A hot topic going around in WordPress circles now is a worm making its rounds hijacking vulnerable WordPress installations, and how just a little effort on the part of administrators could have saved the trouble of cleaning up after the worm. This is the inevitable problem with IT security. No matter how hard developers try to make software safe and secure, make it easy to update, and respond quickly to newly emerging threats, it is never enough for some users. Someone, many people in fact, will fall prey to the exploits.
I’m actually pretty impressed with how easy it is to keep a WordPress installation secure. WordPress started out like any other web application, but over time it has improved so much that, starting first with online upgrades of plugins, you can now upgrade the entire core of WordPress online. There is no need for SSH or shell access to your WordPress installation. Everything is done simply through the web-based administrative interface of WordPress itself.
This is really a whole lot easier than with WordPress's peers. I also run a Drupal site, and I can tell you upgrading Drupal is really very painful. At least, the official Drupal upgrading steps are painful; if there is any unofficial shortcut to simplify it, I don’t know about it.
I could not have asked for anything simpler for WordPress.
Now, I ask myself what could be simpler. I suppose some WordPress administrators are perhaps looking for “automatic updates”. You know, like how Windows can automatically check for updates, then download and install those updates. This would certainly be a neat feature, although of course many other WordPress administrators (myself included) would be hesitant about our WordPress installations automatically upgrading themselves without our knowledge.
Hackers are not going to go away. I think if there are any WordPress administrators, or indeed any type of system administrators, who don’t want to be bothered with the details of IT security, they would be better off buying a service from someone else.