WordPress.com VIP Platform Outage Reverts Sites To Default Themes

An anonymous reader shares a report: Web blog hosting platform WordPress.com is currently facing a significant technical issue that has resulted in premium blogs going down or reverting to using default themes. Impacted sites include major news outlets like BBC America, TechCrunch, 9to5Mac, 9to5Google, VentureBeat, DroneDJ, and Electrek; but also many companies that were using the WordPress.com's VIP offering to host corporate blogs, such as Facebook, the Wikimedia Foundation, and others. Automattic, the company behind the WordPress.com service has admitted to the technical issue in a series of tweets and a blog post from its engineering staff.

Would using Rust instead of PHP prevented this?

[Anonymous Coward]

Would writing WordPress in the Rust programming language, instead of PHP, have avoided the bug or problem causing this?

Re:Would using Rust instead of PHP prevented this?

[phantomfive]

Worth mentioning that the primary use case for Rust is to prevent memory errors (leaks, overflows, dangling pointers). PHP already doesn't have this problem, and many of the vulnerabilities with Wordpress have been SQL Injection attacks, which Rust the language does nothing to prevent (at least, it does no more than PHP does. There are libraries for parameterized queries in both languages).

Re:

[mysidia]

Cough. Bullshit. Explain one thing Rust does to discourage and prevent SQL Injection and Code Injection in a complete poorly-written website application which PHP does not do.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[mysidia]

time to just give up and go back to clay tablets. They don't lie!

Until the person you've assigned to carve them deliberately inserts a malicious instruction very well hidden on one of the sections of tablet,
and now when your assistants go to execute the procedure on the tablet they'll be doing something that benefits to the evil actor

Re:

[phantomfive]

That's why the instructions for the rain dance in the Bible don't work anymore. It used to actually make it rain.

Re:

[mysidia]

But, FWIW, Rust is a compiled language and I'm pretty sure the opportunities for reflection are limited,

Well, remember that Wordpress has modules and Plugin and Templating functionality also the plug-and play install and update features are a major part of what makes WP so popular, useful, and easy for people to administer -- Anyways; a Rust implementation of WP would require a language interpreter to support these features ---- While rust is usually compiled; there are means by which a Rust program

Re:

[Dracos]

Only PHP4 could have spawned the tragic pile of garbage that is WordPress. Also, it predates Rust by 6 years. Either way, the WP developers wouldn't port it to a second language they don't know.

I will die of schadenfreude if this outage is because wordpress.com got hacked via a WordPress vulnerability.

Re:

[Anonymous Coward]

On the merits Rust is better. That doesn't mean *.* implemented in Rust by PHP forum cut/paste webmonkeys is going to be any better though. It's going to be the same with a new stack of different bugs.

The only reason people use WP is because they are lazy and it's a low barrier to entry. The only reason they stay is because they became dependent on plugins for a site/app that isn't worth rewriting in anything else.
So unless your Rust solution is going to play 100% nice with all legacy WP plugin garbage,

Re:

[jellomizer]

No, probably not. In some ways Rust like OpenBSD may be too secure for its own good.
When a system is locked down too much by default, and given to the hands of developers especially, they are focused on getting the software working, that they will often open bigger holes, then using other systems with reasonable security setup.

WordPress is one of these applications that is used in a way far greater then it was designed to be. Much like how a lot of businesses have this VB6 CRUD program, that the Owners Neph

Re:

[Njovich]

Of course, as your perfect piece of code written in Rust will only have half of the features and will be finished in a couple of decades, you won't have this kind of problems with clients as you simply won't have any clients.

Re:

[Njovich]

Rust exists to solve memory issues. PHP does not have pointers, memory access, threads, etc. Normally it doesn't even save memory state between requests.

Effectively there is no class of bugs that exists in PHP that Rust solves...

I really don't think you'd want to write something like Wordpress (with it's gazillion themes and plugins) in a language like Rust, but if you think there is such a huge market for it you better do it - from your comment I gather you care a lot about clients.

You seem to think that I

Re:

[Njovich]

Given Amdahl's law, if you spend 95% of the time waiting for I/O (as you do in Wordpress - given everything comes from MySQL), even with a 1000x speedup of the code you'll only save 5%. You would know this if you had any background in Computer Science.

About 95% of requests on Wordpress sites never even hit the PHP code and simply return from a network or disk cache. Excercise left for the reader: how much percentage of time can you save with pure code speedups?

Wordpress is nothing to write home about in ter

Re:

[Njovich]

For someone so opinionated about an HTML framework you might want to learn about formatting your post in Slashdot.

I didn't write the damn article lol, I picked it at the top of a list to illustrate that yes, version dependencies in PHP conflict with WP plugin upgrade paths, there are issues you may not know about lol

Your article writes no such thing and in fact even compliments PHP's composer.

