The debate about the new 10 Downing Street website has been rumbling on for a short while and having commented about it on a few blogs it’s probably worth summarising what I make of it. I have had nothing whatsoever to do with the development of the site – this is just an opinion about it…
First of all the site is a big improvement on the old design and technology – it’s well presented, makes good use of images and has a smooth Web 2.0 feel about it. So far so good.
Secondly the site is based on an open source CMS – WordPress. While this blog and a number of other sites I administer run with WordPress it’s not however the system I would have chosen for the Number 10 website. WordPress is great for quick and simple publishing of content. It’s not much good for the organisation of lots of information. I would have gone for Typo3 instead.
Using open source software brings with it security concerns – how easy would it be to exploit a bug in WordPress and bring down the site? Contrary to what Dizzy insinuates, there is little comparison between the Number 10 site and the Harriet Harman blog ‘hack’, which was due to a password falling into the wrong hands. It wasn’t a security issue with WordPress as such (which is used for Harman’s blog).
Problem is that you’re damned if you do and damned if you don’t with this – use open source software for a high profile project and everyone has a go at you for not taking security seriously enough. Don’t use open source, you probably don’t get a site that’s any more secure, and people have a go at you for the cost.
Which then leads me to the final issue: the cost and what you can expect for close to £100K, an issue that Mike Rouse has written about in depth. While I cannot determine all of the work that has gone on behind the scenes, it does seem that you could have expected a rather more rigorous testing procedure within the development of a site with a budget of that scale. There are even allegations that the code used comes from a freely available WordPress theme, but the site bears only Crown Copyright. With such a budget why was it not possible to code a theme from scratch? It’s not hard to do and there’s a handy guide for it.
Given the amount of money that the government will have paid to this agency, on behalf of the UK taxpayers, it may have been reasonable to conclude that any design would have been built from the bottom up.
Just to pick up on Dizzy’s absolute statement about the WordPress admin area having a guessable URL, let’s try these standard WordPress admin URLs:
Not quite that easily accessible, then.
@finid – I think you have the wrong impression. I *only* use Open Source software for all the political projects I do, you will not find anyone who is more of a fan. The paragraph you highlight is a summary of what the reaction from the press, bloggers etc., will be, not what I want the reaction to be.
Just because something has been programmed for a specific project that does not make it more secure – quite the contrary in fact. Problem is few people seem to see that.
“Problem is that you’re damned if you do and damned if you don’t with this – use open source software for a high profile project and everyone has a go at you for not taking security seriously enough. Don’t use open source, you probably don’t get a site that’s any more secure, and people have a go at you for the cost.”
You are telling your readers, based on the quote above, that open source applications are not secure. Whether intended or not, you are helping to spread FUD about open source projects and the open source community. The same was tried by Fortify in a recent report. That report and its bogus conclusions were debunked here
Fair point… There are ways of installing WordPress to stop that though – if you have root access to the server where you’re installing it, which I presume they do for the Number 10 site. Unless they are doing that for, let’s say, bargain prices too?
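As an added illustration of what that comment means in practice (this is my own example, not configuration from the post, the Number 10 site or the agency that built it): with control of the web server you can fence off the WordPress admin area before PHP ever runs, so the “guessable URL” only answers to trusted networks and to a second password that lives outside the WordPress user database. It assumes nginx with PHP-FPM on 127.0.0.1:9000, a site root of /var/www/wordpress, and the placeholder range 203.0.113.0/24 standing in for the office network.

```nginx
# Added example, not part of the original post: lock down the WordPress admin
# area at the web server. Assumptions: nginx + PHP-FPM on 127.0.0.1:9000,
# site root /var/www/wordpress, placeholder trusted range 203.0.113.0/24.

server {
    listen 80;
    server_name example.org;            # placeholder host name
    root /var/www/wordpress;
    index index.php;

    # Public front end: pretty permalinks fall through to index.php.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Themes and plugins call admin-ajax.php from the public site, so it must
    # stay reachable. An exact match (=) takes precedence over the ^~ block below.
    location = /wp-admin/admin-ajax.php {
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass   127.0.0.1:9000;
    }

    # Admin area: refuse every address outside the trusted range, and require
    # HTTP basic auth on top. allow/deny and auth_basic are inherited by the
    # nested PHP location, so the checks run before any script executes.
    location ^~ /wp-admin/ {
        allow 203.0.113.0/24;           # placeholder trusted range
        deny  all;
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/htpasswd.admin;   # made with htpasswd
        try_files $uri $uri/ /index.php?$args;
        location ~ \.php$ {
            include        fastcgi_params;
            fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass   127.0.0.1:9000;
        }
    }

    # The login form sits outside /wp-admin/ and needs the same treatment.
    location = /wp-login.php {
        allow 203.0.113.0/24;
        deny  all;
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/htpasswd.admin;
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass   127.0.0.1:9000;
    }

    # All other PHP (the public site).
    location ~ \.php$ {
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass   127.0.0.1:9000;
    }
}
```

With this in place a request for /wp-admin/ or /wp-login.php from an untrusted address is answered with a 403 by nginx itself and shows up in the access log, and even a WordPress password that has fallen into the wrong hands (the Harman scenario above) is not enough on its own from outside the trusted range. The admin-ajax.php exception is the one piece people usually forget; without it public-facing features that rely on it break.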
Jon, I was not implying HH’s WordPress was owned because of an exploit, although the point stands that a WordPress site does have an admin section that is easily accessible if you know the URL string format. I was merely pointing out that if HH got targeted, then the chances are even greater for GB, and that WordPress is a bad choice in that respect.