Jackie and Neal Nesting via HTML

29 May 2010

Hello World!

Jackie and I have wanted to start up a new blog that we could both use instead of two personal blogs. I took my blog down last year to start working on merging our blogs and then we got BUSY! Neither of us has had the time or energy to set one up since then. We both have multiple projects to work on at all times and the blogs and websites sat on the back burner. We are hoping to have this up and running ASAP. I am just learning WordPress so please bear with me. If you see any problems please let me know and I will try to fix them. Thanks!

Rating: 5.0/5 (3 votes cast)

Comments (15) Trackbacks (1)
  1. Testing

    Rating: -1 (from 1 vote)
  2. Congratulations on getting your web site up and running. Can’t wait to read your posts.

    Rating: +1 (from 1 vote)
  3. Yeah, glad you’re both back, miss your perspectives and comments. Been following for years. All the best

    Rating: +2 (from 2 votes)
  4. Eh, WordPress. You know you can still set up a Posterous on a custom domain, right?

    Rating: -1 (from 3 votes)
    • Having run a WordPress blog for years (and assuming you’re hosting it yourself), there are pretty much 2 things you need to know about running a WordPress blog:

      1. You have to update WordPress all the time.
      2. (related) WordPress has severe, deep-seated security issues; new attacks are found against it constantly and they patch them, but it doesn’t fix the poor foundation.

      I’ve abandoned my WordPress–philwelch.net is now running a Posterous, but it doesn’t have any content yet. Posterous seems to have more of what you want and use out of the box, so I’d recommend it. (You can even import all the content you already have here just by giving them the URL.)

      Rating: +2 (from 2 votes)
      • Thanks for the suggestions, but like Linux (or any highly used open source software in general), shouldn’t WordPress be updated so much by its user base that it will keep getting better and better? So far I am absolutely loving it. It is very user friendly and there are a ton of plug-ins in place. We are also going to be running a few other sites (not blogs) that we will need a lot of control over the site, layout, etc.

        Rating: 0 (from 0 votes)
        • WordPress would require a major redesign, not just security patches, to fix its security issues. At that point you might as well just write another blog engine. In addition, the wide user base just makes it a more worthwhile target. Open source isn’t a panacea–while it’s undoubtedly helpful and possibly necessary for truly secure software to be open source, it’s not at all sufficient. Linux is well designed from a security standpoint. WordPress is not.

          Posterous might not be as customizable as you’d like, but there’s a lot less headache in terms of keeping it updated and secure, as there is with most hosted services. There are other blogging engines as well, and most of them will import from each other.

          Rating: +1 (from 1 vote)
    • OMG, Phil, I just found your 2007 summary of my old blog:

      SUMMARY:

      Jacqueline: I want to be a development economist. Let’s plan for grad school!
      Blog fans: Yay, economics!
      Jacqueline: I’m not very good at math.
      Blog fans: Encouragement!
      Jacqueline: I graduated, and am going to live in Costa Rica for a year before going to grad school.
      Jacqueline: Fuck working! I can be self-employed and live in third world countries to cut my living expenses!
      Blog fans: If that’s what you want!
      Jacqueline: I’m in love!
      Blog fans: Good for you!
      Jacqueline: I left Terrence. Costa Rica depresses me.
      Blog fans: We still love you!
      Jacqueline: I’m in the Seattle area planning my next move. I want to be single.
      Jacqueline: No, really, I want to be single, and I’m so much better than you that you don’t have a chance anyway.
      Internet: Wow, what a bitch.
      Blog fans: Eh.
      Jacqueline: I’m in love!
      Blog fans: ???
      Jacqueline: It didn’t work out. I’m moving to Vegas. I want to be single. And a professional gambler. Working for a living still sucks.
      Blog fans: *resigned shrug*
      Jacqueline: I met a guy! He’s Christian!
      Blog fans: ???
      Jacqueline: I’m in love!
      Blog fans: …
      GK: People who work for a living are “donkeys”, and I enjoy taking their money away in poker games!
      Jim Morrison: Jacqueline’s blog fans are losers and should commit suicide!
      Blog fans: Wow, what a prick.
      Jacqueline: Stop doing that!
      Blog fans: …
      Jacqueline: I’m broke and getting a job. It doesn’t pay much and I work 80 hours a week. This rocks!
      GK: I’m proud of Jacqueline for working for a living.
      Jacqueline: I’m moving in! We’re getting a puppy! And a kitten!
      GK: She’s “staying with me”. We’re not getting a kitten.
      Blog fans: Um, economics?