The article you linked to even notes how good PHP's Composer is and how Rust borrows from it" - The fuck does that

Re:

[mysidia]

I want to say no... if you're advocating rust, then you need to identify what the problem was and explain how Rust would have prevented this problem.

Choosing Rust for the project instead of PHP would also cause a bigger problem: Wordpress wouldn't exist, or it would be very immature --- rust is complicated and development is slow, and also, its not highly suited for building websites.

Cloud

[ledow]

I got off the phone today with a company that make the software behind a website that we host ourselves.

They are now going "cloud-only" so we can no longer host a version of the (very expensive, annual licence) software ourselves but have to abide by their timetable for upgrades/breakages, give them all our data (including that of our customers, right next to that of our industry competitors), and tolerate whatever changes they decide to implement.

They were quite taken aback that we had absolutely no interest, would be cancelling our contract and doing our own thing (What, precisely? None of their business, as I told them - they have lots of competitors, and we are perfectly capable of making our own in-house equivalent but never needed to up until now).

Sorry, businesses, but cloud is just a money-maker for you, and poor service for your customers. Even Google Cloud haven't managed the uptime I can manage hosting on-site. I'm sure they have greater "total customer uptime" because of their size, but for our purposes it's much more important that I can spin up a local replica of EVERYTHING in minutes, from commodity hardware and under our control.

Wordpress has the same problem - all the companies that want to sell it to us want us to host with them or with a cloud provider. Nope. Not gonna happen. I may have a reason to take our website offline at 4am, and I can do so without your intervention. Similarly, if you want to take a cloud service down for an enforced upgrade smack bang in the middle of our working day, there's nothing I can do about that.

The last website designers we used just sold us a Wordpress theme, a crappy set of plugins that were out of date on the day-of-supply, and it was quite obvious that the underlying site configuration was a copy/paste of another of their customer's - still with all their old articles lingering in the database, licensed plugins with their keys, etc. I've never seen such shoddy configurations, and these people are trying to sell that to me as a secure product on hosting that I can't interrogate? Like hell.

Sorry, but I'm trusting you with my data. I need access to my data, or I may as well not even have it. I also need you to *not* have access to my data unless you have some critical need for it. That makes the majority of cloud services useless. Especially when the site in question is filled with our own customers, their details and other data, and is running under our brand.

One day, people will learn and we'll flip-flop between "on-premises" and "cloud hosted" just the same as "thin-client, fat-client" or "distribute, consolidated".

In the meantime, our email server and AD has a better uptime than Office 365, our cloud storage has a better uptime than Google GSuite, our website has a better uptime than our website designer's, and there is literally one organisation to blame if anything goes wrong... rather than a finger-pointing of cloud providers.

In the EU, with GDPR etc., you literally can't afford for someone else to host your customer data. You're still liable if it gets out into the wild and though they can hand-wave and lose you as a customer, the only people liable to those customers of yours who lose data is *you*.

Re:

[XXeR]

If your org can afford redundant subject matter experts in all the technologies they require, then great. Many can't, or they don't want to and would rather invest in whatever their core business happens to be. There are certainly good points you brought up regarding disadvantages to having someone else manage a piece of software for you, but in the end it's a question of risk and cost...and there's no single answer that works for all organizations.

Re:

[ledow]

Where do you think your website customers are plugging all their account information into your CRM from?

Re:

[thegarbz]

Even Google Cloud haven't managed the uptime I can manage hosting on-site.

[Citation Needed]

Actually don't bother, let me give you the counter-citation: Your claim is that your on-site hosting clients are moving to the cloud to save cost. Already I can tell you the priorities of their IT department, and no uptime isn't one of them.

Re:

[ledow]

Office 365 is Office 362 so far this year, or less depending on your region. Google Cloud was down for an entire day, again depending on your region, only the other day (Jun 3rd/4th) and that's not the only outage listed in my Google App Status Dashboard.

I don't have hosting clients. This is *us*, the IT department of a SME organisation, hosting things ourselves rather than paying cloud people to host them poorly for us.

It costs us just as much to do so (not including the hassle when our software provider

why buying Wordpress 'from a company'?

[Herve5]

Why not downloading the open-source code from wordpress themselves, then uploading it yourself to your hosting of choice, like I'm doing?
Come on, I'm definitely no specialist, and I manage to do it...

Re:

[ledow]

Perfectly fine, and we do that too. A dedicated server, or "local cloud" or whatever you want to call it depending on your age.

Even so, your data is then running on a machine not under your direct control - and physical access beats any other kind of compromise.

Theoretical attack, maybe, but a viable one. You certainly shouldn't be *reliant* on that machine, though... it's not under your control.