On Tue, 2020-10-13 at 10:18 +1100, David Lochrin wrote:
> I'd like to ask Linkers whether anyone has recent experience of
> WordPress, especially regarding security, and possibly privacy?
>
> I believe it's written in PHP which has a terrible record of security
> issues over the years, possibly because it's so easy to write bad
> code. (I taught myself PHP because it was so popular with students!)
I have a lot of experience with WordPress. It is not so terribly insecure in itself, but it has a very large plugins ecosystem, and the quality of plugins varies very widely.

To keep it secure, you do need to be running things like WordFence to detect and block malicious access, use something to enforce password complexity, use MFA on logins (or at the very least on administrator logins), preferably lock admin usage down to particular sources, and so on. These sorts of steps are not really unique to WordPress though.

As with any site that gathers information, if you are storing anything in the WordPress database, you need to secure it well. Don't store things in plain text, get details off the site and into safety as soon as you can, don't have the database on the site instances, don't store database passwords on site instances, and so on.

WordPress was never designed for the big time. It's quite tricky to run at scale. People tend to scale vertically as far as they can before they bite the bullet and scale horizontally. The solutions required for horizontal scaling can themselves cause security issues if not chosen and implemented carefully. For example, where do new instances get their database passwords from?

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer ([email protected])
http://www.biplane.com.au/kauer

GPG fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
Old fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D

_______________________________________________
Link mailing list
[email protected]
http://mailman.anu.edu.au/mailman/listinfo/link
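Two of the points in the message above (keep database passwords off the site instances, and lock admin usage down to particular sources) can be shown in a wp-config.php fragment. The code below is an added example, not from the mailing-list post and not WordPress's own code. It assumes, hypothetically, that an orchestrator or secret manager injects the credentials either as environment variables (WP_DB_NAME, WP_DB_USER, WP_DB_PASSWORD, WP_DB_HOST) or as a JSON file mounted outside the document root at /run/secrets/wp-db.json, and that the allowlisted networks are the RFC 5737 documentation ranges, constructed for the example.

```php
<?php
// Added example for wp-config.php (not the post's or WordPress's own code).
// Each instance fetches its DB credentials at request time instead of
// carrying them in the file, and fails closed if a secret is missing.

function wp_secret_from_sources(string $name, string $file = '/run/secrets/wp-db.json'): string
{
    // 1. Environment variable set by the orchestrator / secret manager (assumed name).
    $value = getenv($name);
    if ($value !== false && $value !== '') {
        return $value;
    }

    // 2. Secret file mounted outside the web root (assumed path), read once per request.
    static $cache = null;
    if ($cache === null) {
        $cache = [];
        if (is_readable($file)) {
            $decoded = json_decode((string) file_get_contents($file), true);
            if (is_array($decoded)) {
                $cache = $decoded;
            }
        }
    }
    if (isset($cache[$name]) && is_string($cache[$name]) && $cache[$name] !== '') {
        return $cache[$name];
    }

    // Fail closed: never fall back to a hard-coded default credential.
    error_log("wp-config: required secret {$name} is not available");
    http_response_code(503);
    exit('Service unavailable');
}

define('DB_NAME',     wp_secret_from_sources('WP_DB_NAME'));
define('DB_USER',     wp_secret_from_sources('WP_DB_USER'));
define('DB_PASSWORD', wp_secret_from_sources('WP_DB_PASSWORD'));
define('DB_HOST',     wp_secret_from_sources('WP_DB_HOST')); // a separate DB host, not the site instance

// Remove the password from the process environment so phpinfo() or a
// debug dump of $_ENV / getenv() cannot leak it later in the request.
putenv('WP_DB_PASSWORD');

// Restrict /wp-admin and wp-login.php to trusted source networks.
// Constructed allowlist (RFC 5737 documentation ranges); replace for real use.
const WP_ADMIN_ALLOWED_CIDRS = ['203.0.113.0/24', '198.51.100.7/32'];

// True if $ip lies inside $cidr; works for IPv4 and IPv6, false on malformed input.
function wp_ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = inet_pton($ip);
    $subBin = inet_pton($subnet);
    if ($ipBin === false || $subBin === false || strlen($ipBin) !== strlen($subBin)) {
        return false;
    }
    $bits  = $bits === null ? strlen($ipBin) * 8 : (int) $bits;
    $bytes = intdiv($bits, 8);
    $rem   = $bits % 8;
    if ($bytes > 0 && substr($ipBin, 0, $bytes) !== substr($subBin, 0, $bytes)) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return ((ord($ipBin[$bytes]) ^ ord($subBin[$bytes])) & $mask) === 0;
}

// The admin surface: wp-login.php and everything under /wp-admin/, except
// admin-ajax.php, which front-end code also calls for logged-out visitors.
function wp_request_is_admin_surface(string $uri): bool
{
    $path = parse_url($uri, PHP_URL_PATH) ?? '';
    if ($path === '/wp-admin/admin-ajax.php') {
        return false;
    }
    return $path === '/wp-login.php' || $path === '/wp-admin' || str_starts_with($path, '/wp-admin/');
}

if (wp_request_is_admin_surface($_SERVER['REQUEST_URI'] ?? '')) {
    $client  = $_SERVER['REMOTE_ADDR'] ?? '';
    $allowed = false;
    foreach (WP_ADMIN_ALLOWED_CIDRS as $cidr) {
        if (wp_ip_in_cidr($client, $cidr)) {
            $allowed = true;
            break;
        }
    }
    if (!$allowed) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

Two caveats for the horizontally scaled case the post raises: once instances sit behind a load balancer, REMOTE_ADDR is the balancer's address, so the allowlist check must use the client address the balancer sets (and only trust that header from the balancer's own IP), otherwise every visitor is either blocked or every visitor is allowed. Second, a secret file only helps if it is readable by the PHP worker alone and lives outside the document root; a copy left in the deployable artefact puts the password back on the instance.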
