If this was your personal site or a custom CMS, odds are there wouldn't be enough community support to report bugs (or exploits) like this one. You'd simply go about your business thinking your site was secure.
If it was my personal site, I would serve flat files. The fundamental problem with WordPress is a design decision to have live code serving what could easily be static content. If there is no code, there's no exploit.
Personally, the reason is that there are often many security issues related to WordPress. I know that no software is perfect, but if I write the software I can be responsible for it, while if I rely on other people's software I'm still responsible, but for something I don't truly understand. I think WordPress is a fantastic blogging platform, but from a security perspective it's not.
I know he didn't state which direction he chose, but assuming that he's incompetent is pretty bad on your part.
I remember a few months ago, WordPress had a bug where an attacker could keep on resetting an administrator's account password. He might actually have a point.
Incompetence has nothing to do with it. It's just all too common that we overlook something in our code. All software inherently has bugs, as no developer is perfect. There's a lot to be said about having millions of prying eyes nitpicking your source code. I'd much rather have millions of people critique my code as opposed to none at all.
Have you looked at the code? When I started using WordPress on my personal site, people warned me not to look behind the curtains. It seems pretty notorious for being a mess.
Definitely a good idea. Blogs are inherently non-dynamic, except for the once-in-a-while article posting, for which you can have a tiny piece of public-facing software dedicated to that one small task (if you even want that). Or your software can just rsync the new version of your blog to the live server.
I've written off commenting on blogs... so while that was the reason why I made Angerwhale dynamic, I will never be tempted to make that mistake again. Blogs are static pages with an index, per-tag indexes, and a few XML feeds. No database queries should be made to show someone a blog post.
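The two comments above describe the same architecture: render every page ahead of time (post pages, a front index, one index per tag, an XML feed), then copy the result to the web server with rsync so that nothing executable faces the public. The following is an added example written for this page, not code from Angerwhale, Jekyll or any of the tools mentioned in the thread. The posts, the `https://blog.example` base URL and the `posts/<slug>/`, `tags/<tag>/` layout are constructed for the example. Two details matter from a security standpoint even for a generator that never runs on the live host: everything that came from post content is escaped before it is written into HTML or XML, and a slug is validated before it becomes a directory name, so a post file can never write outside the output tree.

```ruby
require 'cgi'
require 'time'
require 'fileutils'
require 'tmpdir'

# Constructed sample posts; a real generator would parse these from files.
POSTS = [
  { slug: 'hello-world', title: 'Hello, world', date: '2010-05-01',
    tags: %w[meta], body: 'First post. Nothing dynamic here.' },
  { slug: 'static-vs-cms', title: 'Static files vs. a CMS <script>alert(1)</script>',
    date: '2010-05-03', tags: %w[security static],
    body: 'If there is no live code, there is no exploit. <b>Markup</b> in post text is escaped.' },
  { slug: 'rsync-deploy', title: 'Deploying with rsync', date: '2010-05-07',
    tags: %w[static ops], body: 'rsync -av --delete _site/ host:/var/www/blog/' }
].freeze

SITE_URL = 'https://blog.example' # assumed base URL, only used for feed links
SLUG_RE = /\A[a-z0-9]+(?:-[a-z0-9]+)*\z/

# Escape anything that originated in post content before it lands in HTML or XML.
def h(text)
  CGI.escapeHTML(text.to_s)
end

# Slugs and tags become directory names. Refuse anything that is not a plain
# token so a post can never write outside the output tree (e.g. "../../etc").
def check_slug!(slug)
  raise ArgumentError, "bad slug: #{slug.inspect}" unless slug.match?(SLUG_RE)
  slug
end

def post_url(post)
  "/posts/#{check_slug!(post[:slug])}/"
end

def post_path(post)
  "posts/#{check_slug!(post[:slug])}/index.html"
end

# tag => [posts], the data behind the per-tag indexes
def tags_index(posts)
  posts.each_with_object(Hash.new { |hash, key| hash[key] = [] }) do |post, acc|
    post[:tags].each { |t| acc[check_slug!(t)] << post }
  end
end

def render_post(post)
  tag_links = post[:tags].map { |t| %(<a href="/tags/#{check_slug!(t)}/">#{h(t)}</a>) }.join(', ')
  <<~HTML
    <!doctype html><title>#{h(post[:title])}</title>
    <h1>#{h(post[:title])}</h1>
    <p><time>#{h(post[:date])}</time> tags: #{tag_links}</p>
    <p>#{h(post[:body])}</p>
  HTML
end

# Newest first; used for the front page and for every per-tag index.
def render_index(posts, title)
  items = posts.sort_by { |p| p[:date] }.reverse.map do |p|
    %(<li><a href="#{post_url(p)}">#{h(p[:title])}</a> <time>#{h(p[:date])}</time></li>)
  end
  "<!doctype html><title>#{h(title)}</title>\n<h1>#{h(title)}</h1>\n<ul>\n#{items.join("\n")}\n</ul>\n"
end

def render_feed(posts)
  entries = posts.sort_by { |p| p[:date] }.reverse.map do |p|
    <<~XML
      <entry>
        <title>#{h(p[:title])}</title>
        <link href="#{SITE_URL}#{post_url(p)}"/>
        <id>#{SITE_URL}#{post_url(p)}</id>
        <updated>#{Time.parse(p[:date]).utc.iso8601}</updated>
        <content type="text">#{h(p[:body])}</content>
      </entry>
    XML
  end
  <<~XML
    <?xml version="1.0" encoding="utf-8"?>
    <feed xmlns="http://www.w3.org/2005/Atom">
      <title>Static blog</title>
      <link href="#{SITE_URL}/"/>
      <id>#{SITE_URL}/</id>
      <updated>#{Time.now.utc.iso8601}</updated>
    #{entries.join}</feed>
  XML
end

# Write the whole site under out_dir and return the relative paths written.
def build_site(posts, out_dir)
  written = []
  write = lambda do |rel, content|
    abs = File.join(out_dir, rel)
    FileUtils.mkdir_p(File.dirname(abs))
    File.write(abs, content)
    written << rel
  end
  posts.each { |p| write.call(post_path(p), render_post(p)) }
  write.call('index.html', render_index(posts, 'All posts'))
  tags_index(posts).each { |tag, tagged| write.call("tags/#{tag}/index.html", render_index(tagged, "Tag: #{tag}")) }
  write.call('feed.xml', render_feed(posts))
  written
end

# Usage: ruby static_blog.rb _site   (then: rsync -av --delete _site/ host:/var/www/blog/)
if $PROGRAM_NAME == __FILE__ && ARGV[0]
  puts build_site(POSTS, ARGV[0])
end
```

The output directory contains only files a plain web server can serve, so the deploy step is a file copy and the live host runs no application code at all; comments, if wanted, are the one piece that has to live elsewhere, which is the trade-off the Disqus suggestion in the next comment makes.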
I want to start blogging, and I'm considering Jekyll + Disqus. Many people seem to use this combo to add comments to a static website. You may get the "best of both worlds": static website + dynamic comments.
Jekyll and nanoc3. We went with nanoc3, which was the first one we were able to get working right. I have very few preferences other than "want Ruby" and "must actually work".
For one website I use Rails. I made the platform in 2 days with full caching (http://www.freestylemind.com). For my technical blog (http://oscardelben.com) I now use Nesta, but I was previously using Jekyll. For my needs they work very well.