Put it in a chroot jail on a dedicated server with SELinux, GRSec, and AppArmor all running at the same time, behind at least four layers of firewalls. Store the server in a lead-lined room with no net connection, and a good sturdy lock on the door whose opening requires a smart card, fingerprint and iris scans, and presidential orders filed in triplicate. Erase the smart card, spread acid on your fingertips, gouge your eyes out, and impeach the president. Pass HTTP correspondence in and out on floppy disks doused in holy water. Keep the server powered off at all times.
One aspect of VPSs and (eugh) cloud computing is the additional security. I don't think this aspect gets trumpeted enough.
Instead of having a single big kick-ass dedicated server running everything, you can have maybe 10 VPSs each doing a different thing. You can group things together in terms of risk: put WordPress on its own VPS, put your customer DB on another, etc etc.
At least then, if someone hacks into wordpress, it doesn't really matter that much - they only get wordpress, nothing else, and you just clean off that machine from backups.
(Obviously have completely different login credentials for each VPS, and only grant access from one VPS to another when really necessary, and restrict it).
"You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes." - Theo de Raadt
But yes, you are right for the most part. However, just throwing apps in VPS doesn't automatically solve your security issues.
Having 2 completely separate VPSs, in different data centers, secured with different passwords, seems pretty much more secure than having a single server to me.
Yes, there could theoretically be a way to punch through from an insecure VPS into a secure VPS on the same host, but I think the chances are pretty slim there.
It's wonderful for redundancy as well. I recently migrated our DNS from two dedicated servers in the same data centre, to three $20/month VPSs all on different continents. I don't need power or bandwidth, what I need is super-redundancy. These new VPS deals just hand it to me on an ultra-cheap platter. Couldn't be happier.
Except that Wordpress is written in PHP and designed without security as a goal. True, security is all about probability, but Wordpress' odds are not that good.
Windows was originally built without security as a major focus, but has been improved vastly. So has WordPress. Except for a few rare cases where security was a primary goal, such as OpenBSD, most software will be discovered to have vulnerabilities at some point in time.
So it's a good example of software built with security as a primary focus that still has vulnerabilities. I can think of few examples of software that has never had vulnerabilities discovered. OpenSSH maybe?
Yes, however, perusing the history of vulnerability disclosures in popular software demonstrates that the degree of likelihood of a new issue being found varies to a considerable degree based on the software in question.
Given that, software with an exceedingly low historical defect rate could reasonably be considered 'secure'.
I felt the same, but after searching for a few minutes I wasn't able to find anything to contradict it. It looks like their hosted option may actually be significantly more secure than installing your own.
This is obviously the way they advertise their wordpress.com version. Stick with us or you get compromised. Bad style. They should rather fix their buggy software.
They prefer new features over security. Have you noticed how with each major upgrade there are new holes in it?
WordPress is like Swiss cheese, full of holes. I'd prefer Swiss banks or watches instead.
Let me just rephrase that first paragraph a little. "When a WordPress security problem is found, they release a new version with the problem fixed and say everyone should upgrade to it. That's bad. Instead, they should release a new version with the problem fixed." Doesn't something about that seem a little ... odd ... to you?
WP 2.8, WP 2.7, WP 2.5 etc. each were compromised almost immediately, and each time several security updates have been issued in a matter of days and weeks.
Nobody can keep up with it so no wonder WordPress blogs get hacked.
Why don't they just release stable and secure versions?
Why? Because security is hard to do unless you (1) build it in right from the start and (2) are good at it, and neither of those things appears to be true in the case of WordPress.
You appear to be suggesting -- I can't tell how seriously -- that WordPress is deliberately made insecure so that when Automattic (ugh, I hate that name) want people to upgrade they always have a security issue they can use to scare people into doing so. Sorry, but that's absolutely nuts.
(In case it isn't clear: I am not, in the least, defending WP's security record. I am pointing out that the things you're saying here are crazy.)
