Fear mongering journalist pointlessly blasts WordPress

wp-in-govI encountered an article today that made my blood boil. Phillip Thomson wrote about the cost of three websites for the Australian Minister of Foreign Affairs for the Sydney Morning Herald.

The article blasts Julie Bishop and her department for spending $113,000 on upgrades and maintenance for three websites. I have no opinion on Australian politics, this politician, or the value of these three websites. I am an American.

However, I do have an opinion about the complete failure to do due-diligence by this author, the ridiculous fear-mongering attitude displayed toward open source technology, as well as the moronic quotes by the “security expert” in the article.

Three websites for Foreign Minister Julie Bishop’s foreign affairs portfolio have cost taxpayers $113,130, according to answers to questions on notice at Senate budget estimates.

Let’s use bits of the article to understand more about the $113,00 expenditure.

The costs include more than $68,000 for “website testing”, $19,000 for training, $15,000 for “website release management” and $10,000 for “website deployment”.

“I assume [website deployment] means pushing the button to put it up,” said Labor Senator Joseph Ludwig, who was asking top bureaucrats about the costs in the hearing on Wednesday morning.

I’m sure Senator Joseph Ludwig is an expert about website deployment.

As an aside, I’d like to point out to Mr. Ludwig and Mr. Thomson that $113,000 is not an extreme amount of money for maintenance and upgrades for three government websites. If you research a variety of governments’ expenditures, you’ll find that it’s probably fairly normal.

Now, onto the stupid.

Keen-eyed readers have since pointed out that Ms Bishop’s electorate website juliebishop.com.au is built on WordPress, a free online platform. Although heavily customised, it uses the 2012 theme template and many of the tools readily available to novice website designers.

Aha! Now Mr. Thomson has really nailed her. WordPress is free! What a waste of tax-payer funds!

Hilariously, Ms. Bishop’s office corrected the author, stating that her personal website was not part of the expenses. Think about that for a second. It means that the rest of these false statements are also, in fact, completely pointless.

Mr. Thomson, allow me to teach you a few things.

  • Around 22% of the internet (yes, the whole internet) runs on WordPress.
  • It’s the CMS (that means content management system) of choice for well over half of all websites that use one.
  • WordPress is used for far more complex applications than as tools for simply “novice website designers”. Although, it is quite usable for all — even ill-informed journalists.
  • Six and seven figure projects are not uncommon for website development and maintenance. In government especially, navigating requirements, project management costs, bureaucracy, and many other non-technological factors can quickly cause a project’s cost to go up.
  • Governments around the world consider WordPress a fine tool for web applications. NASA, the United States military, Sweden, the European Commission, and many others use it. This doesn’t even include the countless cities, county, and state governments that use WordPress (typically self-hosted!). Here’s a spotlight from WordPress.com VIP about WordPress in government.

Now, let’s break your number down. If you divide $113,000 by $150 per hour (a common rate, and probably too low for most government consulting work), you get 753 hours. That’s about 15 hours per week of work on three websites throughout the year — a very typical amount of time for even normal maintenance, much less upgrades. Even if these dollars are quarterly costs, that’s only one person’s time to manage these three websites.

Not that it matters. The websites in question are not even WordPress. Yet you continue to put FUD in your article about WordPress and open source technology.

Security expert Phil Kernick of CQR Security pointed to the potted security history of WordPress and questioned the use of the popular platform for a government official’s site.

“I’d never build it on Worpress or Joomla or any of those other tools if I wanted a secure website. When you are a public figure, you have to manage your identity carefully. I can’t imagine why anyone would do that,” Mr Kernick said.

Let me put this as simply as I can, Mr. Thomson. Your security source is an idiot regarding open source technology.

As noted above, WordPress is trusted by countless public and government entities, as well as businesses. Also, it’s actively developed by hundreds of talented developers. There have been no major core WordPress security breaches in years. Even when there are minor security vulnerabilities found, they are patched and updates are released in a matter of days, or even hours. The same goes for Joomla and other popular pieces of open source software.

Furthermore, open source is almost always a cheaper and better option for website development, because proprietary systems often “lock in” clients, making it very difficult to fire a consultant. With open source, hundreds or even thousands of consultants can work on the same technology systems. These open source technologies help your government avoid abusive consulting relationships and save money.

Last week, US-based firm Sucuri identified two security vulnerabilities on a plug-in that affects all WordPress websites. In March, security blogger Brian Krebs warned other users to be vigilant in light of a bruce-force attack on WordPress, adding to security incidents in previous years.

Mr. Thomson, I hate to tell you again, but you are once again wrong. The All In One SEO plugin referenced is in fact not on all WordPress websites. It’s popular, yes, but not even close to all websites. It’s not even installed on Ms. Bishop’s website, in fact.

And to bolster your argument, you link to blog posts that warn WordPress site owners to be vigilant about security. Mr. Thomson, in what world is it not a good idea to be vigilant about security? In addition, brute force attacks on WordPress were not due to WordPress vulnerabilities, but rather the goal of attackers to hit the biggest target, and — as you’ll remember from above — WordPress is a big target.

