User: Password:
Subscribe / Log in / New account

Attacks against WordPress installations

Attacks against WordPress installations

Posted Sep 11, 2009 12:17 UTC (Fri) by job (guest, #670)
Parent article: Attacks against WordPress installations

Also, Wordpress could help the situation by not being in a constant state of suck.

Wordpress, Drupal and Joomla should be the poster boys of the free software revolution. They do real work for real people and they do it better than software for tens of thousands of dollars does. So why do they have to so dreadfully riddled with security problems?

Part of the problem is PHP. I've had the misfortune of using the common web mail frontends in the language and they've all had critical holes in them as well. So why do so few other languages, with the exception of Perl which has some excellent blogging and mailing software, reach the critical mass of developers?

Is the situation beyond repair? Will it plague the web forever?

(Log in to post comments)

Attacks against WordPress installations

Posted Sep 14, 2009 8:28 UTC (Mon) by yodermk (subscriber, #3803) [Link]

Agree completely. PHP can be made somewhat secure (by disabling stuff like register_globals and allow_url_fopen, and making sure that no directories are writable by Apache) but other languages seem much more secure.

Java (with Tomcat, Glassfish, etc) does seem to be gaining. That should help a lot.

Same with Python, with Django & such. And of course Rails.

I work in a managed web server environment, and I see PHP cracks all the time. I don't recall personally seeing any of the alternatives cracked.

Another idea that I think makes tons of sense for this kind of thing is privilege separation at the database level. Why does the application's DB user have full rights to the database? The answer is simple -- so it can integrate the admin interface and upgrade features, etc. But that is stupid. IMHO the user-facing Apache's DB user should have as few privileges as possible. Admin should be done another way, with a dedicated DB user for that, maybe connecting from a desktop application at the client's end (with appropriate firewalls in place to be sure no one else can attempt to connect). Maybe less convenient but MUCH more secure.

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds