

[LUG] WordPress security (was: website)


On Sun, Dec 30, 2012 at 5:00 PM, Simon Avery wrote:
> How many were caused by poor passwords, zero core security or bad plugins?

Poor passwords aren't a significant problem. That is, I'm sure many
people use poor passwords for WordPress, but unless you use something
plain stupid as '123456', that's unlikely to lead to account
compromises.

Most compromises are caused by vulnerabilities in the WordPress core
and in plugins. Though arguably the real cause is people being either
unwilling or unable to update their installation. (Inability could be
caused by a plugin not being compatible with the latest security
update; hence Gordon's suggestion to only use well-maintained plugins
is a very good one.)

Especially because WordPress is so popular, vulnerabilities are very
actively hunted for. That's not going to stop any time soon. But I
think it's a poor reason to avoid WordPress.

And:

> so what if it does get compromised?

is a very good point.

I'm not saying you shouldn't worry about compromises. But you should
worry about them anyway, regardless of what CMS you use (even if that
'CMS' is sftp). It's all about mitigation.

Updating whenever new updates are available is one important thing to
do, backing up regularly another. Depending on how you're going to use
the site, you may be able to add some more security by locking down
your installation a bit (for instance by not making directories
writable for the web server; the downside of this is that you won't be
able to upload files from the web interface). Security-by-obscurity
(e.g. putting the admin files in a directory not called /wp-admin) may
help a bit as well.

And ultimately, if your site isn't critical to your organisation
(which the LUG's site isn't), you should be willing to take it all
down and replace it with a single "sorry, we're fixing things" page.
(There are commercial WordPress installations available that take care
of most of the security; I've never used them, but they seem to do a
good job. I feel obliged to mention them here, as they may be more
suitable for business-critical sites.)

One important thing to keep in mind: it's not always obvious when your
site is compromised. Usually it won't affect the site itself; instead,
some new pages are added that host or redirect to bad stuff.
Even if it does affect the site itself, it may be only for those
visitors who visit your website via Google.

Martijn.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
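An added example, not part of Martijn's post or of WordPress itself, for the two points above (locking the tree down so the web server can't write to it, and compromises that only show up as dropped files): a POSIX shell audit of a WordPress directory. The directory path and the web-server user name are assumed arguments; `www-data` is a placeholder default.

```shell
#!/bin/sh
# Audit a WordPress tree for what the web server could write to and for
# PHP that should not be there. Arguments (hypothetical): root dir, web user.

# Files and directories writable by group or others. In a locked-down layout
# everything is read-only for the web server except what you deliberately open.
wp_writable() {
    root=${1:-.}
    find "$root" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print | sort
}

# Files owned by the web server user (anything it owns, it can rewrite).
# Skipped silently when that user does not exist on this host.
wp_owned_by_web() {
    root=${1:-.}
    web_user=${2:-www-data}
    if id -u "$web_user" >/dev/null 2>&1; then
        find "$root" -user "$web_user" -print | sort
    fi
}

# PHP inside wp-content/uploads is a classic sign of a dropped script or
# injected spam page: the uploads directory should only hold media.
wp_php_in_uploads() {
    root=${1:-.}
    find "$root/wp-content/uploads" -type f -name '*.php' -print 2>/dev/null | sort
}

# PHP files changed in the last N days (default 7); compare against the date
# of your own last update to spot changes you did not make.
wp_recent_php() {
    root=${1:-.}
    days=${2:-7}
    find "$root" -type f -name '*.php' -mtime "-$days" -print | sort
}

# Run the ownership/permission/uploads checks; exit status = number of
# checks that produced findings (0 means clean).
wp_audit() {
    root=${1:-.}
    web_user=${2:-www-data}
    findings=0
    for check in wp_writable wp_owned_by_web wp_php_in_uploads; do
        out=$("$check" "$root" "$web_user")
        if [ -n "$out" ]; then
            echo "== $check"; echo "$out"; findings=$((findings + 1))
        fi
    done
    return "$findings"
}
```

Run it from cron and diff the output against the previous run; a new entry is worth looking at even when the site still renders normally.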