Mr. Thomson, I have to give you credit. You managed to pull a triple whammy.

Not only did you make a non-issue an issue, rousing feathers of an uneducated audience by criticizing a department about spending a relatively normal amount of money on their websites, but you also were able to get the facts completely wrong, as well as falsely blast an ecosystem and technology that doesn’t deserve it and wasn’t even party to your critique.

Nevertheless, your ridiculous article will live on as another source of WordPress and open source being a bad idea for government use, when in fact both are a very good idea. You’ve contributed to the problem of perception that many have attempted to refute.

Oh, and allow me to recommend Jeff Waugh and Pia Waugh for your future articles regarding open source technology in Australian government.

Next time, please do your research. Your article is an embarrassment.

*Image credit, WP VIP

Similar Posts


  1. Wow. Great writeup, and baffling to think that this could even occur. Thanks for the “blast-back” to Mr. Phillip Thomson, Brian. Well-informed, and well-stated.

  2. Brian,

    I LOVE these kinds of writeups. The naïveté that comes from clients about the actual costs of website development is one thing, you can educate them; but this is just really irresponsible journalism.


    Don’t they have other things to worry about in Syndney?!


  3. Perhaps the recommendation of a good Internet security expert would be a good idea too, clearly the one used in the original article is well out of the curve. I wonder whether the journalist paid him for the information, and how much it cost his employers. Now that would be a waste of funds.

  4. Good article. You can’t take a journo seriously when they are on a tirade.

    Plus the fact his main hotpoint is ‘WordPress’ or the lesser known fork ‘worpress’ what a muppet.

    If you’re going to instill fear and raise eyebrows at least spell the offending platform correctly.

  5. I guess this is the problem when a technology becomes pervasive – it becomes a buzzword and an easy target, and leads to many so-called “experts” having an opinion on it based on half-facts and non-truths.

    Unfortunately there are many people who remember WordPress from the earlier days (when it was a blogging platform and become synonymous with link farms) and opinions are often based on these recollections mixed in with some poorly research reactionary journalism. I come across this attitude in developer circles as well from end users.

    Great deconstruction of the article though – WordPress use in government should provide reassurance of the platform, although perhaps the other issue is the general public’s belief that government is too witless when it comes to technology and related issues, expecting (hoping?) for them to screw up!

  6. Unfortunately, this looks like a hit piece in the Sunday Morning Herald. The author would have said anything that would not embarrass the newspaper or landed him in jail that pushed the political agenda of the paper.

    This obviously has nothing to do with WordPress, but it will be used as “proof” by people who wish to push “custom bespoke web solutions” using their favorite trendy programming language about how you’re not a “real programmer” if you’re using a CMS for your web app.

  7. Brilliantly put, Brian! I’m embarrassed to share a last name with this “journalist”.

    I’ll share this response as far as I can 🙂

  8. OMG! What an absolute idiot! So annoying reading nonsense like this from people who are obviously ill-informed. I’m surprised he didn’t pull out the ol’ “WordPress is just for blogs” line as well. Well done for pointing out all his inaccuracies. Good stuff Brian!

  9. BRAVO! Great article, oh and WordPress ROCKS

    If you are serious about security, here are some tips to lock-down your WordPress install:

    move wp-config.php to ROOT directory

    rename wp_ prefix on database tables

    Remove any indication of wordpress from your theme files and raw code

    utilize SSL for all administration pages

    and stay updated!



    If your data is top-secret and so important that you don’t want anyone to ever be able to access it here is what you do:

    Step 1 for securing TOP SECRET data:
    Print all your data on paper, place it in binders labeled “Top Secret” and put it in a large barrel.

    Step 2 for securing TOP SECRET data:
    Encrypt the drive that contains your top-secret data, do this at-least 5 times so you have at-least 5 levels of data encryption protecting your TOP SECRET data.

    Step 3 for securing TOP SECRET data:
    Format your hard drive atleast 10x. Make sure to do a complete format, don’t “quick format” that S#!+

    Step 4 for securing your TOP SECRET data:
    Run your hard drive through a magnetic degauss several times to permanently remove the data. Do this several times.

    Step 5 for securing your TOP SECRET data:
    Take a sledge-hammer to your hard drive and once it is smashed into tiny pieces take the pieces bury theme one at a time. Make sure they are buried atleast 100 miles apart.

    Step 6 for securing your TOP SECRET data:
    Now take that barrel of your TOP SECRET documents and burn it. Eat the ashes and then burn the poop.

    Your TOP SECRET data is now secured from prying eyes….

    (security is an illusion)

  10. Well, what you say is true and accurate. Unfortunately you say it in a way that is . . . . . . well . . . unfortunate.
    Hopefully you will come to understand that being ‘right’ in itself, is admirable, but it’s significance is diminished by a misplaced sense of self importance.

Comments are closed.