Keith C. Perry on 10 Nov 2015 12:26:45 -0800



Re: [PLUG] Blogging platform


The fact that WP powers some "large sites" does not mean it should get special treatment.  WP is a security issue because PHP is a security issue, so I'm not just going to endorse it without 1) making sure WP is the right product for the task (far too many people use WP as a CMS instead of as a blogging platform, which is part of the issue) and 2) making sure someone using WP is going to be committed to keeping the system up to date as much as they want to get their content up to date.

Also, since history has been a theme these last couple of days, it's important to note that once upon a time even the PHP Group said that Wordpress was doing things that were outside of best practices and could lead to security issues.  I couldn't find the article about that, but I'll acknowledge it's been at least 5 years.  Sure, it's better now (see http://www.cvedetails.com/vendor/2337/Wordpress.html), but the reason the 3rd party plugins are an issue is because the framework itself (PHP and Wordpress) is an issue- Joomla actually has a worse CVSS score over the last 5 years.

PHP :  http://www.cvedetails.com/cvss-score-charts.php?fromform=1&vendor_id=74&product_id=&startdate=2010-01-01&enddate=2015-11-10
Wordpress : http://www.cvedetails.com/cvss-score-charts.php?fromform=1&vendor_id=2337&product_id=&startdate=2010-01-01&enddate=2015-11-10
Joomla : http://www.cvedetails.com/cvss-score-charts.php?fromform=1&vendor_id=3496&product_id=&startdate=2010-01-01&enddate=2015-11-10

With all the hyperlinking that people like to do to make sure their content gets picked up, XSS (cross site scripting) issues are more of an issue these days, but system security issues are always going to be a concern.  I simply do not have any trust in the security of these frameworks when used together.  Try getting a WP deployment locked down using POSIX ACLs; in the past that was not fun.  Maybe it's better now.

Getting back to the point of JP's post though...  What I like about the Troy Hunt article was that 2 other things, GitHub Pages and Ghost, were mentioned as alternatives to Wordpress, and that is a good thing so that people have choices.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
Owner, DAO Technologies LLC
(O) +1.215.525.4165 x2033
(M) +1.215.432.5167
www.daotechnologies.com
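As an added example (not part of the thread or of any WordPress project code), here is what "locking down a WP deployment with POSIX ACLs" looks like in practice, plus the audit a practitioner would run afterwards. Assumptions not stated in the thread: the docroot is /var/www/wp, code is deployed by a user "deploy", and the web server runs as "www-data"; the sample tree built by wp_demo is constructed for illustration and contains a deliberately bad layout (a world-writable double-extension file in uploads and a world-readable wp-config.php).

```shell
#!/usr/bin/env bash
# Added example: least-privilege layout for a WordPress docroot with POSIX ACLs,
# and an audit that needs no ACL support at all (plain find).
# Assumed names (not from the thread): /var/www/wp, user "deploy", user "www-data".
set -u

# Policy: code tree owned by deploy and read-only for the web server; the only
# tree the web server may write is wp-content/uploads (media), never executable;
# wp-config.php is readable only by deploy and the web server.
wp_lockdown() {
  local root="$1" deploy="${2:-deploy}" web="${3:-www-data}"
  [ -d "$root" ] || { echo "no such docroot: $root" >&2; return 2; }
  command -v setfacl >/dev/null 2>&1 || { echo "setfacl not available" >&2; return 2; }
  chown -R "$deploy:$deploy" "$root"
  find "$root" -type d -exec chmod 750 {} +
  find "$root" -type f -exec chmod 640 {} +
  # Web server: traverse and read everything, write nothing by default.
  setfacl -R -m "u:$web:rX" "$root"
  find "$root" -type d -exec setfacl -d -m "u:$web:rX" {} +
  # Uploads: read/write for the web server, still no execute bit on files.
  mkdir -p "$root/wp-content/uploads"
  setfacl -R -m "u:$web:rwX" "$root/wp-content/uploads"
  find "$root/wp-content/uploads" -type d -exec setfacl -d -m "u:$web:rwX" {} +
  # Secrets: owner only, then grant the web server read via ACL (order matters:
  # a chmod after setfacl would rewrite the ACL mask).
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
    setfacl -m "u:$web:r" "$root/wp-config.php"
  fi
}

# Audit: prints one line per finding. Works on any POSIX box, ACLs or not.
wp_audit() {
  local root="$1"
  # Anything world-writable under the docroot (symlinks excluded).
  find "$root" -perm -002 ! -type l 2>/dev/null | sed 's/^/world-writable: /'
  # PHP (including double extensions like .php.jpg) inside the upload tree:
  # the usual landing spot for a plugin upload bug turned web shell.
  find "$root/wp-content/uploads" -type f -name '*.php*' 2>/dev/null \
    | sed 's/^/php-in-uploads: /'
  # wp-config.php readable by "other" leaks the DB credentials and salts.
  find "$root" -maxdepth 1 -name wp-config.php -perm -004 2>/dev/null \
    | sed 's/^/world-readable: /'
}

# Number of findings, for scripting: 0 means the tree passes the audit.
wp_audit_count() {
  wp_audit "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (not a real deployment) showing the bad layout.
wp_demo() {
  local d
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads"
  printf '<?php\n' > "$d/wp-config.php"
  chmod 644 "$d/wp-config.php"                       # readable by everyone: finding
  printf '<?php eval($_POST["c"]);\n' > "$d/wp-content/uploads/shell.php.jpg"
  chmod 666 "$d/wp-content/uploads/shell.php.jpg"    # world-writable + php: 2 findings
  printf 'x' > "$d/wp-content/uploads/ok.jpg"
  chmod 644 "$d/wp-content/uploads/ok.jpg"           # fine
  echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
  demo=$(wp_demo)
  wp_audit "$demo"
  echo "findings: $(wp_audit_count "$demo")"
  rm -rf "$demo"
fi
```

Run `bash wp_acl.sh --demo` to see the three findings on the constructed tree; run `wp_lockdown /var/www/wp deploy www-data` as root on a real docroot, then `wp_audit /var/www/wp` should print nothing. The audit does not check that PHP execution is disabled in uploads (an Apache/nginx setting), so keep that rule in the web server config as well.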


From: "Doug Stewart" <zamoose@gmail.com>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Sent: Tuesday, November 10, 2015 1:42:37 PM
Subject: Re: [PLUG] Blogging platform

JP, et al:
Not to stick up for the platform that makes me my bread and butter, but 
a) Many of the WordPress security issues *are* related to third-party plugins and themes
b) Core issues tend to be handled with expediency and delicacy (see, e.g., The Trojan Emoji: https://poststatus.com/the-trojan-emoji/)
c) At > 25% of the Web, WP is obviously the biggest target out there
d) If you're interested in talking about it in person, the inaugural WordCamp US is being held here in Philly, Dec. 4-6. $40 for three days and a complimentary t-shirt (https://2015.us.wordcamp.org/tickets) I'll be there. *grin*

Is WP security perfect? Nope. Can you show me a CMS that has perfect security? Also Nope.

I'd really love to see my open source brothers and sisters in arms help out. Looking down your noses at an open source platform powering a huge swath of the web, including some *very* large sites, is counter-productive IMHO.

On Tue, Nov 10, 2015 at 1:26 PM, JP Vossen <jp@jpsdomain.org> wrote:
I seem to recall a recent question about blogging platforms, but I can't
find it, so it was probably a round-table discussion at a recent meeting.

Anyway, I just ran across this interesting article on a very interesting
blog ("Observations, musings and conjecture about the world of software
and technology" with lots on security and Windows):
http://www.troyhunt.com/2015/10/creating-blog-for-your-non-techie.html

Other neat things from that blog:
https://haveibeenpwned.com/
http://plaintextoffenders.com/
http://www.troyhunt.com/2015/09/troys-ultimate-list-of-security-links.html

Later,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug



--
-Doug


