Is Movable Type among the most secure PHP blogs? How secure are the various PHP blog applications?
Basically I'm trying to find a blog for a website, and security is the highest priority in our case. We don't need any features that I would imagine are special. WordPress was our first idea, but its reputation precedes it, and though it may have cleaned up its act lately, I'm not seeing much solid evidence.
I get the impression that Movable Type (at least the Perl version) has a much better reputation for security than WordPress (historically at least). I'm not sure I want to take a chance with WordPress at this point, but is there some objective source I can go to to back up (or counter) the notion that MT is at least among the best? Secunia doesn't recommend using their stats for comparisons, and securityfocus.com doesn't have stats at all that I can see. Searching here web.nvd.nist.gov makes MT look way better than WP (at least in 2007), but this site was referenced by MT's own page boasting about their security, so I don't know how relevant it is or how seriously people take it.
Any suggestions on sites where I could/should make a somewhat objective comparison?
4 Comments
Is Movable Type among the most secure blogging platforms? I doubt it.
NIST's National Vulnerabilities Database shows the following number of vulnerabilities for WP versus MT between 2009 and 2012:
year MT WP
2009 10 3
2010 5 0
2011 2 1
2012 1 0
Though, to be fair, Secunia shows a very different picture:
year MT WP
2010 3+ 3
2011 3++ 5++
2012 0 1
(Each plus mark (+) represents 1 moderately critical vulnerability. All others are rated as "not critical" or "minimally critical".)
Now, I included the 2009 data from NVD because you mentioned the state of things in 2007. But really anything prior to 2010 is irrelevant since that's when the current major version of each CMS was released. In 2007 people were still using WordPress 2.2/2.3, which is about 9-10 releases ago. And WP3 is also a much better CMS than WP2.
The data I was able to find tells me that, currently, Movable Type is only marginally more secure than WordPress if at all. NVD depicts WP as being far more secure, whereas Secunia tells a much different story, with WordPress having 33% more reported vulnerabilities (though WordPress only has 2 moderately critical vulnerabilities to Movable Type's 3) and 1 unpatched non-critical vulnerability to Movable Type's 0 unpatched vulnerabilities.
That said, WordPress is much, much more popular than Movable Type. As a result, there are far more hackers and script kiddies targeting WordPress sites than Movable Type. And while this is a form of security through obscurity, it does have a practical effect in real life.
Of course, there are also more whitehat hackers and developers scrutinizing WP's code and trying to seek out and patch vulnerabilities before blackhats can get a chance to exploit them, so if you keep your software up to date, there shouldn't be any appreciable difference between running WP and MT.
Another option, especially for the less technical-minded (or techies who'd rather keep their hands free for other things), is to go with a hosted SaaS solution. Squarespace, WordPress.com, Blogger, and similar hosted CMS providers will not only free you from having to worry about patching your software, but, at least the paid ones, have SLA agreements that ensure that, even if something were to happen, you'd be taken care of. Plus, the security through obscurity element is much more significant with services like Squarespace compared to Movable Type.
One main difference - as far as I understand MT - is the fact it doesn't require the db to run. The publishing process you kick off in MT when happy with your new entry builds goode olde static pages; while most other blogs I know write directly to the db and pages are then built 'on the fly' as the user pulls them. If the db is down or hacked, you're busted. With MT and its static pages, whether some hack has killed your sqldb or not doesn't interest MT one iota - until you need to rejig things. Also nice for speed when the shared host is puffing at near full load.
So IMHO as far as 'survivability' and speed of serving up pages is concerned, you'd be hard pressed to find something to beat MT. Can be a dog in other areas, but stability and security is certainly one of the better features. And this is what you asked for.
Bottom line is any online service is going to be exposed to security vulnerabilities. In my experience WordPress is as good as any (and actually exceeds most) in terms of security and releasing immediate security patches.
On TechCrunch I just found a story of a guy that got hacked, then a security fix was issued. One of the main principles you must follow (as I'm sure you know) is to ALWAYS update to the latest version and install the latest security fixes. That, along with extremely high password strength is probably the best thing you can do, whether you go with WP, WT, Drupal, etc.
Having worked with WordPress a lot lately, what I've been doing to create security is avoiding defaults. When creating the database, I change the table name prefixes to something custom for that site. I create a unique user and make them administrator then delete the admin user. There are also security based plugins that make other tweaks available as well.
WordPress offers other suggestions as well. WP Security Scan is a useful plugin for adjusting permissions and making other tweaks for security. Keeping current is also important. Also if you are using a free theme, get it from wordpress.org's directory. Many websites that offer themes include encrypted backlinks that create security holes. See this post for details on that issue.
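The checks described in the last answer (a non-default table prefix, no leftover `admin` account, no obfuscated code in a downloaded theme) can be automated. The following Python is an added example, not code from the original posts or from WordPress; the function names, the regex patterns (a non-exhaustive assumption about what hidden theme code looks like), and the sample strings are constructed for illustration.

```python
import re
from pathlib import Path

# Assumed, non-exhaustive patterns for theme code that hides what it does.
OBFUSCATION = {
    "eval of decoded data": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "long base64-like literal": re.compile(r"""['"][A-Za-z0-9+/=]{120,}['"]"""),
}
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""", re.M)


def check_config(wp_config_text):
    """Flag a wp-config.php that still uses the default table prefix."""
    m = PREFIX_RE.search(wp_config_text)
    if m is None:
        return ["$table_prefix not found"]
    return ["default table prefix 'wp_' in use"] if m.group(1) == "wp_" else []


def check_users(logins):
    """Flag the default 'admin' login if it still exists (case-insensitive)."""
    present = {login.lower() for login in logins}
    return ["default 'admin' account present"] if "admin" in present else []


def scan_php(source):
    """Return the names of the obfuscation rules a PHP source string matches."""
    return [name for name, rx in OBFUSCATION.items() if rx.search(source)]


def scan_theme_dir(theme_dir):
    """Scan every .php file under a theme directory; returns {path: [rules]}."""
    hits = {}
    for path in Path(theme_dir).rglob("*.php"):
        found = scan_php(path.read_text(errors="replace"))
        if found:
            hits[str(path)] = found
    return hits


# Constructed samples, not taken from any real site or theme.
SAMPLE_CONFIG = "<?php\ndefine('DB_NAME', 'blog');\n$table_prefix = 'wp_';\n"
SAMPLE_FOOTER = "<?php eval(base64_decode('" + "QUJD" * 40 + "')); ?>"
CLEAN_FOOTER = "<?php wp_footer(); ?>\n</body></html>"

if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG))
    print(check_users(["admin", "editor1"]))
    print(scan_php(SAMPLE_FOOTER), scan_php(CLEAN_FOOTER))
```

A match from `scan_php` is a reason to read the file by hand, not proof of a backdoor; legitimate themes occasionally embed long encoded strings such as inline images.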