
June 22, 2005

Bye bye, WordPress

Apparently, there is a WordPress exploit in the wild on the net. Some people have already started reporting missing databases and problems with their WP weblogs. Coupled with the fact that you need a day to update a WordPress installation, I'm finally dropping it for good and moving on.

The replacement, as you may have noticed, is Movable Type. I've been playing with MT for about two months at www.fotomagazin.ro, and I like it. It's CGI, so there is no more unsafe PHP scripting inside; it is flexible and easy to maintain.

Moving from WordPress to MovableType is not straightforward - just search on Google for "moving from WordPress to MovableType". You'll get several hundred links, but they are about how to move from MovableType to WordPress.

The solution is a script which exports the WordPress database in an MT-readable format. Then, you can use MT's import function to populate the weblog. Apparently, this worked well, but please excuse any glitches during the transition period.

There are some things about MovableType which could be improved, such as the aforementioned import function. A links section would also be nice. However, these missing features are a small price to pay for peace of mind and better security.

Posted by Costin Raiu at June 22, 2005 3:12 PM

Comments

Why is CGI significantly safer than PHP? Sure, a CGI script runs as a separate process (so the overhead is bigger), so even if malicious code takes control of the process it will not be able to attack the webserver software, but if behind the whole application is a MySQL DB then SQL injection will still be a threat. Am I wrong? :P

Posted by: Razvan Musaloiu-E. at June 22, 2005 7:56 PM

> Why is CGI significantly safer than PHP?

To be honest, I don't know. But IMHO, judging from experience, PHP is significantly less secure than CGI. Or, to be more precise, safe PHP programming is much harder to master. Or, PHP programmers, corrupted by the wonderful beauty of the language, its power and ease of use, are inherently less caring about the security issues. Pick the one you like most. :)

Of course, there are safe PHP scripts out there. I dare name one: CGAL. ;-)

But in the end, it's all in the mind of the programmer. I don't know why PHP programmers write less secure code.

Finally, you are right about the MySQL issue. However, MovableType, at least in my setup, doesn't use MySQL. :-)

Posted by: Costin Raiu at June 22, 2005 8:07 PM

Your MT doesn't use MySQL? I haven't tried it yet, but I thought MySQL was the only backend for MT. If this is not the case then I'm very interested in trying it! :-)

Posted by: Razvan Musaloiu-E. at June 23, 2005 5:28 AM

I also prefer CGI over PHP. PHP has some dangerous features whose security implications programmers don't understand, and also, generally, it runs with the same privileges as the webserver, so that a compromised PHP script may have rights to write to other users' areas. With CGI it's much easier to set up a different account to run only the CGI code.

Besides that, just quoting a famous security thinker: "...if you're running code on an internet-facing system that has a history of needing patches every week: you're running the wrong code."

Posted by: vinicius at June 23, 2005 6:41 AM

> Your MT doesn't use MySQL? I haven't tried it yet, but I thought MySQL was the only backend for MT

MySQL (or any other SQL database) is "recommended" in the MovableType installation guide, but is not mandatory:

http://www.sixapart.com/movabletype/docs/mtinstall.html

I'm now using MT with BerkeleyDB, which is the default setting, and it works quite well. It even has a fast search function, and I can easily archive the database without having to go to the MySQL backup panel; it's just backed up along with the rest of the site, through FTP, every night.

Feature-wise, MT is probably less powerful than WordPress. Security-wise, it's in another class.

Posted by: Costin Raiu at June 23, 2005 9:18 AM

old saying: same stuff, different p0wnage methods (Z. -=t_D=-)

Posted by: boyo at June 23, 2005 11:55 AM

Well, don't know about you, but for me, it only took 5 minutes to get my WordPress installation to the latest version. Downloaded the files, replaced them in my local folder, then just uploaded over the old ones.

Posted by: Stefan Tanase at June 23, 2005 9:00 PM

> Well, don't know about you, but for me, it only took 5 minutes

The inevitable WordPress fan. :-)

Posted by: Costin Raiu at June 24, 2005 9:16 AM
