
post #1 (permalink)
Old 09-06-2009, 08:09 AM
Here For The Peanuts
 
About
Join Date: Jan 2009
Posts: 195
WordPress Security is About More than WordPress

Something I've wanted to get off my chest for ages is that having a secure WordPress site isn't just about running the latest version. In fact, the glib assertion that the latest WordPress is secure is so utterly false, it scares me.

If you think about it, almost every version of WordPress (and there are a lot of them) in the past has had a security hole. And that means that on that trend every future version will too.

So you need to run your server in a secure way. Have secure habits, and do some extra work to harden your site.

I've written up more than is healthy to post in a forum over at http://www.interconnectit.com/679/a-...curity-primer/ but really, the point is that you mustn't, ever, assume that you're secure just because your WordPress is up to date.

You're not.

Just like I worked out how to make my house more secure should a burglar get past my front door by fitting an alarm system, so you need to find ways to secure your WP site beyond WordPress itself.
  post #2 (permalink)  
Old 09-06-2009, 09:29 AM
Ryan's Avatar
WPTavern Forum Moderator
 
About
Join Date: Jan 2009
Location: New Zealand
Posts: 1,773

I'm guessing you just read Matt M's latest post ... http://wordpress.org/development/200...dpress-secure/
  post #3 (permalink)  
Old 09-06-2009, 10:10 AM
JohnM's Avatar
Big Tipper
 
About
Join Date: Feb 2009
Location: Norway
Posts: 314

I believe security is the biggest threat for anyone making money making WP sites for customers.

One day someone will make a really stealthy worm compromising zillions of WordPress installs, damaging the WP consultant market.

I'd like to see a canonical security plugin maintained with commitment from Automattic's devs. A plugin which does whatever is possible to check security, and recommends changes and the installation of other security plugins.

If there's a critical mass of exploitable WordPress installs around, there will be a growing community hacking WP, with blackhat economic motivation driving exploit development.

WP security is more important than features at this point, and I'd like to see security enhancements in 2.9, even if that means 2.9 will have to wait a bit.

John Myrstad
  post #4 (permalink)  
Old 09-06-2009, 11:04 AM
andrea_r's Avatar
WPTavern Forum Moderator
 
About
Join Date: Jan 2009
Location: Eastern Canada
Posts: 905

I thought your post was quite excellent, myself. Although I do feel the need to add that it's still not entirely up to WP. The same could be said about Windows (actually, worse could probably be said), or maybe it's the huge downside to open source.

If the hackers can see how they may potentially get in, then yes, they will try. The platform doesn't really matter. Well - the more popular a platform is, the more they'll try...

Anyway - your post says a lot I wish more people would pay attention to. It's not just WP. I tell clients many of those things over and over again.

"but I only want to have to remember one password. Isn't it your job to make sure everything is secure?"

*headdesk*
  post #5 (permalink)  
Old 09-06-2009, 12:57 PM
Rarst's Avatar
Tavern Regular
 
About
Join Date: Jul 2009
Posts: 201

Excellent post, I'll be going through the list properly later. I have a lot of such lists to go through after getting hacked recently. :)

I had also posted about that hack in the relevant thread at the official WP forum and read a few more threads. It was very unpleasant to see the constant remarks there that if you got hacked it's your fault for getting a virus/trojan/losing your password/etc.

Running the latest WP version is necessary to be secure, but as practice showed me, it has little to do with actually being secure.

Rarst.net - cynical thoughts on software and web (and sometimes WP) | @Rarst
  post #6 (permalink)  
Old 09-06-2009, 02:39 PM
Jeffro's Avatar
WPTavern Forum Admin
 
About
Join Date: Jan 2009
Location: Ohio
Posts: 1,702

Boy, after reading all the responses to the attacks these past few days, my blood pressure has skyrocketed by the lack of common sense people seem to have.

For starters, Dave makes a good point in that it's not just about WordPress, but about everything that is involved to make WordPress tick. PHP, MySQL, etc. However, one of the easiest things that people can do to help keep their site secure is to keep current on the latest versions of the software. If people can't even do that much, then I have no hope for them.

Call me lucky or whatever but I've been using WordPress since 2007 around the 2.3 days. I don't use any fancy WordPress security plugins. I have removed the admin account, turned user registration off, and use a complex password to login. That is pretty much it. I haven't had any problems so far. Considering the simple security measures I have taken, why have I not been attacked? Why haven't any of my WordPress-powered sites turned into a hidden spam farm? Is my password so complex that it just hasn't been brute-forced yet? Is it my webhosting account that's pretty good?

I see all these people recommending WP Anti Virus and security scanner and this, that and the other but I don't feel the need to use a single one of those. What is going on here?
  post #7 (permalink)  
Old 09-06-2009, 02:52 PM
Here For The Peanuts
 
About
Join Date: Jan 2009
Posts: 195

Well, it's a bit like how I generally don't run anti-virus on my PCs and yet, after all these years, have remained infection free.

No obscure OS, no obscure set up - just an awareness of what is and is not dangerous. I used to have a honeytrap folder on my old laptop. If it changed, something was trying to get in, as a rule. Hooking into many Wi-Fi spots and networks was the riskiest behaviour and, sure enough, you could get infected on some networks (Hong Kong airport four years or so back, for example) within about 30s.

Same goes for WP. You can run WP 2.0 perfectly safely, and I do. And you can run 2.8.4 very dangerously.

Part is common sense - don't install plugins you can't trust, don't use the cheapest hosting you can find from an unknown company, don't use obvious passwords and so on. The other part is also down to luck, a little. We don't chance on hosts any more, but we got lucky with Namesco when we were first setting up - we just happened to find a very reliable host with good security practices. Lucky us.
  post #8 (permalink)  
Old 09-06-2009, 02:59 PM
Here For The Peanuts
 
About
Join Date: Jan 2009
Posts: 195

@Ryan - not really inspired by Matt's post, but in all the 'official' posts I was irritated by the lack of detail on the vectors used. It wasn't made clear what one could do to protect, if at all, an older site. Being told to upgrade wasn't helpful for everyone, and was also repeating the mantra that a new install of WP is always secure. I call BS, basically :-)

@JohnM - I'm not sure that it's feasible for Automattic to get that involved. Obviously they're careful about what goes on WordPress.com, but WordPress.org is an open playground. You get involved with self-hosted WP and you need to know what you're doing. Hosts can help too, by setting things up in a secure way - but that will make installation and configuration of WP trickier for some.

@Andrea_r damn right, and yes - some users think that for low fees we'll also provide all support and security. Akin to getting cross with your mechanic because your car got stolen - which, actually, I suspect happens to garages quite often!

@Rarst - I think you're learning the painful way. We had one site hacked, which helped teach us a few lessons - it's often difficult to explain the problem to clients, although generally we find our clients to be understanding when things go wrong.
  post #9 (permalink)  
Old 09-06-2009, 03:53 PM
JohnM's Avatar
Big Tipper
 
About
Join Date: Feb 2009
Location: Norway
Posts: 314

Quote:
I'm not sure that it's feasible for Automattic to get that involved. Obviously they're careful about what goes on WordPress.com, but WordPress.org is an open playground. You get involved with self-hosted WP and you need to know what you're doing
Let's say Matt, then. If you make an easy-to-setup CMS with a famous 5-minute install and have 100.000 or more users installing and running it without having a clue about servers or security, then you also have some responsibility towards these 100.000+ users.

If not, WordPress's success will be individual users' failure.

If I understand Matt's "philosophy" correctly, WordPress is more than a CMS tool, it's a free communication tool for the masses. Freedom to speak, freedom to blog. An altruistic project.

If this leads to a lot of people being exploited, there's a responsibility to address this problem.

BTW, I'm sure there's a commercial opportunity for someone too in bringing more security to WP installs. It would fit in nicely with Akismet and other Automattic products.

John Myrstad
Old 09-06-2009, 05:03 PM
Here For The Peanuts
 
About
Join Date: May 2009
Location: Toronto, Canada
Posts: 103

You know, I was going to do this thread but went to sleep.

You know what I say to the people who have WP 2.0-2.3? YOU GOT WHAT YOU DESERVE.

Here are some rules I go by:
  1. I keep my WP installations up to date - Isn't that what an administrator/webmaster/CTO does?
  2. I do not use 0.x plugins
  3. I do not use plugins that have not been updated in a year or more
  4. If it was last updated within a few months, depending on version issues with WP, I might use it
  5. I delete the admin accounts
  6. In sites with forums, I make sure accounts don't have PASSWORD as the password (I can't believe so many people use that)
  7. BACK UP BACK UP BACK UP
There is more but I don't have the chart right now.
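A worked example added here (not code from any poster, nor from WordPress itself) for the admin-account and password points made in Jeffro's post and in the rules list above: it reimplements the portable phpass hash format that WordPress stores in wp_users.user_pass and audits a constructed set of rows for a leftover 'admin' login and for passwords equal to 'PASSWORD' or to the login name. Assumptions: rows are (user_login, user_pass) tuples, the stored hashes use phpass's portable "$P$" scheme, and the sample rows are constructed, not real users.

```python
import hashlib

# phpass alphabet; WordPress stores "$P$B" + 8-char salt + 22 chars of this encoding.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(raw: bytes) -> str:
    """phpass's own base64 variant (not RFC 4648): 6-bit groups, little-endian."""
    out, i, n = "", 0, len(raw)
    while i < n:
        value = raw[i]; i += 1
        out += ITOA64[value & 0x3F]
        if i < n: value |= raw[i] << 8
        out += ITOA64[(value >> 6) & 0x3F]
        if i >= n: break
        i += 1
        if i < n: value |= raw[i] << 16
        out += ITOA64[(value >> 12) & 0x3F]
        if i >= n: break
        i += 1
        out += ITOA64[(value >> 18) & 0x3F]
    return out

def phpass_hash(password: str, setting: str) -> str:
    """Recompute a portable phpass hash; equals the stored value iff the password matches."""
    if setting[:3] not in ("$P$", "$H$") or not 7 <= ITOA64.index(setting[3]) <= 30:
        raise ValueError("not a WordPress-style portable phpass hash")
    pw = password.encode()
    digest = hashlib.md5(setting[4:12].encode() + pw).digest()  # salt is chars 4..11
    for _ in range(1 << ITOA64.index(setting[3])):  # WordPress's 'B' means 2**13 rounds
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)

def audit_users(rows, denylist=("password",)):
    """Flag a leftover 'admin' login and passwords equal to a denylisted word or the login."""
    findings = []
    for login, stored in rows:
        if login.lower() == "admin":
            findings.append((login, "default 'admin' account still present"))
        variants = {v for c in (*denylist, login) for v in (c, c.lower(), c.upper(), c.capitalize())}
        weak = sorted(v for v in variants if phpass_hash(v, stored) == stored)
        if weak:
            findings.append((login, f"password is a guessable value: {weak[0]!r}"))
    return findings

# Constructed sample rows (not real users); hashes are generated here so the audit runs offline.
SAMPLE_ROWS = [
    ("admin", phpass_hash("PASSWORD", "$P$Babcdefgh")),
    ("editor", phpass_hash("correct horse battery staple", "$P$Bzyxwvuts")),
    ("dave2", phpass_hash("Dave2", "$P$B12345678")),
]
```

On a live site the rows would come from `SELECT user_login, user_pass FROM wp_users`; each candidate costs 8192 MD5 rounds, so keep the denylist short.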