Is Wordpress becoming too much of a target

UKSBD

Moderator
    Dec 30, 2005
    Yet another Wordpress critical update yesterday resulting in a couple of hours updating numerous websites.

    Has Wordpress become too much of a hackers' target to make it usable by anyone other than webmasters?

    Will we get to a stage where hosts become stricter on allowing Wordpress installs and cancelling hosting packages on people who don't keep up to date?
     

    Cromulent

    Free Member
    Dec 8, 2008
    Yet another Wordpress critical update yesterday resulting in a couple of hours updating numerous websites.

    Has Wordpress become too much of a hackers' target to make it usable by anyone other than webmasters?

    Will we get to a stage where hosts become stricter on allowing Wordpress installs and cancelling hosting packages on people who don't keep up to date?

    Wordpress releasing lots of security updates is a good thing. I always worry when software vendors do not release regular updates. Just because one vendor does not update its software does not mean there are no security holes in it, just that there are no known security holes to the development team.

    Anyway the same argument could be made for lots of different types of software (Microsoft Windows and Microsoft Office spring immediately to mind and they have far greater market penetration than Wordpress does in their particular market segments).

    If a webhost is poor enough that a compromised install of Wordpress on one hosting account is allowed to affect the accounts of other users then one would have to question their own abilities. Of course if the hacker gains access and then exploits an unknown or unpatched exploit in other software installed globally on the server then that is another matter. This is a good argument for using VPSs really, or FreeBSD jails.
     
    I can tell you now - we are already restrictive in the hosting we offer on wordpress / Joomla / etc. and I only see that becoming more common - any package where code is opened up to allow anyone to write plugins, esp. OpenSource software, presents the vulnerabilities on a plate to hackers - they are a liability from a hosting perspective...

    Not sure that one always needs to go as far as cancelling hosting - hosting should be sufficiently virtualised to protect against most things - but some issues will bring the server down in which case the first action is to remove the site, then sort it out on a build server, then put it back.

    Those who have these sites need to be aware that they could end up with liability for bringing down a server - keeping them up to date is essential...

    The upside is that generally fixes are out fast...

    Alasdair
     

    UKSBD

    Moderator
    Dec 30, 2005
    Wordpress releasing lots of security updates is a good thing. I always worry when software vendors do not release regular updates. Just because one vendor does not update its software does not mean there are no security holes in it, just that there are no known security holes to the development team.

    Yes, that's all a good thing for webmasters and people who act on the updates, but should Wordpress only be used by this type of person now?

    Is it now too insecure to just be used by the hobby type website builder?
     

    Cromulent

    Free Member
    Dec 8, 2008
    I can tell you now - we are already restrictive in the hosting we offer on wordpress / Joomla / etc. and I only see that becoming more common - any package where code is opened up to allow anyone to write plugins, esp. OpenSource software, presents the vulnerabilities on a plate to hackers - they are a liability from a hosting perspective...

    Not really. Proprietary software offers no real increase in security other than the false sense of security you get from knowing that a 'company' is maintaining it. You just have to look at the number of known vulnerabilities in software like Microsoft Windows that Microsoft still have not patched. If it were open source you could fix it yourself (if you had the skill); instead you have to wait an indeterminate length of time for Microsoft to release a fix when it falls within their release cycle. That is if they even decide to fix the problem. Adobe are particularly bad in this regard.
     

    Cromulent

    Free Member
    Dec 8, 2008
    Yes, that's all a good thing for webmasters and people who act on the updates, but should Wordpress only be used by this type of person now?

    Is it now too insecure to just be used by the hobby type website builder?

    Assuming they got Wordpress installed correctly clicking the automatic upgrade button in the admin panel does not seem too difficult to me.
     
    Not really. Proprietary software offers no real increase in security other than the false sense of security you get from knowing that a 'company' is maintaining it. You just have to look at the number of known vulnerabilities in software like Microsoft Windows that Microsoft still have not patched. If it were open source you could fix it yourself (if you had the skill); instead you have to wait an indeterminate length of time for Microsoft to release a fix when it falls within their release cycle. That is if they even decide to fix the problem. Adobe are particularly bad in this regard.

    There is a difference between the remote proprietary author such as Microsoft and the company you pay to write you a bespoke website where you can specify the security level you want... There is an assumption by users that wordpress et al are secure because they are somehow official which combined with the ease of targeting widely used / vulnerability-known software is a more risky prospect than options where you can get your supplier to set it up properly...

    Alasdair
     

    sidera

    Free Member
    Sep 17, 2010
    Interesting discussion.
    WordPress is obviously making great efforts in making their software more secure.
    Have you watched the interview with Matt on "The Big Web Show"?

    It is however true that there are many sites out there that are not being maintained, and are outdated and have big security holes.

    How many people use the default database prefix? How many people secure their wp-config.php file? The list goes on.

    Should WordPress force the update? Maybe. I've seen government sites running on outdated versions vulnerable to the pharma hack.

    Also, hosts who encourage the Fantastico install are making it easier for hackers, by using default parameters for the user name, database tables, etc. It takes longer to secure a Fantastico install than to install manually from scratch.

    If you want to harden your WordPress security, I've written an article on my blog: http://sideradesign.com/2010/12/06/wordpress-security/
     
    any package where code is opened up to allow anyone to write plugins, esp. OpenSource software, presents the vulnerabilities on a plate to hackers - they are a liability from a hosting perspective...
    ... and a risk/liability from a website ownership perspective too.

    It isn't just Wordpress plug-ins that allow server-side code to be executed. The Wordpress architecture of having themes or layout files (yes layout which is supposed to be separate from function) that are in fact php files which can execute code on the server, is not IMO an ideal starting point for a website architecture.
     

    Cromulent

    Free Member
    Dec 8, 2008
    There is a difference between the remote proprietary author such as Microsoft and the company you pay to write you a bespoke website where you can specify the security level you want... There is an assumption by users that wordpress et al are secure because they are somehow official which combined with the ease of targeting widely used / vulnerability-known software is a more risky prospect than options where you can get your supplier to set it up properly...

    Alasdair

    True, although with custom bespoke software you usually end up paying more in the long term with maintenance contracts than you do for the initial price of the software. It is unlikely that a company will be willing to do the kind of proactive security monitoring of their software that is required to truly claim that their software is secure for free.

    Plus no matter how secure the actual web application is if you fail to keep your copy of Apache / MySQL / PHP / whatever updated then you could be leaving yourself open on that front.

    The problem with security is that very few people really understand the nature and scale of the problem. You can't just release an application and leave it, you need to constantly maintain it. If your application does not use SSL for user logins then I would consider it insecure even if you do use Javascript to hash passwords before they are sent to the server. Most web apps (that do not deal with credit cards or other currency issues) do not make use of SSL and this is a big problem IMO. Website owners and developers should start considering them mandatory for anything serious.

    Couple this with the fact that most websites make use of numerous frameworks that always have associated bugs found over time then you can clearly see that the need to constantly update the application and the environment that it runs in is paramount.
     
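An added example, not code from the thread or from WordPress itself: a host-side shell audit of one WordPress docroot covering the points raised across the discussion (core kept current, as the original question asks; the default database prefix and unprotected wp-config.php that sidera lists; and Cromulent's point about logins going over SSL, checked here via the FORCE_SSL_ADMIN constant). The docroot path and the version you treat as current are assumptions the caller supplies, and the fixture at the end is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from WordPress: audit a docroot for
# four hygiene points. Docroot and "current" version are caller assumptions.

# Core version as WordPress records it in wp-includes/version.php.
wp_core_version() {
    grep '^\$wp_version' "$1/wp-includes/version.php" | cut -d"'" -f2
}

# Table prefix set in wp-config.php ("wp_" is the installer default).
wp_table_prefix() {
    grep '^\$table_prefix' "$1/wp-config.php" | cut -d"'" -f2
}

# Octal permission bits of wp-config.php (GNU stat, then BSD stat fallback).
wp_config_mode() {
    stat -c %a "$1/wp-config.php" 2>/dev/null || stat -f %Lp "$1/wp-config.php"
}

# 0 if wp-config.php forces login/admin pages onto HTTPS, 1 otherwise.
wp_forces_ssl_admin() {
    grep -q "define( *'FORCE_SSL_ADMIN', *true *)" "$1/wp-config.php"
}

# Print one line per finding; the return code is the number of findings.
wp_audit() {
    docroot=$1; current=$2; findings=0
    ver=$(wp_core_version "$docroot")
    [ "$ver" = "$current" ] || { echo "OUTDATED core $ver, current is $current"; findings=$((findings + 1)); }
    [ "$(wp_table_prefix "$docroot")" != "wp_" ] || { echo "DEFAULT table prefix wp_"; findings=$((findings + 1)); }
    # Any group/other bits let other accounts on a shared host read the DB credentials.
    mode=$(wp_config_mode "$docroot")
    case "$mode" in
        *00) ;;
        *) echo "READABLE wp-config.php mode $mode"; findings=$((findings + 1)) ;;
    esac
    wp_forces_ssl_admin "$docroot" || { echo "PLAINTEXT logins: FORCE_SSL_ADMIN not set"; findings=$((findings + 1)); }
    return $findings
}

# Constructed fixture: a minimal fake docroot exhibiting all four problems.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes"
    echo "\$wp_version = '3.0.3';" > "$d/wp-includes/version.php"
    printf "<?php\n\$table_prefix  = 'wp_';\n" > "$d/wp-config.php"
    chmod 644 "$d/wp-config.php"
    echo "$d"
}
```

Run as `wp_audit /path/to/docroot 3.0.4` (assumed values) from a shell that has sourced the file; a non-zero return code is the count of findings, so it slots into a per-account loop on a shared host.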

    Cromulent

    Free Member
    Dec 8, 2008
    To Joe Bloggs who wants their own website then the above really isn't viable as the costs will be massive for constant updating etc.

    Maybe for banks, huge chains etc.

    This is exactly the point.

    Because Wordpress is open source you get that for free. They are pretty good on security releases, better I have to say than most proprietary firms. The fact that you can fix bugs in the software yourself if you find a critical issue is of immense importance.

    With open source software you get the advantage (when it comes to large and popular projects like Wordpress) of having essentially 100+ developers working for you for free. Companies just cannot compete with the experience and technical skill that most open source projects have at their disposal for no cost.

    The idea that security is enhanced in some way by not being able to see the source code is the age-old security through obscurity argument and it has been shown time and again that it just does not work out. Just look at what happened to Gawker Media's websites that were based on a proprietary platform earlier this month. Total chaos.
     
