Thalasar Ventures

Movable Type VS. WordPress Round 3

There are a large number of posts comparing WordPress and Movable Type. In fact, based on the popularity of my Drupal vs Movable Type post, I have decided to revisit this issue, since many of these posts are more than a year old and, in light of recent developments, are completely out of date.

Most of the posts comparing the two software programs are the opinions of the authors. While this post will also be my opinion, I hope to back it up with examples and uses. I feel it’s important to revisit this issue in the light of the recent developments at Six Apart and WordPress. I am wearing asbestos underwear for this one.

Unless you have been living under a rock for the last week, you have heard that WordPress 2.1.1 was dangerously compromised. This wasn’t a simple exploit either.

“It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution.”

The WordPress team didn’t notice it, but they received a note about it on their security mailing list. This highlights the power of open source software. With many eyes all bugs are shallow. It doesn’t reflect well on the development team’s ability to parse and find bugs. In fact, here’s a report from a year ago on a 2.0.2 security release:

The problems addressed are unannounced XSS issues privately discovered and reported to the WordPress team. Thanks to Michael Boman, Mark Jaquith, Robert Deaton, and David House for assisting with this release.

It appears that the WordPress team has completely outsourced this sort of bug finding to the community. That’s a bad idea in the long term for several reasons. The community should be an important source of bug finding – it should never be the primary source. So not only was someone able to compromise their servers, they were successfully able to attach code that allowed remote PHP execution.

Remember I developed an open source ecommerce solution on the LAMP stack so I have some experience in the area. Sometimes you gotta clean your own stables – as we did with a re-factor of Xao.

When you treat software bugs as something to be done in a 24-hour marathon coding session, you’ve just got to expect bugs to be pretty low on the list. In fact, when you treat the software development process in this fashion, you can expect bugs to pop up in a pretty regular fashion.

Design and testing are crucial components of the software development process, and having a team dedicated to them, as Movable Type does, makes a qualitative difference in the code shipped.

Why am I taking this approach to comparing the two programs? I am a firm believer that design matters. Security problems like these definitely limit the number of places you can effectively install a program like WordPress, especially in the corporate environment.

WordPress has taken off as a product for several reasons. Firstly, there is the perceived “sellout” of Movable Type with a paid product. Secondly, WordPress is written in PHP, which has quickly become a relatively popular web programming language. The ease of learning PHP means quite a few developers are using it. Thirdly, it’s free in both senses of the word. As a free software product it has attracted a number of developers who have developed plugins for the WordPress platform. The strongest feature of WordPress currently is that it has a good number of developers actively developing plugins, once again demonstrating the power of an open source approach.

MT itself has an active developer community as well and if you see below, you will see that Six Apart is actively working to highlight their developer relationships with their plugin directory and professional services profiles. If anything this advantage WordPress has over MT will diminish, especially in light of the security problems with WordPress. No corporation is going to adapt something like WordPress which means less paid developer work which often sustains an open source development model.

I usually tend to be language agnostic for packages like MT and WordPress. Some people like to make claims about the language. (I am often surprised when people claim that Perl is too old. For the first decade of the web, Perl was the web in terms of dynamic page generation.) This post claims that Perl is old technology:

Movable Type is a bit like Windows XP in the sense that its underpinnings aren’t up-to-date — MT still has a large Perl backend, and Windows XP still runs on NT kernel — it’s like putting lipstick on a pig. Back when MT was developed (late 90s I believe) I’m sure that the reasoning behind using Perl was two-fold: Ben Trott was a killer Perl programmer, and PHP wasn’t installed on as many web servers (nor was it as popular) as it is now.

This commits a pretty standard fallacy – that newer is always better. Why, then Linux must drive you absolutely nuts, since it’s based on Unix, which is a 38-year-old operating system. Newer isn’t necessarily better. PHP isn’t a radical development in terms of languages. In fact, the inability to truly separate presentation from content is a true weakness of WordPress. Furthermore, this blog makes the same mistake I always see when discussing hitting the database – namely, that it’s faster than statically generated pages – it’s NOT and WILL NEVER be.

“WP is very fast, publishes quickly, and is a very stable piece of software. Unlike MT, WP is built completely with PHP so it is future-proofed so to speak.”

Future proofed? Exactly what does that mean? It’s completely meaningless in this context because Perl is far better at text handling than PHP. Perl isn’t even close to a dead language. It’s quite the opposite. I am not certain what future proofed means in this context.

MT made the decision to go the corporate route and be the enterprise blogging platform. It has certainly paid off since this can fund further development of the product. This means MT has a solid customer base and can build on the platform. Having cash in the bank makes development a lot easier. So when looking for a blogging platform for a small or medium sized business, it’s not much of a decision really. MT provides a robust platform without the security concerns. For larger corporations it’s also a no brainer – Six Apart provides great support and an easy to use platform.

So in what case might someone install WordPress? Well, someone wanting to tinker in PHP could naturally install WordPress. Because it is free, WordPress is often a one-click install for shared hosting accounts. This means a small blog without a lot of traffic, and an installation that the user doesn’t need to maintain. If your blog is successful at all, you will need to install a WordPress cache.

Ultimately the differences between WordPress and MT are differences between a corporate and a freeware product. The freeware product works pretty well but occasionally has development issues. For a few dollars for MT you get a platform that will scale with your success. So if your budget is so constrained or if you aren’t planning on growing, then WordPress is fine for you.

