Quoting Todd Hawley (celticdm@gmail.com):
> I used to maintain a site that ran WordPress, we migrated it to DH and they insisted they could only run WP if our URL included the Dreamhost name in the URL.
How funny.
Aha! I wondered why WP had so many security issues. Although from what I'd heard PHP was a nice scripting language and easy to learn. I had no idea it was prone to security issues.
Just for fun, here's a cranky rant giving a full rundown on the problems with PHP: https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/
I suspect it's difficult verging on impossible to write good and reasonably secure public-facing PHP code if it does anything significant. In any event, for whatever reason, there are continual, repeating security breakdowns in WordPress itself. Troublingly, these tend to keep occurring over and over in the same areas, suggesting that there are deep architectural flaws that give rise to the recurring implementation flaws, i.e., the underlying problems don't ever get truly fixed, only this week's manifestation of the problem.
If you've been around software for a while, you learn to recognise that pattern. Fixed, this time for sure! Oh darn, here's another one that's technically different, and we've fixed that. Wait, here's another one and a fix for it....
I'm personally simpatico with security expert Marcus J. Ranum's take on this: If signs suggest that code is fundamentally not very good, then the only reasonable remedy is to avoid running it, rather than continually applying the patch du jour, from now unto eternity. Here's one of his several rants about that:
http://www.ranum.com/security/computer_security/editorials/master-tzu/
It's also idea #3 on his list of the Six Dumbest Ideas in Computer Security: http://www.ranum.com/security/computer_security/editorials/dumb/
There's some keen thinking behind Ranum's views. On a separate page, http://www.ranum.com/editorials/must-read/, Ranum singles out Nobel Prize-winning physicist Richard Feynman's insight in his much-praised separate 'Personal observations on the reliability of the Shuttle' report, which Feynman wrote as a member of the Rogers Commission investigating the Challenger disaster:
In "Observations", Feynman is careful to point out, in his discussion of "safety margin", that, if hot gasses are not _designed_ to jet past and damage an O-ring, then there is no such thing as a "safe" flight in which that happens _to any degree_. You could take "Observations" and staple a post-it note to the front of it reading, "...and if the design doesn't say that heat resistant tiles are _supposed_ to fall off, then there is no 'safety margin' that justifies flying the shuttle if they do."
I have unashamedly paraphrased Feynman over and over again in the last few years, with respect to computer security: "If the design of your operating doesn't _say_ that it's _supposed to be hack-able_, then it shouldn't be and it's not safe for use in an environment where there are hackers." I wish I could boil that down to a Feynman-esque quip, or a Sun Tzu-style phrase - but it is no embarrassment for any man to admit that they aren't in that league of thinkers.
For context, as Feynman recounts, NASA administrators had written off the space shuttle's continual shedding of heat-shielding tiles as an acceptable risk (the estimated risk going down as one ascended the management food chain), despite the fact that (to pick one example among several), according to the shuttle's engineering design, no tiles were supposed to fall off at all.
By analogy, the recurring security problems in both PHP and WordPress are of the sort that make you ask 'Why are these happening at all, and why do they keep happening in the same areas?' The natural suspicion is thus that there are fundamental, deep flaws that aren't ever getting fixed, just the cracks spackled over.
Ranum's so impressed by the profundity of Feynman's observations that he mirrors a copy, here: http://www.ranum.com/security/computer_security/editorials/dumb/feynman.html