[LINK] WordPress

Karl Auer kauer at biplane.com.au
Tue Oct 13 10:58:51 AEDT 2020


On Tue, 2020-10-13 at 10:18 +1100, David Lochrin wrote:
> I'd like to ask Linkers whether anyone has recent experience of
> WordPress, especially regarding security, and possibly privacy?
> 
> I believe it's written in PHP which has a terrible record of security
> issues over the years, possibly because it's so easy to write bad
> code.  (I taught myself PHP because it was so popular with students!)

I have a lot of experience with WordPress. It is not so terribly
insecure in itself, but it has a very large plugins ecosystem, and the
quality of plugins varies very widely. To keep it secure, you do need
to be running things like WordFence to detect and block malicious
access, use something to enforce password complexity, use MFA on logins
(or at the very least on administrator logins), preferably lock admin usage
down to particular sources and so on. These sorts of steps are not
really unique to WordPress though.

As with any site that gathers information, if you are storing anything
in the WordPress database, you need to secure it well. Don't store
things in plain text, get details off the site and into safety as soon
as you can, don't have the database on the site instances, don't store
database passwords on site instances and so on.

WordPress was never designed for the big time. It's quite tricky to run
at scale. People tend to scale vertically as far as they can before
they bite the bullet and scale horizontally. The solutions required for
horizontal scaling can themselves cause security issues if not chosen
and implemented carefully. For example, where do new instances get
their database passwords from?

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer

GPG fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
Old fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D
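The question at the end of the mail (where new instances get their database passwords from) is illustrated here by an added example that is not from this thread or from WordPress itself: the database section of wp-config.php rewritten so that credentials come from environment variables (assumed names WP_DB_*) injected at instance launch from a secrets store, with no password literal left in any file on the site instance.

```php
<?php
// Added example, not part of the original mail or of WordPress.
// Drop-in replacement for the DB_* section of wp-config.php. The values
// are read at request time from environment variables (assumed names
// WP_DB_*) that the instance's launch tooling injects from a secrets
// store, so no database password is ever written to the instance's disk.

function wp_db_setting_from_env(string $name): string {
    $value = getenv($name);
    if ($value === false || $value === '') {
        // Fail closed: no fallback to a default or hard-coded value.
        http_response_code(503);
        header('Retry-After: 30');
        exit('Database configuration is not provisioned on this instance.');
    }
    return $value;
}

// Weak form this replaces: a literal password in a file that every process
// on the instance, every backup and every file-read bug can expose.
//     define('DB_PASSWORD', 'super-secret-literal');   // do not do this

define('DB_NAME',     wp_db_setting_from_env('WP_DB_NAME'));
define('DB_USER',     wp_db_setting_from_env('WP_DB_USER'));
define('DB_PASSWORD', wp_db_setting_from_env('WP_DB_PASSWORD'));
// The host is the separate database tier, never a database on the site instance.
define('DB_HOST',     wp_db_setting_from_env('WP_DB_HOST'));

// Admin sessions only over TLS, and a check (rather than an assumption)
// that the web server user cannot rewrite this configuration file.
define('FORCE_SSL_ADMIN', true);
if (is_writable(__FILE__)) {
    error_log('wp-config.php is writable by the web server user; tighten file permissions.');
}
```

With PHP-FPM the pool must pass the variables through (`clear_env = no` or explicit `env[WP_DB_PASSWORD]` entries), otherwise the fragment fails closed on every request; the rest of the generated wp-config.php stays unchanged.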