The future looks bright for MT since it’s far easier to open source a closed source product than it is to close the source and come up with a commercial product. I emailed Anil Dash before writing this article and this is what he had to say:

We’re putting more resources into MT than we (or anybody else) ever has on any version. Ben’s been working with the team to rearchitect the database layer of Movable Type, and the whole team is redoing the information architecture and user interface of MT from top to bottom. In short, MT Enterprise’s success has given us the resources to do a totally new version of MT, from top to bottom. And MT’s personal version will remain completely free, while benefitting not just from the MT Enterprise work, but also what we’ve learned on Vox and TypePad. . . . The last thing I’ll point out is that our infrastructure for making MT is much more open now — there’s a public code repository, with daily builds and a wiki for suggesting new features or giving feedback. There’s a brand new plugin directory coming, along with profiles for members of our Professional Network. And there are now a number of companies that build on top of MT that are doing million-dollar+ proposals for services and consulting with MT as the platform underpinning the work. I bet we’ll see twice as big an audience for that in a year.

Given MT’s track record in the marketplace I suspect they will be able to execute on a strategy of reengaging the developer community. Anil did confirm something that I had long suspected.

Truth be told, we did have a lot on our plates while launching the hosted services. (You can see something similar with WordPress’ release schedule slowing down — it’s been a year + between releases, and it’s just a .1 release.) But now we’re refocused, and MT is a huge priority. Frankly, I’m looking forward to people seeing exactly what we (and our community) are capable of.

I look forward to a re-focused Six Apart. I noticed a significant improvement in 3.34 and 3.2. With these planned improvements and the financial backing that Six Apart has, I expect to see significant growth of their install base. It’s clear that Movable Type has seen the success that the WordPress approach has had with the open source approach with the developer community and is adapting some of those same methods with a public code repository and wiki. Seeing how they interact with the developer community is the real challenge.

4 Responses to “Movable Type VS. WordPress Round 3”

  1. Matt says:

    Hey, thanks for your thoughts here. A couple of things stood out to me:
    “It appears that the WordPress team has completely outsourced this sort of bug finding to the community. […] The community should be an important source of bug finding – it should never be the primary source.”
    You seem to be making a distinction between WordPress and its community where there is none. The people that were credited in the post you quote are regular contributors and we pro-actively audit the code for any security problems. Now that WordPress is one of the most widely used publishing scripts on the web, there are security professionals examining the code line-by-line every day. You might also note that although we had a big problem because of the compromised 2.1.1 download there hasn’t yet been a single hack reported because of that bug, I believe because the community got the news out there so publicly instead of trying to cover it up, as proprietary companies often do.
    “When you treat software bugs as something to be done in 24 hour marathon coding session you just got to expect bugs to be pretty low on the list.”
    We do “bug days” periodically as a way to encourage new developers to become a part of the community by guiding them and being available, like office hours of a professor. If you look at our development activity you’ll notice that there is quite a bit happening every day of the week, not just bug days. That’s truly open development.
    “No corporation is going to adapt something like WordPress which means less paid developer work which often sustains an open source development model.”
    Many are, and if you watch my blog you’ll see some big wins and switches coming in the following weeks. All of whom are scaling just fine and are the best counter-example to your saying “if your budget is so constrained or if you aren’t planning on growing, then WordPress is fine for you.”
    “The future looks bright for MT since it’s far easier to open source a closed source product than it is to close the source and come up with a commercial product.”
    We have no plans to ever “close source” WordPress, as that would negate many of the benefits that you pointed out MT trying to replicate.
    Anyway, thanks for writing about these issues and if you have anything you’d like me to clarify further feel free to drop me an email.

  2. Perhaps I should have said “commercialize an open source” product rather than close the source but I got wrapped up in parallel construction. Most open source products never close the source on the product. I realize you guys aren’t going to close the source.
    “All of whom are scaling just fine and are the best counter-example to your saying ‘if your budget is so constrained or if you aren’t planning on growing, then WordPress is fine for you.’”
    You mean that large companies have the budget to scale WordPress? That’s not really surprising that a large media company can have the resources to make it work under a heavy load. Smaller companies tend to be more resource constrained and someone in a shared hosting environment is going to have a very different experience. With caching you can significantly improve WordPress’ performance but my post was running counter to the numerous claims (cited in the post) that hitting the DB every time is faster. It’s not.

  3. Matt says:

    Speed is about perception. Under a certain threshold (about 150 milliseconds) the difference is imperceptible. (Speed is different than scaling.)
    “You mean that large companies have the budget to scale WordPress?”
    I don’t know anyone doing “million-dollar+ proposals for services and consulting” but for a couple of hundred bucks a month you can have a platform that scales to several million pageviews a day and still remain fully dynamic, which means no waiting for posts or comments. We’ve learned a lot from running WordPress.com and have put that back into the source.

  4. “Under a certain threshold (about 150 milliseconds) the difference is imperceptible.”
    Quite true. Keep in mind that most WordPress deployments aren’t a couple of hundred dollars a month. That puts those firmly in the higher end of WordPress deployments with dedicated machines no doubt. Many WordPress deployments are in a shared hosting/shared MySQL environment where you will definitely notice a difference.