
Thread: Should WordPress implement some native security tools?

  1. #1
    Rarst

    Dealing with "I think my blog was hacked" email at 4am is not much fun. One thought that had kinda stuck is that WordPress core is not much help.

    I am not bashing WordPress security. WP fault or not either blogs are getting hacked all the time. My issue is with cleanup, which is currently huge pain. There are some excellent security plugins. Problem is no one bothers to install them until after blog gets screwed.

    I think some basic security tools would be immensely useful in core. Wouldn't it be nice to have by default:
    • login log;
    • plugin activations log;
    • core, theme and plugins integrity check (repository has code, hash it, add it to updates API);
    • force re-install for themes and plugins, core already has it;


    I know plugins can do all of this and more. But I think these things should be present without user having to bother or even know.

    Opinions?
    Rarst.net - cynical thoughts on software and web (and sometimes WP) | @Rarst | I seem to be non-GPL-compliant person. Beware my poisonous thoughts.

  2. #2
    chipbennett

    Quote: Originally posted by Rarst
    Dealing with "I think my blog was hacked" email at 4am is not much fun. One thought that had kinda stuck is that WordPress core is not much help.

    I am not bashing WordPress security. WP fault or not either blogs are getting hacked all the time. My issue is with cleanup, which is currently huge pain. There are some excellent security plugins. Problem is no one bothers to install them until after blog gets screwed.

    I think some basic security tools would be immensely useful in core. Wouldn't it be nice to have by default:
    • login log;
    • plugin activations log;
    • core, theme and plugins integrity check (repository has code, hash it, add it to updates API);
    • force re-install for themes and plugins, core already has it;


    I know plugins can do all of this and more. But I think these things should be present without user having to bother or even know.

    Opinions?
    Other things to consider logging/alerting:

    • Any changes to WP core files
    • Any direct-access (i.e. phpMyAdmin, etc.) changes to the database
    • Any direct-access (i.e. FTP) changes to plugin/theme files (with perhaps option to filter out user's IP address)
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins

  3. #3
    Otto

    You know, I think this is simply down to having a good host that knows what they're doing.

    I may not like GoDaddy hosting for various reasons, but I've run many WP sites on them and not one of them has ever been "hacked".

    (Obviously if you get a virus and your FTP credentials stolen, then that's a problem that no host can solve.)

  4. #4
    Rarst

    Other things to consider logging/alerting:
    Any changes to WP core files
    Any direct-access (i.e. phpMyAdmin, etc.) changes to the database
    Any direct-access (i.e. FTP) changes to plugin/theme files (with perhaps option to filter out user's IP address)
    Changing core and other files falls under integrity check. If hash is different from what repository says then something was edited.

    Database access is not something WordPress would be able to monitor technically.

    You know, I think this is simply down to having a good host that knows what they're doing.
    WordPress can't force everyone to good host. WordPress can include some native security options. Yes, I would much prefer former, but I would gladly take latter.
    Rarst.net - cynical thoughts on software and web (and sometimes WP) | @Rarst | I seem to be non-GPL-compliant person. Beware my poisonous thoughts.

  5. #5
    chipbennett

    Quote: Originally posted by Rarst
    Changing core and other files falls under integrity check. If hash is different from what repository says then something was edited.
    But that might not always be accurate. For instance, for a LONG time, I maintained a custom, hacked copy of quicktags.js, with some custom quicktags I had added. Every time I updated WordPress, I over-wrote the core copy of quicktags.js with my own. At that point, my core install would fail such a rudimentary integrity check.

    Far better, IMHO, for the site to monitor itself, and alert if core files change unexpectedly (e.g. outside of the normal update function).

    Database access is not something WordPress would be able to monitor technically.
    Well, it can't monitor access, per se - but it could monitor changes to the database. (Perhaps through a hash mechanism like you mention above - update the hash whenever WP is modified through wp-admin (posts, options, etc.), and alert if the hash changes unexpectedly.)

    WordPress can't force everyone to good host. WordPress can include some native security options. Yes, I would much prefer former, but I would gladly take latter.
    And notification - where applicable - regarding the unsafe host environment (file permissions, "nobody" group rights, etc.) would be helpful.
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins

  6. #6
    Ipstenu

    *ponder* Does ANY web-app have that level of security? Not to pish-posh the matter, but seeing as how most of the hacks are done by actual server security, I don't know if this is a WordPress issue. My server (VPS) does that for core/system files. It also alerts me when I have files changed:

    The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:
    Now... Should THAT be WordPress, your server or something else is a really interesting question. I'd lean towards this is something your server should be able to tell you. "Hey, this IP logged in to your PHPmyAdmin setup as this ID on this date at this time."

    On the other hand, for those of us who go in and mess around a lot, it would get annoying. Too much white noise to signal, you know.

    I think that, were it WordPress, it would both increase the overhead of the app (though maybe not too much) and increase the technical ability to people using it. Now, that may not be a bad thing, but it would raise the bar for newbies.

  7. #7
    Rarst

    But that might not always be accurate. For instance, for a LONG time, I maintained a custom, hacked copy of quicktags.js, with some custom quicktags I had added. Every time I updated WordPress, I over-wrote the core copy of quicktags.js with my own. At that point, my core install would fail such a rudimentary integrity check.
    WordPress strongly discourages messing with core files. There are many ways from Plugin API to pluggable functions to make modifications without touching core.

    Problem with constant monitoring and notification - it drives you crazy. I ran plugin that checked all file system for changes. Even if it supported exclusions there still were constant plugin updates here and there, theme edits I did myself...

    I don't really want loud pro-active security system in core. I want a way to quickly check files for authenticity and if needed nuke and re-install everything in few clicks.

    I think that, were it WordPress, it would both increase the overhead of the app (though maybe not too much) and increase the technical ability to people using it. Now, that may not be a bad thing, but it would raise the bar for newbies.
    As above - I don't want anything complex that you have to mess with. Just some simple logging and on-demand checks that are there when you need them.

    People hardly use every single WordPress feature. But features are still there for those who do need them.
    Rarst.net - cynical thoughts on software and web (and sometimes WP) | @Rarst | I seem to be non-GPL-compliant person. Beware my poisonous thoughts.
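
An on-demand check of the kind asked for in posts #1 and #7, with the hash-pinned exception that the customised quicktags.js from post #5 would need, as an added example that is not part of the thread and is not WordPress code. The manifest, directory layout and file contents are constructed; a real manifest would have to be published by the project's repository.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_integrity(root, manifest, accepted=None):
    """Compare files under root with manifest {relative path: sha256}.
    accepted pins a signed-off local edit to its hash, not to its path, so a
    further change to the same file is reported again."""
    accepted, root = accepted or {}, Path(root)
    on_disk = {p.relative_to(root).as_posix(): p
               for p in root.rglob("*") if p.is_file()}
    report = {"modified": [], "missing": [], "accepted": []}
    for rel, expected in sorted(manifest.items()):
        path = on_disk.pop(rel, None)
        if path is None:
            report["missing"].append(rel)
            continue
        actual = sha256_file(path)
        if actual != expected:
            key = "accepted" if accepted.get(rel) == actual else "modified"
            report[key].append(rel)
    report["unexpected"] = sorted(on_disk)  # files the manifest never shipped
    return report

def demo():
    """Run the check over a constructed tree (hypothetical paths and contents)."""
    shipped = {"login.php": b"<?php /* login */", "admin/index.php": b"<?php /* admin */",
               "js/quicktags.js": b"/* stock quicktags */"}
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in shipped.items()}
    custom = b"/* stock quicktags + my own tags */"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in shipped.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        (root / "js/quicktags.js").write_bytes(custom)            # known local edit
        (root / "login.php").write_bytes(b"<?php /* changed */")  # unexplained edit
        (root / "admin/index.php").unlink()                       # deleted file
        (root / "js/extra.php").write_bytes(b"<?php")             # file nobody shipped
        accepted = {"js/quicktags.js": hashlib.sha256(custom).hexdigest()}
        return check_integrity(root, manifest, accepted)
```

Calling `demo()` returns the report for the constructed tree; anything under `modified`, `missing` or `unexpected` is a candidate for the forced re-install the first post asks for.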

  8. #8
    chipbennett

    Quote: Originally posted by Ipstenu
    *ponder* Does ANY web-app have that level of security? Not to pish-posh the matter, but seeing as how most of the hacks are done by actual server security, I don't know if this is a WordPress issue. My server (VPS) does that for core/system files. It also alerts me when I have files changed:



    Now... Should THAT be WordPress, your server or something else is a really interesting question. I'd lean towards this is something your server should be able to tell you. "Hey, this IP logged in to your PHPmyAdmin setup as this ID on this date at this time."

    On the other hand, for those of us who go in and mess around a lot, it would get annoying. Too much white noise to signal, you know.

    I think that, were it WordPress, it would both increase the overhead of the app (though maybe not too much) and increase the technical ability to people using it. Now, that may not be a bad thing, but it would raise the bar for newbies.
    There is at least one plugin (WordPress File Monitor) that takes care of part of this security monitoring. It alerts via email (and admin page) regarding changed files, based on file timestamp or hash.
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins

  9. #9
    Ryan

    • core, theme and plugins integrity check (repository has code, hash it, add it to updates API);
    • force re-install for themes and plugins, core already has it;
    I don't think either of those are likely to go into core unless the business model for VaultPress (http://vaultpress.com/) turns out to be a flop.

    I don't think the following are available with VaultPress, but I assume they could be added.
    • login log;
    • plugin activations log;

  10. #10
    chipbennett

    Quote: Originally posted by Ryan
    I don't think either of those are likely to go into core unless the business model for VaultPress (http://vaultpress.com/) turns out to be a flop.

    I don't think the following are available with VaultPress, but I assume they could be added.
    Decisions for core should absolutely NOT be made based on VaultPress. VaultPress is a commercial product targeted at commercial WordPress users.

    Also, VaultPress is an Automattic product, NOT a WordPress.org product.

    (And, as we're told incessantly, the line between those two entities is always bright, perfectly clear, and never crossed.)
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins
