Re: Daring Fireball: Regarding WordPress and Security


Daring Fireball: Regarding WordPress and Security:

Is WordPress poorly-designed, security-wise? Is it just a matter of WordPress being phenomenally popular? Or is it both? I don’t know. The same argument continues to rage, 15 years after it started, regarding Microsoft Windows. WordPress has much to offer, starting with its large, generous, active developer community. But I can’t recall any widespread security attacks against Movable Type or Expression Engine, or against hosted services such as Squarespace, Posterous, Tumblr, or, yes, even (a hosted service, rather than software you host yourself).

First off, I call bullshit on the statement that Movable Type or Expression Engine have not been attacked by hackers. I know of several people that host/hosted those applications and were hacked in one form or another. As far as the attacks on those user-hosted sites being “widespread”? All I can say is the same thing I say about Windows vs. OS X viruses: there are far more WordPress sites to attack than there are sites running any other blogging application.

Now, I can’t speak for why Daring Fireball hasn’t been attacked more frequently than it has, assuming it has been attacked at least once. Mr. Gruber certainly posts articles that rub folks the wrong way at times. (The above quoted article comes to mind…)

As to the need for “constant vigilance” when running WordPress: if you run a weblog, no matter which blogging application you use, keeping it up to date is essential. Just as with operating systems, Windows or Mac, if you slack off on keeping the software up to date you run the risk of being hacked or getting a virus.

WordPress has always been extremely easy to keep up to date, even before the semi-automatic process that is in place now. I have run WordPress for many years, and upgrading to the latest version was never more complicated than uploading the latest files to my host and running the upgrade script. Five minutes (at most) later, I was up and running again.
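As an added example (not from the original post, and not WordPress's own code), here is a small Python check for the “am I up to date?” question: it reads the version string WordPress declares in wp-includes/version.php and compares it with the latest release offered by the core version-check endpoint (https://api.wordpress.org/core/version-check/1.7/). The version.php contents and the API response below are constructed samples so the script runs offline; the `offers[0].current` field name is an assumption about that endpoint, and `check_path` is a helper added here for running the same check against a real install.

```python
import json
import os
import re
import sys

# Constructed sample of wp-includes/version.php. WordPress declares its
# version with this assignment near the top of the file.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '2.8.3';

/**
 * Holds the WordPress DB revision
 */
$wp_db_version = 11548;
"""

# Constructed sample of the JSON returned by the core version-check API.
# Only the fields used here are included; the field names are an assumption
# about that endpoint's response shape.
SAMPLE_API_JSON = json.dumps({
    "offers": [
        {"response": "upgrade", "version": "2.8.4", "current": "2.8.4"},
    ],
})

# Anchored at line start so a comment mentioning $wp_version elsewhere in
# the file is not mistaken for the real assignment.
VERSION_RE = re.compile(r"^\$wp_version\s*=\s*'([^']+)'\s*;", re.MULTILINE)


def installed_version(version_php_text):
    """Return the version string declared in wp-includes/version.php."""
    match = VERSION_RE.search(version_php_text)
    if match is None:
        raise ValueError("no $wp_version assignment found in version.php")
    return match.group(1)


def latest_version(api_json_text):
    """Return the newest core version offered by the version-check API."""
    offers = json.loads(api_json_text).get("offers") or []
    if not offers:
        raise ValueError("version-check response contains no offers")
    # The first offer is the release the API recommends (assumption).
    return offers[0]["current"]


def version_key(version):
    """Sort key for WordPress version strings.

    '2.8' and '2.8.0' compare equal, and a pre-release such as '2.9-beta1'
    sorts before the '2.9' release it precedes.
    """
    release, _, prerelease = version.partition("-")
    numbers = [int(part) for part in release.split(".")]
    numbers += [0] * (3 - len(numbers))
    return (tuple(numbers), 0 if prerelease else 1, prerelease)


def check_install(version_php_text, api_json_text):
    """Compare an install's version with the latest release; flag if it lags."""
    installed = installed_version(version_php_text)
    latest = latest_version(api_json_text)
    return {
        "installed": installed,
        "latest": latest,
        "outdated": version_key(installed) < version_key(latest),
    }


def check_path(wp_root, api_json_text):
    """Run check_install against a real install rooted at wp_root (helper added here)."""
    path = os.path.join(wp_root, "wp-includes", "version.php")
    with open(path, encoding="utf-8") as fh:
        return check_install(fh.read(), api_json_text)


if __name__ == "__main__":
    # With a path argument, check a real install; the comparison still uses
    # the constructed API response unless you swap in a fetched one.
    if len(sys.argv) > 1:
        result = check_path(sys.argv[1], SAMPLE_API_JSON)
    else:
        result = check_install(SAMPLE_VERSION_PHP, SAMPLE_API_JSON)
    status = "OUTDATED" if result["outdated"] else "current"
    print(f"installed {result['installed']}, latest {result['latest']}: {status}")
```

Run it with no arguments to see the constructed 2.8.3 install flagged as outdated against the 2.8.4 offer, or pass the document root of a real install. The pre-release handling in `version_key` matters in practice: a site running a beta must not be reported as newer than the release it was a preview of.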

I have tried other blogging applications, like Movable Type and Expression Engine. My impression was that none of them were as easy to update as WordPress. In fact, I have made several attempts to “install” Movable Type over the last two years and have never been successful. The process is far more complicated than it should be, in my opinion.

So my sympathy goes out to the folks who have had their sites hacked or destroyed in this latest attack on WordPress installations. However, I don’t feel too sorry for them, since it takes just a few minutes out of anyone’s busy schedule to upgrade WordPress, no matter what version they were running before the latest one.