Page 2 of 4 (results 11 to 20 of 33)

Thread: WordPress Security is About More than WordPress

  1. #11
    andrea_r (WordPress Rockstar), Eastern Canada, joined Jan 2009, 1,325 posts

    To be fair and balanced, yes, they could address security a little more. But how far do they have to go, really? If you make it idiot proof, the world just provides a better idiot.

    To put it a wee bit clearer, I once had a client who was managing blogs for their clients. They wanted the visual editor to work better. Don't we all, but that's not the point ;P The point was, they told me "Our users shouldn't have to know any HTML to post to their blogs."

    Which, I think, is ridiculous. You're on the INTERNET. At some point you have to learn HTML, even if it's only how to do a manual link or a manual image code (in this case, that's all it was - one of those things).

    So while the producers of the software have a responsibility up to a certain point, Dave's point still stands - the users themselves have a responsibility too.

    I got hacked once, and it was the one thing I harp on - same password for a few things. They didn't get into my WP install, but they were able to read my config file and get into my db. That's not WordPress's fault, that's entirely mine.

  2. #12
    JohnM (Big Tipper), Norway, joined Feb 2009, 346 posts

    User's responsibility: To secure the individual blog from being hacked.
    Matt/WP responsibility: To secure WP from being targeted as the blackhat hackers' honeypot of choice.
    John Myrstad

  3. #13
    davecoveney (Tavern Regular), joined Jan 2009, 211 posts

    I think that to help keep WP out of the honeypot list there has to be a move towards supporting legacy versions for a given period. At the moment it's very much the case that the only versions supported in any way are the current ones.

    Now, think about how this looks to a client who's just invested in a large scale, sophisticated theme. It's gone live early in 2010 on 2.8.6. Two months later, 2.9 is released and... then a hole is discovered that affects 2.8.6. It won't be fixed, simple as that. Try explaining to a client that their two month old site needs some major work to be done to work on 2.9 and that there may also need to be a spot of downtime. Oh, and this can't be scheduled - needs to be done NOW!

    We've patched 2.7 installs to clear up the vulnerabilities, but I feel that there should be some way of centrally maintaining legacy WP. Alternatively, somebody else may do this. It's occurred to me that someone could possibly make money here by offering patched, older versions of WordPress.

    With most systems you don't have to have the latest version of the latest version.... you can stay secure with XP, you can stay secure with Hardy Heron. When Karmic Koala or Windows 7 come out, you won't be forced to upgrade in order to not be hacked.

    Imagine if Microsoft techies said to XP users "HAH! You got hacked! Serves you right for not upgrading to Vista, dumbnut."

  4. #14
    JohnM (Big Tipper), Norway, joined Feb 2009, 346 posts

    If you look at the showcased WP sites, many of them run older versions. Even large companies with high-profile sites have problems keeping up to date with releases. I'm sure they've got tight servers and custom patches, with Verio running 2.7 and Vancouver Convention Center running 2.7.1.

    The real competence in WP security is found within Automattic, running 1000 servers, and the responsibility to share this competence in a user-friendly way is shared between Matt (the lead developer and King of everything), Automattic, the leading open source devs, and the WP.org "staff" (I'm never sure if they are considered Automattics or not).

    With the new handbooks in development, there should also be a new security handbook, and an accompanying canonical plugin, with a nag to ask for activation upon installation. The installation is not finished after the famous 5 minute install; there's also an hour in setting up security, and I believe the only way to make the masses do this is by incorporating a core distributed canonical plugin you have to opt out of if you don't want to secure your installation.

    Quote Originally Posted by davecoveney View Post
    It's occurred to me that someone could possibly make money here by offering patched, older versions of WordPress.
    I'm sure there is a big market for WP security. Offering patches for money instead of releasing openly wouldn't be good spirit though, and since these patches are GPL, there will be large scale and quick redistribution of patches, so probably not the best business.

    A commercial security plugin, with an online scanner, and access to documentation and paid services together with recommended safe hosting could be a business model.

