Over the last couple of weeks, there has been renewed debate on the security of various blogging platforms. TechCrunch began the discussion by noting that WordPress has become a prime target for hackers. The author, Nik Cubrilovic, touched upon the slew of security releases WordPress frequently issues, the fact that it is often hard to identify that you have been hacked and concluded:
If you are currently not running the latest version of WordPress then there is a very high chance that your site has already been compromised.
MTOS Security Update
Anil Dash, Vice President of Evangelism, added to the discussion by comparing the track records of Movable Type and WordPress and even provided a bar chart that succinctly summarizes the security difference between the two (for example, in 2007, WordPress had 49 reported vulnerabilities compared to Movable Type’s 3):
Movable Type has the best security track record of any popular installable blogging software, according to the U.S. Department of Homeland Security’s own reports.
Matt Mullenweg and Anil Dash continued the conversation in the comments about what, specifically, the numbers represented (vulnerabilities in the core vs. the ecosystem of plugins) concluding that Movable Type’s infrastructure was the source of its resilience – allowing plugin developers to use robust APIs and not tempting them to directly interact with the database.
Of course, as was pointed out in the original post, that’s not to say Movable Type has a perfect track record. An XSS vulnerability was reported in the wake of this post, and it was a good opportunity for Six Apart to demonstrate its security reporting and patching process. A security update was released mere days after the vulnerability was reported, and it included a full description of which versions of Movable Type were affected, how to fix them and what the vulnerability was. That is a refreshing change. I strongly encourage everyone to take the time to back up and ensure the security of your Movable Type installations. Besides the next feature release of Movable Type, no other security or maintenance releases are planned, so you won’t be hit by upgrade fatigue!
MTOS Community Updates
Integrating MTOS and Plurk: Chad Everett launched a new plugin called MT Plurk that provides you with a set of handy template tags to integrate Movable Type with Plurk, a microblogging site similar to Twitter. In the comments Yves Luther also pointed out his Plurk Action Streams plugin which provides a nice alternative that integrates with the Action Streams plugin.
MTOS for JumpBox: Installing MTOS can be difficult, but JumpBox is here to help with the recently released JumpBox for MTOS. What is JumpBox? A simple way of installing server-based software on virtualization software (such as Parallels or VMware). See JumpBox for a full list of the software it supports and instructions on how to get started with MTOS.
MTOS at YAPC: As I posted a few weeks ago, renowned Movable Type developer Tim Appnel attended YAPC::NA (Yet Another Perl Conference, North America) and gave a talk on Movable Type Open Source. Tim has put up PDF slides of his presentation, in which he looks at how Movable Type has matured, debunks myths surrounding MTOS and takes a look at MTOS’ architecture. Developers unfamiliar with MTOS should definitely peruse his presentation; MTOS can be quite a satisfying platform to develop on!
20×200: 20×200, a site that offers members limited edition art prints – an edition of 200 for $20, 20 for $200 or 2 for $2,000, was a featured Movable Type site. The entry looks at how Jen Bekman, the entrepreneur behind 20×200, used Movable Type such that it didn’t look like a blog, integrated with Google Checkout and allowed her to send a newsletter to her members. Definitely worth a read!