Movable Type: A History of Security

By Anil Dash

If you follow blogging news, you've undoubtedly heard a lot of concern recently about blogs on other platforms being hacked or blocked from search engines. Good news: Movable Type has a proven track record of having excellent security and an established reputation for fixing any known issues quickly. And that history of security is by design. We think there are some key things our community needs to know:

  • We believe in making Movable Type secure out of our obligation to make the web better: Insecure web software can be a vector for spreading spam, viruses, and malware.
  • Movable Type has the best security track record of any popular installable blogging software, according to the U.S. Department of Homeland Security's own reports.
  • Movable Type security updates are prominently publicized on our Movable Type homepage, and through the application itself. Our team proactively contacts Enterprise and Community Solution customers if a security issue has been raised.
  • Movable Type's security record is getting better, while other platforms are getting worse and seeing increasing numbers of reported vulnerabilities.
  • When any issues have been found with Movable Type, they've typically been discovered through our own routine security audits, and fixed without ever having been exploited in the wild.

These facts show that Movable Type has a significantly different history than other platforms. But more importantly, they show that we're attuned to the concerns of the publishers and bloggers who rely on Movable Type to build their businesses and make a living. 

We're not saying our track record is perfect. But take a minute and review our last security update in January. We listed our history of issues ("It has been 116 days since the last recommended update to MT4 and 273 days since the last recommended update to MT3.") and we mentioned whether applying the security fix would affect templates, plugins or performance. (No, no and no.) There are dozens of reasons to upgrade to MT4, from unique reporting and management features to powerful community capabilities. But above all, you shouldn't have to worry that sharing your ideas with the world or wanting to publish for a passionate community means putting your site, and your reputation, at risk.

The Bottom Line

While we're proud of our work, and especially proud of our community's focus on security, you don't have to take our word for it: Look at the data provided by a neutral third party. In this case, it's the U.S. Department of Homeland Security's own National Vulnerability Database. We searched the vulnerability database since 2005 for Movable Type and for WordPress, and included the partial reports for this year. In the chart, a lower bar is better. The results speak for themselves:

[Chart: DHS: MT vs. WP Security]

We think it's inarguable that there's a dramatic difference in the security of these platforms. And, as we've demonstrated for nearly seven years, we're working every day to maintain Movable Type's excellent record of security.