeks ago some hackers broke into my blog here (this was before 2.8.4 was released). At first I thought they just left some porn sites in a couple of blog entries. So we upgraded Wordpress (I was on 2.7x back then). Deleted a fake admin account. Deleted the porn sites. And thought we had solved the problem. We didn't.

They broke back in, but this time they did a lot more damage. They deleted about two months of my blog. Yes, I didn't have a backup. I should learn to do backups (we're doing them now). Life has a way of beating you if you don't have backups.

Anyway, this time they also put some malicious code on my archive pages. Google sent me an email saying they had removed my blog from its index. That got a whole team to look into how they broke in. Now thanks to TechCrunch and Mashable you know there was a vulnerability in Wordpress which let them break in. Even more good details on Lorelle's blog.

Turns out that if you ran your blog at Wordpress.com (where Wordpress hosts the blog for you), you were probably safe from attack, because Wordpress keeps that hosted software regularly updated to prevent such attacks.

However, a lot of publishers, including a lot of law firms, do not host their Wordpress blogs at Wordpress.com. They want more control and features on their blog than Wordpress.com may offer, so they host their blogs on their own servers at co-location facilities or have service providers host them on the service provider's servers. In that case, the timely updates that would have prevented a major hack like this may not have been applied.

And it's not as easy as just keeping up with every Wordpress update (which can come quite regularly) and making the upgrades. It's possible a Wordpress upgrade won't work on your blog or, worse yet, that the upgrade will cause other parts of your blog to fail.

As discussed in Scoble's Friendfeed comments, lots of Wordpress blog publishers, including law firms and firms hosting blogs for law firms, use plugins to add various features to their blog. Wordpress upgrades are not necessarily tested on blogs running such plugins. So those running Wordpress blogs anywhere other than Wordpress.com cannot simply install an upgrade when it comes out: the upgrade must be tested, and the bugs that often surface must be fixed.
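The upkeep described above (knowing whether a self-hosted install is still behind the patched release, and taking a backup before touching it) as an added shell example; this is not code from the post or from LexBlog. It assumes the stock wp-includes/version.php and wp-config.php layout, treats 2.8.4 (the release the post names) as the minimum, and builds a constructed sample install so it runs offline.

```shell
#!/bin/sh
# Added example (not from the post or LexBlog): pre-upgrade checks for a self-hosted
# WordPress install. 2.8.4, the release the post names, is the assumed minimum.
MIN_VERSION="2.8.4"
# Read $wp_version from wp-includes/version.php (a line like: $wp_version = '2.7.1';).
wp_installed_version() {
    [ -f "$1/wp-includes/version.php" ] || return 2
    sed -n "s/^\$wp_version *= *'\([^']*\)'.*/\1/p" "$1/wp-includes/version.php"
}
# Succeed (0) when version $1 is older than $2. Fields are compared numerically, so
# 2.10 is newer than 2.8.4 and a loose "2.7x" (as written in the post) counts as 2.7.
version_older_than() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}
# 0 = install at $1 is at or above MIN_VERSION, 1 = outdated, 2 = not a WordPress dir.
wp_check_version() {
    v=$(wp_installed_version "$1") || { echo "no WordPress found at $1" >&2; return 2; }
    if version_older_than "$v" "$MIN_VERSION"; then
        echo "OUTDATED: $1 runs WordPress $v, below $MIN_VERSION"; return 1
    fi
    echo "OK: $1 runs WordPress $v"
}
# Files + database backup of install $1 into directory $2 (the step Scoble skipped).
# DB name comes from wp-config.php; mysqldump is assumed to read its credentials from
# ~/.my.cnf. Without the database dump this is not a usable backup, so fail loudly.
wp_backup() {
    stamp=$(date +%Y%m%d-%H%M%S)
    tar -cf "$2/wp-files-$stamp.tar" -C "$1" . || return 1
    db=$(sed -n "s/^define( *'DB_NAME', *'\([^']*\)'.*/\1/p" "$1/wp-config.php")
    command -v mysqldump >/dev/null 2>&1 || { echo "mysqldump missing: '$db' NOT dumped" >&2; return 1; }
    mysqldump "$db" > "$2/wp-db-$stamp.sql"
}
# Constructed sample install at version $1, so the checks can be run offline.
make_sample_install() {
    d=$(mktemp -d); mkdir -p "$d/wp-includes"
    printf "<?php\n\$wp_version = '%s';\n" "$1" > "$d/wp-includes/version.php"
    printf "<?php\ndefine('DB_NAME', 'lawblog');\n" > "$d/wp-config.php"
    echo "$d"
}
# Demo: a blog still on the 2.7 line is flagged; back it up before any upgrade attempt.
site=$(make_sample_install 2.7.1); store=$(mktemp -d)
wp_check_version "$site" || wp_backup "$site" "$store" || echo "fix the backup before upgrading"
```

Run it against a real install by replacing the constructed directory with the blog's document root and a backup directory outside it; a version below the minimum or a missing database dump should stop the upgrade, not just print a line.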

Wordpress is good blog software and may be the most widely used. The fact that it's Open Source has allowed it to make major advances and develop quite a following. But with mass use and open development, it can be susceptible to hacking like this.

For law firms running their blogs, it's not as easy as just downloading blog software and being up and running. In addition, when outsourcing your blog hosting, having a solution provider whose business is blogging is a plus.

Bottom line: when you are considering the cost of Wordpress (free) and of all the plugins built on Wordpress for blog features, you also need to consider the cost of the support you will need.

Comments (9)
Jim Halberg - September 6, 2009 11:07 AM

+1 for outsourcing (software) when you aren't the expert and it's not worth the money to become one. (aka SaaS)

Google Consultant - September 7, 2009 3:28 AM

There's a whole lot more to blogging than writing. One benefit of the recent attacks is that a whole new slew of people have had to face up to this. A more secure internet is a better internet IMHO, but you do have to make some sacrifices to achieve that. Do you really need the latest plugged-in bell and whistle to make your blog look Kewl? Or do people come to you repeatedly because of the quality of your writing? If it's the latter then with effort you should be able to maintain a reasonably secure blogging environment. Still got to do your housework though! I use a plugin that allows me to automatically email a B/U to my inbox on a scheduled basis, and if it stopped working after an upgrade I'd be manually backing up every time I blogged till it did. I know it's time-consuming - so is commenting like this :-) - but really, a stitch in time does save nine. Blogging's about a lot more than writing.

BB

Google Consultant - September 7, 2009 3:32 AM

Hey I just found this, knew I had it somewhere...

http://wordpress.org/development/2009/09/keep-wordpress-secure/

HTH

BB

Bryan - After5PC - September 7, 2009 10:12 AM

I'm glad I wasn't affected. I always upgrade my wordpress-based sites to the latest version whenever they become available. I understand this may not be always possible, especially when you have custom work or plugins that may not be compatible with the latest version.

It's a risk you take.

Ted Wallace - September 8, 2009 1:05 PM

WordPress makes the backup and update processes pretty simple. Of all people, Robert Scoble should be able to perform these beginner blogger tasks.

I don't know that this example necessarily implies that a law firm needs extra support for its WordPress blog. It's more of a heads-up to the admin of the firm's blog to do their job as admin and backup/update.

Geoffrey - September 8, 2009 6:12 PM

Hi Kevin,

While I understand the point you are trying to make about outsourcing blogging hosting in order to cut down on IT support costs of your blog, it is rather bad taste to imply that the problem is with wordpress.

Recent versions of Wordpress have featured the much touted one-click-upgrade to update to new versions to fix security patches and even major new releases with a touch of a button. Plugin installation and upgrades have gotten easy as well, you can search for new plugins from within the administrative console, and install them with a click, you can also upgrade plugins that have had new releases with single clicks of "upgrade" links from the plugins page.

Your much beloved Movable Type is much more difficult to upgrade. Every upgrade has to be done painstakingly, and unlike Wordpress, you simply can't upgrade between major releases without guaranteeing that something will be broken.

The Templating engine changed so drastically between MT3 and MT4, that most people who use MT3 have simply stuck with it.

Sixapart no longer supports MT3 despite the fact that a large number of security vulnerabilities have come out for MT3 and a large install base of MT3 users simply can't upgrade without substantial time commitments to rewrite templates in a new format, not to mention learn a completely different admin interface.

This has led to a vast number of older MT3 blogs being hacked due to their security vulnerabilities, and unlike Wordpress, if you are hacked on your MT3 blog, you may be out-of-luck when it comes to fixing it, as their choices are hunt for the vulnerability and patch it, or upgrade to MT4 and break your templates, and urls.

What's more, plugins for Movable Type are far less often updated, and if they introduce a security vulnerability themselves, you may be waiting a long time for the new release (perhaps forever, as the developer of that plugin has moved on), and plugins for MT are much more version specific than Wordpress ones. While some wordpress plugins may break in upgrades, the popular plugins are generally much more heavily maintained.

Anyway I've rambled enough, I just felt that your blanket statement "Law firms need to consider Wordpress support costs" should really be re-written "Law firms need to consider blogging platform support costs" as it's not something that should be labeled as a Wordpress problem, it's a problem with any widely used software, especially ones that use web based frontends.

Kevin OKeefe - September 9, 2009 10:48 AM

Geoffrey, I was hoping to avoid the wordpress vs MT as a religion discussion. Just talking about one or the other unfortunately seems to bring this out of folks.

We use MT and have modified it a good deal for ease of use for lawyers and other reasons. It works great for us. Other people use wordpress and it works great for them. Calling it my beloved MT is unfair.

All I am pointing out, and I am not blaming wordpress, is that here's a situation you can get yourselves into that can be avoided by being smart, having some tech aptitude, and staying up to speed with updates etc. Doing those things is more than some people in the legal profession are capable of, and just like paying a mechanic to work on their car, they may be paying a tech person to deal with these matters. That's it.

James Greenier - September 15, 2009 12:40 PM

This is a very good article about using "freeware" blogging software. Updates are not that easy to accomplish but it is an absolute must. Keep in mind all web related software is vulnerable to attacks. FaceBook apps, iphone apps, and general web virus are out there. I would tell people to keep things in perspective. There are viruses out there that can attack your PC or Mac at all times of the day, but we don't stop using them. Also, most anti-virus software doesn't even work. My point is, never make the exception the rule. Just be smart about staying on top of your updates with all your technology.

Bob - February 7, 2010 11:17 AM

Geoffrey's points are valid, especially since your title reads, "Law firms need to consider Wordpress support costs".

This is true of ANY web site platform. Anything can be hacked. Scoble is a target because of who he is, not because he used WordPress.

This would have seemed less like an attack on WP if you had warned about the ability of being hacked on any platform.
