Absolutely. However, even though a site can and should take steps to mitigate risks, that doesn't really excuse the vendor for shipping software that doesn't even attempt to adhere to security best practices in the first place. Especially in the world of PHP software (forums in particular - vBulletin/phpBB/IPB/etc.) where it's marketed pretty much as an all-in-one solution. Easy to set up, easy to manage, easy to grow. It's the software equivalent of "just add water."
But when you're marketing solutions like that to lay audiences, the onus is on you to at least try and account for the fact that most of your customers don't really have a clue what's going on. Especially at first, their customers are placing a great deal of trust in the software and the notion that the people behind it know what they're doing. What's a shame is that, if you've ever had the misfortune to dig into the source code for pretty much all of the PHP options out there, they really don't know what they're doing.
To call it a mess would be an understatement of epic proportions.