WordPress “upgrades”

I have been a long-time WordPress user and not very happy with it from time to time, but sometimes you just have to accept certain things. Using WordPress is one of them, as it slowly became the industry standard for weblogs. It also became the standard for trouble, quick updates and hacked weblogs. As I have to live with it, it was time to take a closer look at WordPress.

WordPress has a lot of coding errors, and that is something that can’t be fixed overnight, but what can be solved is the ability to install additional code. While it sounds like a smart move to offer users a way to upgrade WordPress with one click in their browser, or to install new plugins or themes, it is also a hazard. If a web server is allowed to update the application it is running without any trouble, then anyone who can trick the application into writing code to disk and executing it can also host anything he or she wants. A lot of phishing and spam sites use this trick to host their code in some directory of a broken plugin. And the PHP interpreter is always happy to execute any PHP code it finds; this is a major flaw.

For Debian Squeeze there is a backport of WordPress 3.3.2, which matched the version I was already running. So installing the packages and switching the web server’s document root to the one supplied by the packages resolved the first issue. Now only the user root can modify the WordPress installation, which also includes all plugins and themes for WordPress. The base of WordPress has now been secured, as remote users can’t modify or install any code. Right? Both yes and no, as people are still able to upload content for WordPress, and this is something for further review. Ideally the content would be hosted in an image gallery, for example, but it is a risk to accept for now.
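
One way to check both points above on a running system, as an added example that is not part of the original post: it lists anything in the code tree that is not owned by the given owner (root on the packaged install) or is writable by group or other, and any PHP file sitting in the upload directory. The function names, the constructed sample tree and the `wp-content/uploads` default are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# audit_docroot DOCROOT OWNER [UPLOADS_SUBDIR]
# Prints one finding per line:
#   WRITABLE <path>        outside uploads: not owned by OWNER, or
#                          writable by group or other
#   PHP-IN-UPLOADS <path>  a .php file inside the upload directory
audit_docroot() {
    docroot=$1
    owner=$2
    uploads=${3:-wp-content/uploads}   # assumed WordPress default location

    # Code tree: everything except the upload directory. Symlinks are
    # skipped because their own mode bits are always rwxrwxrwx.
    find "$docroot" -path "$docroot/$uploads" -prune -o \
        ! -type l \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print |
        sed 's/^/WRITABLE /'

    # Upload directory: it has to stay writable, so look for code instead.
    if [ -d "$docroot/$uploads" ]; then
        find "$docroot/$uploads" -type f -iname '*.php' -print |
            sed 's/^/PHP-IN-UPLOADS /'
    fi
}

# make_sample_tree DIR: constructed sample layout for trying the audit.
make_sample_tree() {
    ( umask 022
      mkdir -p "$1/wp-content/plugins/demo" "$1/wp-content/uploads/2012"
      echo '<?php // core' > "$1/index.php"
      echo '<?php // plugin' > "$1/wp-content/plugins/demo/demo.php"
      echo 'image data' > "$1/wp-content/uploads/2012/photo.jpg"
      echo '<?php // dropped' > "$1/wp-content/uploads/2012/photo.php"
      chmod 666 "$1/wp-content/plugins/demo/demo.php" )
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    audit_docroot "$tmp" "$(id -u)"   # sample files belong to the caller
    rm -rf "$tmp"
fi
```

On the packaged setup the owner argument would be `root`; an empty result means the code tree is read-only for everyone else and the upload directory holds no PHP files.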

Switching to packages also showed something else, as most WordPress users just install plugins and themes by using the web interface. As only root can install new plugins and themes, this reduces the choice people have to what the system administrator puts in a package and installs. Sadly enough, no script currently exists for building packages from plugin/theme files. From a quick look it appears that this isn’t an issue for themes, but it appears to be an issue for plugins, as some developers include an extract from PHP Pear to make sure the plugin always works.

So in the coming week I have to spend some time creating packages and doing some coding to make the packages work with system-provided and updated PHP Pear code. But I still wonder why people write plugins and just copy code to make it “work”. I also wonder how many plugins have outdated code with some funny features, or is that something I don’t want to know?