I've included a copy of my comments, here, for posterity :

It is worth mentioning, I think, that many (most) third-party weblog setups are often fuct from the start.

Not because there is anything inherently wrong with the software. Rather, the nature of multi-user environments, the nature of many of the protocols used to shuttle data back and forth, the inability of developers to account for every single case use (it's unreasonable, too) and the lack of specific tools on a given host all conspire to make doing this kind of thing "right" a difficult nut to crack.

[ There is also the tired old horse about making things "simple and easy" for people. For anything running on a Unix system (which is most), people need to take the bad news with the good : It will never be "simple" and will never just "do what I mean". On the other hand, it's just not that hard either. Boring, arcane and a bit confusing maybe, that's not the same thing. ]

Let's start with softwate that uses FTP to move files from one place to another: can anyone say clear-text passwords?

Not many hosts offer shell accounts (required to use a secure copy (SCP) program) and fewer still, I think, offer secure (encrypted) FTP (STFP).

Sniffing passwords out of thin air is not the easiest thing in the world, but it is possible. And, if you've got an account on a shared hosting server it's pretty easy to figure who else is using what for their weblogging needs.

Then there's software that runs as an a CGI program without a setuid wrapper : 666 is the number of the beast *and* world writeable files.

Translation: the CGI is running as the same user running the web server. Since plain old users don't have permissions the change ownership of files, their only recourse when they need to let their tool write static files is to make them writeable by anyone. No means no. Anyone means everyone.

[ It can, in fact, be worse: I've even seen software th...ed:wtf?! That Blogger suffered a break-in points out the risks of keeping lots of sensitive data in a centralized place. I don't, however, think that it demonstrates the relative merits of one weblog application over others.