      Rating: +1 (from 1 vote)
  5. So, when do the comment fights begin?

    carving fork()

    Rating: +1 (from 1 vote)
  6. Phil: What security issues? It’s a blog, and J&N know darn well what issues they’re worried about. Educate me, please, I’m about to build a WordPress website and want to be aware of what might come up… thanx!

    Rating: 0 (from 0 votes)
    • WordPress has a long history of security flaws, particularly ones where anonymous people can gain administrative access to your blog. They always patch them within a couple of days of the flaw being discovered, but there are several deep-seated design choices within WordPress which make it prone to these kinds of flaws.

      Rating: 0 (from 0 votes)
      • In the past, WordPress has had some security issues. However, I want to point out a couple of things to bring this all into perspective:

        a) WordPress has gotten better at being more security conscious. Better password management, salting, nonce, and stripping and escaping input have all gone a long way to bring the base level of security up.
        b) Not all vulnerabilities are WordPress/Automattic’s fault. Plugins create security issues too.
        c) Some issues blamed on WordPress are actually the fault of the hosting company and not related to WordPress at all
        d) I have yet to see a study that actually provides evidence that WordPress is indeed less secure than other open source blogging systems

        In other news: I’m pumped for this new blog!

        Rating: 0 (from 2 votes)
        • “a) WordPress has gotten better at being more security conscious. Better password management, salting, nonce, and stripping and escaping input have all gone a long way to bring the base level of security up.”

          Does WP still store anonymous commenters and admins in the same table, the fundamental mistake that creates these privilege escalation issues in the first place?

          “b) Not all vulnerabilities are WordPress/Automattic’s fault. Plugins create security issues too.”

          If your platform allows third party plugins to create security holes, your plugin platform itself is a security hole.

          One of the best security people I follow online (Thomas Ptacek) repeatedly warns people not to use WordPress. His reasons include:

          * It’s written in PHP, a platform on which “remote file inclusion” vulnerabilities — where attackers can source code to run on the server from MySpace — continue to be found. I hesitate to bring this up, since (for instance) the last public vBulletin flaw that would have cost you your site goes back to 2008.
          * It has an authentication design that uses the same database tables to track administrators who can run code on the site and anonymous Internet commenters.
          * It has a template language that allows graphic designers to write templates that run code on your server.
          * It hand-codes SQL statements largely out of concatenated queries.
          * It is internationalized but has no coherent strategy for dealing with character sets and input filtering, on which it relies heavily, resulting in relatively recent vulnerabilities enabled by for instance UTF-7 inputs.
          * It includes in the admin interface an editor for site templates that amounts to a remote login to the server, since, again, templates can run code.
          * It has a vibrant community of plugins implemented by people who know exactly enough PHP to get their code working, which means every one of these flaws is repeated for every plugin developer.

          http://news.ycombinator.com/item?id=1328261

          And the much more pithy: “There are unforced errors in WordPress. Every web application will have a cross-site scripting mistake. It takes a special one to have “anonymous commenter” -> “admin” privilege escalation, or executable style templates.”

          http://news.ycombinator.com/item?id=1328583

          I actually didn’t care much about WordPress before reading tptacek’s thoughts on it every so often–as a former WP user, I was only slightly annoyed at the mediocre usability and high rate of reinstallations. I only mentioned it here because, well, it is Jacqueline and insecure blogging platform + tendency to internet drama could lead to some gnarly 0day attacks the next time a major WP security hole is discovered.

          Rating: 0 (from 0 votes)