    It probably wouldn't make it any safer than following openly published recommendations, but it would be a time saver and it will make you and clients feel safer, and I think people would pay for that feeling.
    John Myrstad

  5. #15
    Ryan (WordPress Legend), New Zealand, joined Jan 2009, 2,797 posts

    I can't see how supporting old versions serves any purpose whatsoever. If people aren't upgrading, then adding new versions for each point release isn't going to help anything.

    99.99% of people who won't upgrade are either stupid, ignorant or have a very peculiar blog setup which can't upgrade easily.

  6. #16
    davecoveney (Tavern Regular), joined Jan 2009, 211 posts

    But Ryan - what's peculiar isn't all that rare.

    Why not have a secure 2.7? What's the problem with that? It can be done, so it can be.

    Now, John suggests that it would be in bad spirit to charge for security-updated versions of older WordPress versions, but they would still be GPL. They'd have to be.

    My worry, however, is whether it would make for a viable business. And then there's all the bitching if you didn't offer free downloads. But that doesn't make for a viable business - I can confirm that with Spectacu.la where we decided to go entirely free to download. In fact, the biggest motivator for people to join is the rebrandable, higher quality user guide.

  7. #17
    JohnM (Big Tipper), Norway, joined Feb 2009, 346 posts

    2.6.5: http://www.wordpresssecured.com/wpsecurity/

    If someone is able to put together a suite of products and services that makes customers feel safe and sleep well at night, it might have some nice ROI as a business project.

    10.000 customers x 1$ monthly fee = serious business.

    or

    1000 customers x 10$ monthly fee = serious business.

    Throw in some restoration consulting and a nice rebate with money-back guarantee for members if they get hacked after all, and customers will feel it's a good deal even if they get unlucky, and the business brand may keep its brand equity even if x customers get hacked.

    A non-hacked customer is happy because he feels safe and isn't hacked.
    A hacked customer knows where to turn for quick help and gets a rebate if he needs to buy consulting.
    John Myrstad

  8. #18
    Jeffro (WPTavern Forum Admin), Ohio, joined Jan 2009, 2,358 posts

    I was reminded of this thread when I saw Xconomy putting the call out for a PHP, WordPress, Linux, Apache Guru.

    http://www.xconomy.com/national/2009...s-with-pagers/

  9. #19
    davecoveney (Tavern Regular), joined Jan 2009, 211 posts

    Heh - yeah...

    But that's just too many skills. We know a bit about Linux and Apache, but really we stick with PHP and WordPress. We have other people who know the rest.

    I think sometimes people expect a little too much of developers. You find a point and you can learn everything on both sides, plus a bit from things two points away. Essentially, by the time you get to Linux you're three steps away from WordPress and can't be expected to have deep skills there.

    One of the things I see too much in the web business is people spreading themselves too thinly.

    PS. Thanks for the Weblogtools mention and quote. Feel famous now :-)

  10. #20
    Otto (On The Rocks), Memphis, TN, joined Apr 2009, 862 posts

    Quote Originally Posted by davecoveney View Post
    Now, think about how this looks to a client who's just invested in a large scale, sophisticated theme. It's gone live early in 2010 on 2.8.6. Two months later, 2.9 is released and...

    ... and that's when the client discovers that they got ripped off. All web sites need maintenance.

    Allow me to repeat that.

    ALL web sites NEED maintenance.

    This is not an option. If you have a client and they say "build me a website" and you don't instantly say "where's your support structure for this website?", then you are intentionally and knowingly ripping off your client.

    There is no such thing as a website that will not need somebody *constantly* caring for it. A website is interactive, dynamic, changing. No piece of software is static, and internet software is even less static than desktop stuff. And a website is one of the most constantly changing pieces, because it's continuously interacting with customers, changing with new content, adjusting in response to feedback. It's public facing, it's open to the world, and it's a continuous security target.

    You cannot develop a website and then say "it's done", because no website is ever "done". This is a myth at best, and an outright lie at worst.

    And if you don't explain this to your client, then you are misleading them.

    (Note, I'm speaking of modern websites here, not the absolute simplest of cases, a static site that merely provides information and offers nothing in the way of interactivity. Which may be fine for some clients, I know many restaurant sites that have nothing more than a few pretty pages and their menu and directions/phone number, etc. These are essentially just static sites, not "modern" ones like we're discussing here.)
