Techcrunch moves from Rackspace to Wordpress Hosting (centernetworks.com)
46 points by somethingrand on Feb 8, 2010 | 44 comments


WordPress VIP hosting has its pros and cons.

They handle everything, which makes keeping a site up even easier than using RackSpace. Their support team is very knowledgeable about WordPress, which is a huge plus.

However, they take an App Store approach - they review every line of code. (I even once had Matt Mullenweg himself show up on a few commits; he changed the use of "Wordpress" in a few comments to the proper "WordPress".)

This is a problem. Their server is quirky - they have a lot of extra, mostly undocumented code (code that isn't part of WordPress), as well as some weird PHP settings. So, it wasn't rare for changes (that were thoroughly tested on our dev site) to break the site for no apparent reason. It would take a few hours to a few days to get the changes reverted.


This is to be expected from an abstraction layer. WordPress hosting is really a lot of abstraction layers that facilitate communication between bloggers and communities and it does a lot of that. One of the things wordpress hosting abstracts is server management, which Rackspace also does, though not specifically for wordpress.

There are lots of processes running on the machines and if someone uploads malicious code or bad performing code, it could be detrimental to other blogs on the same machine or machines or sets of machines which may even be managed by Rackspace, who knows, and databases all working together. Systems at that scale are constantly evolving to fend off hackers from within the wordpress community and outside it. From within the network and beyond the firewall.

Rackspace has their own set of problems lower in the stack than wordpress. Lower in the stack than any application specific code, be it within wordpress's open source or a JavaScript library, a custom website for a mobile phone or image processing.


We do code reviews to make sure VIP WordPresses are as fast and stable as possible, but more of that information could be documented. You're right and it's something we're actively working on.

There is going to be a dedicated VIP portal with documentation of all the special functions, lots of theme and system info, and best practice coding guidelines for WP.com.

The cool thing about VIP is you can get, say, a direct link from the Yahoo home page and it doesn't break a sweat. It's specialized to just WordPress, but more people every day are running their entire site through WP.


A friend's startup used Rackspace Cloud for all of two weeks. It's a really strange product. It pretends to be a cloud service but it's really just Yet Another Shared Host, only more expensive. After their account got suspended without notification for exceeding their "processor cycles" limit (wtf?) they bailed.


We used them for publictivity. Though they say they could scale, they couldn't handle what we had for our duplicate contacts processing algorithm. Every time it would run, we started to get: no suitable nodes to serve your request. I took this as: "we can't scale to meet your demand".


It's worth highlighting the difference between Rackspace Cloud Servers (aka Slicehost) and Rackspace Cloud Sites (aka Mosso). The former is pretty good and reasonably priced. The latter is not.


Are you referring to Cloud Servers or sites?

I am finding Cloud Servers to be a great system, especially when you have load balancing and backend servers that don't use any non-local bandwidth. At $10/mo for a 256MB slice compared to $20/mo for slicehost, it is a good deal if you need a lot of small workers.


Upgrade to a Platinum account for 2875910101401600 dedicated processor cycles per month!


Interestingly, gigaom.com is hosted on wordpress.com as well. Makes sense if you're looking to outsource admin and security for a large blog, really.


GigaOm is funded by TrueVentures, and Automattic (WordPress's company trading name) is also TrueVentures backed, with one of their partners working as the full-time CEO.

It's not surprising GigaOm is so tightly integrated into Wordpress.com - it's more surprising a competitor like TC now is.


Wordpress' business model:

1. Write horribly insecure free/open source blog software. Become massively popular.

2. Wait for peoples' blogs to start getting hacked. Users then realize they can't / don't want to keep up with the alarmingly frequent vulnerabilities / patches, and turn to wordpress.com to handle hosting.

3. Profit!


I'm not sure the tone is appropriate. This happens at every layer of the stack. Entire ecosystems evolve around hosting software systems from laying the wires between cities to comment hosting services. Really, who better to maintain it than the people who built it?

If you were an oracle database customer, wouldn't you outsource your oracle database management to oracle before you'd outsource it to microsoft?


Well, the comment was meant to be taken as tongue-in-cheek, but Wordpress has a notoriously poor track record with security.

It's a trade off. There is some software I'll gladly host myself. Wordpress is not one of them.


For the last couple of years, you can just click an "Upgrade" link in your admin and it just upgrades itself painlessly. It also lets you know in the admin Dashboard when there's a new version out to upgrade to. Honestly it seems like they've gone out of their way to make it easy for self hosted users (like myself) to keep current.


If you're willing to allow FTP connections and create an account for WordPress to fix itself sure. But I'm not willing to support FTP and also not trusting that WP can't be hacked in a manner that will either then cough up my FTP details or download a hacker's copy of WP.


You can upgrade WordPress automatically now without using FTP. It means that PHP has to execute with write permissions to the files involved however. Exacerbating this security risk, a lot of people run mod_php which means PHP executes as the apache user, thus giving write permissions to every other website on that server. They'll either chmod 777 or chown www-data (or apache) the wordpress folder/files.

I personally use FastCGI+SUExec to ensure that WordPress' PHP code executes under a specific user account other than Apache's. It does not address the possibility of WordPress code itself somehow being hacked, but it does provide some sort of sandbox protection to the site.

I'm not thrilled with WordPress' past security track record, but I think they have made it so easy to use that a lot of users simply throw the scripts up on a shared server without knowing exactly what they're doing so far as server configuration goes. I wonder how many WordPress blogs are exploited because of a stupid permission setup?


How does it work without FTP? Last time I tried to upgrade it asked for the FTP u/p.


If it's asking for FTP details, the problem is that Apache does not have write permissions to the files. The UX is pretty bad in that it doesn't let you know that it doesn't have write permissions, it just ignores that fact and presents the FTP details.

Here's where a lot of the security problems arise. As I mentioned, a lot of people are on a shared host and using mod_php. The only way they can make their files writable is to somehow give Apache write access to them. That opens up the possibility for other sites on the shared server to execute PHP that also writes to these files.

If you're stuck in this position, I'd recommend as a hack/workaround, to temporarily chown the files to www-data/apache. Perform the upgrade, then change ownership of the files back.

Ideally, if you're setting up your own server, I'd recommend FastCGI/SUExec:

http://www.howtoforge.com/how-to-set-up-apache2-with-mod_fcg...

You have much finer-grained control over how your PHP can execute. Alternatively, although I have no experience with it, you could try suphp to achieve a similar effect but by sticking with mod_php.
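The two permission setups described in the comments above (files made world-writable with chmod 777, and files left owned by and writable to the web server account) can be checked for with a short audit. This is an added example, not code posted by anyone in the thread; the function names, the output labels and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for risky write permissions.
# Usage: audit_wp_perms <wordpress_dir> <web_server_user_or_uid>
# Prints "<CLASS> <path>" per finding; returns 1 if anything was found.
audit_wp_perms() {
    dir=$1
    web_user=$2
    findings=$(
        # Writable by "other" (chmod 777/666): any account on a shared
        # host can modify it. Symlink mode bits are meaningless, so skip.
        find "$dir" ! -type l -perm -0002 \
            -exec printf 'WORLD_WRITABLE %s\n' {} \;
        # Owned by the web server account and owner-writable: any PHP
        # running as that account (the mod_php case) can rewrite it.
        find "$dir" ! -type l -user "$web_user" -perm -0200 \
            -exec printf 'WEBUSER_WRITABLE %s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree (hypothetical layout, not from the thread):
# a 640 config file and an uploads directory left at 777.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir "$t/wp-content" "$t/wp-content/uploads"
    echo '<?php' > "$t/wp-config.php"
    chmod 755 "$t" "$t/wp-content"
    chmod 640 "$t/wp-config.php"
    chmod 777 "$t/wp-content/uploads"
    echo "$t"
}
```

Run it after an in-place upgrade to confirm that ownership was changed back, passing the account your web server runs as (for example www-data or apache).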


The same way installing plugins without ftp and writing config files; the files that need to be upgraded just need to be writable by the server.


You could just run it from SVN and periodically go in and upgrade.

I host and keep 6 blogs up to date like this for friends and together with things like mod_security I've never had a problem with spam or being hacked.

I realise this is just anecdotal and isolated, but an upgrade doesn't get much simpler than "svn up".


I know people that use a similar approach (albeit) with git. Comments are hosted on Disqus so the entire site is essentially read-only. WPSuperCache is used on a staging server and the actual public-facing website serves up static pages that have been git pulled from the cache. The Apache process on the public-facing server only has read permissions to the public site files.


Agreed. "svn up" and your site is updated - no FTP details need to be given away.

And you can use this to automatically install via SVN http://birdhouse.org/software/2008/04/wp-create/ (and there's a similar script for updating all the sites at once)


You seem to have to give them an FTP login to your site to do this. Or am I missing something?


Or have the same user that runs php access to write to your webroot. This incurs other vulnerabilities though.


No you don't. It upgrades in place by pulling down files and updating itself. And you don't need to let it write to your whole webroot, just to the wordpress install directory.


I think that's pretty unfair.

Wordpress didn't just magically "Become massively popular", it got so because it served many people's needs (there were plenty of alternative free/OSS blogging engines all along). Its developers put in thousands of hours' unpaid work before monetizing became a possibility.

Providing supported/hosted services based on an open source solution, while continuing to release your work as open source, is about as noble as a business model can be, IMHO.


horribly insecure free/open source blog software

I always see this on HN, but no one ever bothers to elaborate. Can you please do so?


Not much elaboration is needed. WordPress has a surprising number of critical security holes. http://en.wikipedia.org/wiki/WordPress#Vulnerabilities


Did you even bother to read that? That's almost all from 2-3 years ago. The only recent stuff is the list from Secunia, which for 2009 is all marked as patched:

http://secunia.com/advisories/product/6745/?task=advisories_...

And that only illustrates the broader point here: WordPress is open source and incredibly widely used, so typically vulnerabilities are found and patched pretty fast. For 99.9% of people, there's not really a better alternative.


Wow, I can tell this is a touchy subject for you. I'm not claiming that I know of any unknown security flaws, I was simply proving to you that there have historically been quite a few critical security flaws. Are you claiming that the current version of WordPress has somehow transcended its track record of critical vulnerabilities, and surely, this one will be the one for the ages?

I don't know of any current zero-day exploits in Windows either... Does that logically mean that Windows is a rock-solid platform?

Also, there are no better alternatives to WordPress? A hundred startups and blog platforms would disagree! There certainly are quite a few more secure alternatives. I personally use Bloggart on App Engine. :)


This article refers to holes in previous versions. Do you have reference to holes in the current one? If there are, wouldn't Wordpress.com be just as vulnerable?


For what it's worth, the vast majority of compromised sites we look at are because of host vulnerabilities or issues rather than something at the WordPress layer, which is pretty far up the stack.

An up-to-date WordPress, which is easier than ever using the built-in upgraders, is secure. There are more bad sysadmins in the world than people who can't click the upgrade button.


I noticed this today. Seems to be only the main website and not the subsites like TechCrunchEU.

I wish they would explain more why they made this move. For a tech website, I didn't even know what Wordpress VIP was and had to look it up myself.


There's actually a lot of discussion at the moment on the security of RackSpace Cloud Sites product. A lot of the exploits we've seen have focused around WordPress because it's probably the most common use of an RS Cloud Sites account rather than anything specifically vulnerable in WP.

http://benmetcalfe.com/blog/2010/01/wordpress-to-be-currentl... and also http://news.ycombinator.com/item?id=1077311


Where does Wordpress host? And what is their support like? And how big do you really have to be to get admitted behind the velvety-php rope?


Not sure when this started, but you can get the information on Wordpress's VIP services here: http://vip.wordpress.com/


So if you pay $15,000/yr you still only get two-day response time? Seems like only the Platinum/Black with "high priority" support seems to be worth it... assuming you have the traffic that makes 80/150k per year worth the cost.


WordPress.com has servers in two datacenters run by LayeredTech and one by Server Beach, around 1,200+ total. When one datacenter fails we (hopefully) fall over to the other two. We have DNS and monitoring services at half a dozen other locations, and of course utilize CDNs for frequently-accessed content.

Support is handled by a worldwide team of some of the nicest and sharpest people you'll ever meet, with escalation to the core people behind WordPress. We've seen and worked with more high-profile blogs than probably anyone else.

The typical floor for VIP is 1 million pageviews a month. Many clients do many times that, or host dozens of sites with us.


IP block that vip.wordpress.com lives on is owned by LAYERED-TECH

I'd imagine the move has more to do with wordpress.com actively updating the software vs. hw / network infrastructure.

Am I wrong in assuming that TechCrunch was hosted on CloudSites?


When you outsource your core competency, what value do you actually have left? What is this, the 4th "we're going to throw a hissy fit at our hosting company" that Arrington has done because he can't be bothered to learn how to replicate a simple blog?


I didn't realize that hosting wordpress was techcrunch's core competency. I assumed that's what wordpress did.


Right. Their core competency is tech journalism. Not technology.


Is that even their core competency? j/k


I thought their core competency was to be dramatic bloggers? Journalism is a lofty word that has nothing to do with Techcrunch.



