Removing a WordPress 2.1.1 installation and replacing it with a static mirror

Disappointed with the WordPress security track record, I’ve decided to remove it from my systems. The straw that broke the camel’s back was a cracker replacing the official WordPress 2.1.1 archive on wordpress.org with a trojan.

This decision was made in the context of the Month of PHP Bugs (highlighting security problems with PHP in general) and after a series of WordPress upgrades due to security problems. The problem is that WordPress simply doesn’t have the security required of a public-facing, network-enabled application. These upgrades are more or less forced upgrades (that is, "upgrade or your server might get 'owned'"). I am a little tired of having to invest the time required to install all these updates (and not just to WordPress but to UBB.threads and MediaWiki as well), so I decided to retire my existing WordPress install and replace it with a static mirror of the existing dynamic content.

I made this decision even though I was not exposed to any risk because of my Subversion-based upgrade policy (see "Upgrading WordPress using Subversion"). Among other issues, I don’t think the vulnerability disclosure practices of the WordPress team are really up to scratch. The just-released version 2.1.2 actually includes a fix for another security flaw. The [http://wordpress.org/development/2007/03/upgrade-212/|official announcement] states that it "includes minor updates", but that’s not really an accurate description of what got fixed (an [http://trac.wordpress.org/ticket/3879|XSS vulnerability]).

So I mirrored my existing dynamic content using wget:

wget -m -k -K -E "http://example.com/path-to-word-press-installation/"

And uploaded it to the server in the place of my WordPress install. No more updates or security holes to worry about, ever!
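As an added example (not part of the original post), the mirroring step above wrapped in a script together with an audit of the result before it is uploaded: the URL, hostname and output directory are placeholders, and the audit catches the leftovers the wget flags themselves produce (the `.orig` copies kept by `-K`, unconverted absolute links, and filenames that still carry a query string).

```bash
#!/bin/sh
# Added example, not code from the original post. Hostname, URL and
# directory arguments are placeholders to be replaced by the reader.

# Same flags as the post: -m mirror, -k convert links to local ones,
# -K keep a .orig copy of each converted file, -E append .html to HTML.
mirror_site() {
    # $1 = URL of the WordPress installation, $2 = output directory
    wget -m -k -K -E -P "$2" "$1"
}

# Audit a mirror directory before uploading it in place of WordPress.
# Returns 0 when clean, 1 otherwise, printing each problem it finds.
audit_mirror() {
    dir="$1"
    host="$2"          # original hostname, e.g. example.com
    status=0
    # 1. -K leaves pre-conversion copies; they still hold the live
    #    absolute links and must not be published.
    if find "$dir" -type f -name '*.orig' | grep -q .; then
        echo ".orig backup copies present (remove before upload)"
        status=1
    fi
    # 2. Any absolute link back to the live host means -k could not
    #    convert it, so that page would still point at the old install.
    if find "$dir" -type f -name '*.html' \
         -exec grep -l "http://$host/" {} + | grep -q .; then
        echo "absolute links to $host remain in HTML files"
        status=1
    fi
    # 3. Query-string URLs (index.php?p=3) become filenames containing
    #    '?'; a static web server has to be configured to serve those.
    if find "$dir" -type f -name '*[?]*' | grep -q .; then
        echo "filenames containing '?' need web server attention"
        status=1
    fi
    return $status
}
```

Run `mirror_site "http://example.com/blog/" mirror && audit_mirror mirror/example.com example.com` and only upload when the audit exits 0.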

See also