A couple of months ago at WordCamp Chicago 2009, Matt Mullenweg was asked by Dan Schulz how to make WordPress more secure. What he said there has now been written up in more detail at WordPress.org in the article How to Keep WordPress Secure.
From the get-go, I had known that the primary way was to keep your WordPress version up to date. As a small web host with Host Solutions, I have seen time and time again both hacked versions of WordPress and normal installations. I found that hacked versions were more easily infiltrated by spammers, and the resources they used were much higher.
Of course, you could always adjust your .htaccess file and “harden” your WordPress installation, but having an up-to-date version means the bugs found in previous versions are patched right away. I have also found that some users who have hacked their WordPress version so badly have a hard time tweaking their WordPress to try to upgrade their version.
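As an added illustration of the .htaccess “hardening” mentioned above (this is not from the original post or from WordPress itself), here are the rules a host would typically add for an Apache-served WordPress site. It assumes Apache 2.2-style access control, that AllowOverride is enabled for the vhost, and the default WordPress directory layout; the two file locations are marked in the comments.

```apache
# Added example, not part of the original post. Assumes Apache 2.2-style
# "Order/Deny" access control (on Apache 2.4 use "Require all denied"),
# AllowOverride enabled, and a default WordPress layout.

# ---- File: .htaccess in the WordPress root ----

# wp-config.php holds DB_NAME/DB_USER/DB_PASSWORD. Normally PHP executes it
# and returns nothing, but if the PHP handler is ever misconfigured the file
# would be served as plain text. Refuse to serve it at all.
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>

# Do not let anyone read the .htaccess files that carry these rules.
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>

# No directory listings for wp-content, uploads, plugins, etc.
Options -Indexes

# ---- File: wp-content/uploads/.htaccess ----

# The uploads tree is writable by design (anyone allowed to add media).
# Refuse to serve anything that looks like a script from it, so a smuggled
# "image.php" is never handed to the PHP interpreter.
<FilesMatch "\.(php|phtml|php[0-9]|pl|py|cgi|sh)$">
    Order allow,deny
    Deny from all
</FilesMatch>
```

None of this replaces upgrading: the rules only reduce what a request can reach or execute, while a vulnerable core or plugin file that Apache still serves as PHP remains exploitable until it is patched.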
I did this myself when I started out using b2. When I went to switch over to WordPress, I had a rough time and had to rely on a fresh Fantastico install instead. Not only was my version badly altered, but I was doing more harm to my server.
Like Matt Mullenweg said:
“Upgrading is a known quantity of work, and one that the WordPress community has tried its darndest to make as easy as possible with one-click upgrades. Fixing a hacked blog, on the other hand, is quite hard. Upgrading is taking your vitamins; fixing a hack is open heart surgery. (This is true of cost, as well.)”
If you use a hacked version, carefully follow the upgrade notes to make sure you do not miss any important areas that could leave your website exposed. A lot of the upgrade notes can be found in the developer documentation section of the WordPress Codex or, more specifically, in WordPress Trac.
Is your WordPress up to date? Do you have a manual install or an automatic install like Fantastico? If you have a hacked version of WordPress, have you run into any problems?
Dan Schulz says
Hi Nile,
My question wasn’t so much how people can make WordPress more secure as what the developers were going to do to improve the Web application’s security.
The main problem I have with WordPress is the fact that there are so many files making calls to each other (Whiskey Tango Foxtrot? What’s the deal? Does EVERY file that’s seemingly more than 10 lines long need to call another file? Over?) that they’re just ASKING to be bent over the table and given the Hitler Special in the movie “Little Nicky”.
Let’s think about this for a second. ANY script you can get to execute within WordPress can instantly create its own database login separate from the mechanism/library that WordPress uses since the system declares its connection information as DEFINES. Using a secure method and not having so many files calling each other via includes and various needless function calls can eliminate this. Using PDO (PHP Data Objects) can prevent this — and should be used instead of the nonsense that’s infested the WP core like the cancer it really is.
I mean come on, there’s a REASON why WordPress won last year’s Pwnie for Mass 0wnage: http://pwnie-awards.org/2008/awards.html#mass0wnage — the underlying PHP code is so fundamentally flawed that they NEED to throw it out and start all over again from scratch. Otherwise WordPress will remain the Firefox of open source publishing systems — and I don’t mean that as a compliment.
This is a Web app that managed to beat phpBB as the most insecure Web script on the Internet — and that took a LOT of work. Don’t get me wrong. I love WordPress. I use it – a lot. Not just on my own sites but also my clients’ sites as well. But the WordPress developers need to really brush up on their security skills, throw out the current vomited train wreck of PHP code that makes up WordPress, and start over from scratch. The developers of phpBB did it, why can’t we?
(And please, don’t give me any of the “well it’s open source” nonsense — so is phpBB3. Didn’t stop them.)
Nile says
I do not even touch phpBB products… it is like asking me to design for someone using Greymatter or CuteNews. That is not happening at all. I am still not impressed, and I have seen some pretty hair-raising infiltrations from the backend side of my server.
There will be flaws in any platform out there. However, yes, WordPress is open source, and my suggestion is to keep submitting any fixes to the code to Automattic to look over. It is great that you want to see the product improved, and I always do myself. The outcome could be the next WordPress if everything is done well.
I would not mind seeing that project and would find a way to beta that baby on one of my websites (I have too many…lol)
Even if WordPress is put back on the revamp table and redone from top to bottom, you will still eventually run into security issues. I do agree that there should first be a coding revamp so that we do not run into so many security-based patches. How many have we run into in 2009 – 2 or 3 between the official version releases?
Stu says
Does anyone know what the process is to ensure that any new plugins or modules are free from vulnerabilities? Is this something that WordPress would check? You would think so, but what about plugins developed outside of WordPress?
Atikur Rahman says
WordPress Security Straight From Matt is very important.
Well, I think donation is a good idea; in that case your earnings depend on your work: if you work hard, then you earn the best…