> I am hoping to get some reasonably knowledgeable, and unbiased,
> responses.
>
> I was thinking about putting together a wordpress blog. Then I came
> across a recent slashdot article about recent wordpress security
> issues. I did a little research, and found that wordpress has quite a
> history of security issues. A lot of people argue that wordpress has
> serious design flaws when it comes to such issues.
>
> I also understand that joomla, and even drupal, have a history of
> security issues.
>
> Certainly django has fewer issues, but then, let's be honest, there are
> a lot fewer django sites. Hackers love to target the more popular
> apps.
>
> Then again, I have heard some fairly knowledgeable people claim that
> django is designed with security in mind. Although I am not a PHP
> hater, I have found that python developers tend to be less hackish,
> and more design oriented.
>
> I would love to get a response from somebody who actually knows a
> little about php, and the popular php apps, as well as some django.
My background: I moved to using mostly Django/Python last year after using PHP for 9-ish years. Included in that has been developing some sites with Wordpress. Even more relevant, I also spent this last Sunday hurriedly upgrading various Wordpress blogs, some for clients, some for clients of clients. I've seen several of these sites hacked previously.

You don't say who or what the blog is for. If it's for personal and frequent use then you only have to look at how many active django developers themselves use Wordpress. I say frequent as it's easier to be reminded of security upgrades. If it's for someone else, factor in having to upgrade it for them. Also factor in upgrading the various plugins you'll find you end up using. Some of those plugins may break during a WP upgrade. You also don't really mention your own knowledge. Remember to subscribe to the Wordpress development blog feed to keep up to date with upgrades.

I've now stopped doing any client sites using it and want to move our blogs away from it. The security issues are one reason, but I'd not say Wordpress is necessarily the most insecure app; as you say, it's quite likely it is being targeted as much due to its ubiquity. Besides, you could argue that its fairly frequent attacks will make the developers more vigilant than many other projects.

Having said that, there are things about its structure that I didn't like (aside from the code): It stores all app content in the public folder (django does not advise this, in contrast). It includes content (e.g. image uploads) inside what is partly an application folder (wp-content), which means not only are there folders inside an app that need to be writable for uploaded content, but also that manual upgrades are a fiddle. Third party plugins exist in this directory too, and I've had several require additional directories with full write access. Many of its options are stored as serialized data and are written by any new plugins, making spotting unwelcome hacked entries more difficult (I've had to do this).

Another reason is simply development. Wordpress has loads of plugins, but if you're any kind of fussy developer there will always be things you want to change. As soon as you change them they no longer fit into the upgrade cycle, and you're then maintaining code like you would any other project, without the lazy convenience of Wordpress.

As far as comparing Django to Wordpress, the comparison is flawed. As others will point out, django is a framework, better compared to, for PHP, Zend Framework, Symfony, CakePHP, etc. You'd then have to build your own or find one of the many blog and bloggish apps developed on Django.

As far as python developers being less hackish, I do wonder in part if that has to do with the somewhat higher barrier to entry, particularly for web apps. PHP: <?php echo 'Here is my web app'; in index.php on most any host and you've started your path to PHP stardom. PHP does give you a loaded gun, and shooting yourself in the foot enough times is all part of the course. Python takes a fair bit more setup and experience to get it all going. Those that come to Python for web development (like myself) have often done so based on prior experience and are looking for something more.

Anyway, I must be on a rambling spree today, hope it helps a bit,

Nick
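An added example, not part of Nick's reply and not WordPress's own code, for the point about options stored as PHP-serialized data being hard to audit: a small unserializer for the value types such option rows use (null, bool, int, float, string, array), plus a scan that walks every string inside each parsed value and flags markup or code that a settings value never legitimately needs. The option rows and the pattern list are constructed for the example; a real audit would feed it a dump of the site's option table.

```python
"""Scan PHP-serialized option values for injected markup or code.

Added example: a plain grep over a serialized blob is unreliable because
injected strings hide inside nested arrays with length prefixes. Parsing
the value first lets us inspect each string leaf on its own.
"""
import re
from typing import Any, Iterator, List, Tuple

# Constructed pattern list: fragments that plain settings values never need.
SUSPICIOUS = re.compile(
    r"<script\b|<iframe\b|\beval\s*\(|base64_decode\s*\(|javascript:",
    re.IGNORECASE,
)


def unserialize(data: bytes, pos: int = 0) -> Tuple[Any, int]:
    """Parse one PHP-serialized value at pos; return (value, next_pos).

    Supports N, b, i, d, s and a. PHP string lengths are byte counts,
    so the input is handled as bytes throughout.
    """
    tag = chr(data[pos])
    if tag == "N":                      # N;
        return None, pos + 2
    if tag in "bid":                    # b:1;  i:42;  d:3.14;
        end = data.index(b";", pos)
        raw = data[pos + 2:end].decode()
        val = {"b": lambda r: r == "1", "i": int, "d": float}[tag](raw)
        return val, end + 1
    if tag == "s":                      # s:5:"hello";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2               # skip :"
        val = data[start:start + length].decode("utf-8", "replace")
        return val, start + length + 2  # skip ";
    if tag == "a":                      # a:2:{i:0;s:1:"x";i:1;s:1:"y";}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                 # skip :{
        result = {}
        for _ in range(count):
            key, pos = unserialize(data, pos)
            value, pos = unserialize(data, pos)
            result[key] = value
        return result, pos + 1          # skip }
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")


def string_leaves(value: Any) -> Iterator[str]:
    """Yield every string found anywhere inside a parsed value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from string_leaves(v)


def find_suspicious_options(rows: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (option_name, offending_string) for each option whose value
    contains a suspicious fragment. Values that are not serialized (plain
    strings such as the blog name) are scanned as-is."""
    hits = []
    for name, raw in rows:
        try:
            value, _ = unserialize(raw.encode("utf-8"))
        except (ValueError, IndexError):
            value = raw
        for leaf in string_leaves(value):
            if SUSPICIOUS.search(leaf):
                hits.append((name, leaf))
                break
    return hits


# Constructed sample rows in the shape of (option_name, option_value).
SAMPLE_ROWS = [
    ("blogname", "My Blog"),
    ("widget_text",
     'a:1:{i:2;a:2:{s:5:"title";s:5:"Links";s:4:"text";s:9:"<p>hi</p>";}}'),
    ("widget_text_evil",
     'a:1:{i:3;a:1:{s:4:"text";s:22:"<script>bad()</script>";}}'),
]

if __name__ == "__main__":
    for name, leaf in find_suspicious_options(SAMPLE_ROWS):
        print(f"{name}: {leaf}")
```

The parser refuses object (`O:`) payloads rather than guessing at them, which is deliberate: an object appearing where a settings array should be is itself worth a look, and the `ValueError` makes that row fall through to the plain-string scan instead of being silently skipped.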