"You appear to be suggesting -- I can't tell how seriously -- that WordPress is deliberately made insecure so that when Automattic (ugh, I hate that name) want people to upgrade they always have a security issue they can use to scare people into doing so. Sorry, but that's absolutely nuts"
No, YOU said that. I just said they don't care enough for security. Otherwise they wouldn't spit out new versions with holes so often.
So there is no reason to insult me.
Also the WordPress people pointing out all the time how wordpress.com hasn't been hacked is just obvious advertising for their hosted services.
OK, so we're at cross purposes. It looks to me like (1) I misunderstood something you said but (2) it still (2a) doesn't make sense and (2b) is distinctly more than "I just said they don't care enough for security".
Specifically: you said "This is the way they advertise for their wordpress.com version obviously. Stick with us or you get compromised." So, my mistake: I interpreted "their wordpress.com version" as "the latest version" rather than "hosting your blog on wordpress.com". That was dumb of me; sorry.
On the other hand, even after fixing my brain in that respect, I still can't see any way to read that as just saying that "they don't care enough for security".
If in fact it's true that wordpress.com consistently gets updated immediately when a new version comes out that fixes a security problem, and that people hosting their own WordPress blogs tend to be sluggish about upgrading, then I don't see why one of the things they say when a compromise happens is "you'd be in much less danger on wordpress.com". Because, y'know, it's true. What would be improper would be if (1) they are deliberately putting out insecure code to make their hosted version more appealing, or (2) the only thing they say when a security problem comes up is "come and use our hosted version". #1 is what it still looks to me like you were saying, but seems immensely improbable, not least because I find it very hard to believe that their net gain in paying customers from an incident like this one is positive. #2 would be bad indeed; is it true?
WP.com, to my knowledge, has never had a code or security breach.
There are communities (like Club Penguin) where they are quite promiscuous with their passwords and share login details with each other regularly, and then "hack" each other's blogs.
I did the same search. In each of those cases it seems like being "hacked" means adding another admin and having them screw you over or having your password guessed. Though I'm no Wordpress fan, blaming them for things like that is rather absurd.
They should try to figure out why people don't upgrade. Maybe there need to be clearer reminders, or separation between features and security. The same goes for why people aren't making backups. I would imagine it would be quite easy just to diff the releases and exploit whatever got fixed anyways.
There are pretty clear reminders. If you log into the Wordpress control panel, there's a bar that says "The latest version is x. Click here to upgrade." And they also built an automated update script that downloads, unpacks and installs it all for you.
My guess is that people don't update because they fear potentially breaking their styles or something.
If you make a small change to the style you're using, it gets overwritten on each update as long as it's a built-in style. The workaround is obvious (rename your changed style) but, as an example, I have always been too lazy to do this and I'm always behind the latest version.
You should check out "child theme" functionality, which allows you to make lazy changes to the style without modifying any core files, which is highly recommended against.
You're probably right, but if Wordpress checked out "automatically branching a child theme every time I use the interface Wordpress itself provides me with to modify core files" functionality, it would be more usable.
I was very lazy about upgrading my WP installations. I was lucky to never have been a victim of a vulnerability. For some reason, I thought the process would be a PITA, when, in fact, it took me about 15 minutes to upgrade three installations to the latest release.
That said, I don't use any plugins, so I didn't have to worry about compatibility issues.
People don't upgrade because they break some plugin compatibility with virtually every release, sometimes even cookie compatibility with every other release (seriously).
The upgrade process may be simplified but who wants to spend hours trying to fix compatibility every time they discover a bug they introduced with the last patch because they've broken backwards compatibility yet again.
What they should be doing is a general upgrade release for non-technical users and a technical bulletin about what exactly was wrong so technical users can manage older versions as desired. Instead you have to dig for an hour in trac notes to find what the heck they changed and why.
I have version 2.3 & 2.5 installs running safe because I've manually patched them and locked down the server. Delete any XMLRPC interface which is where half the bugs are introduced. The other half is the open ended admin interface which even regular users are allowed into to escalate privileges, which is asinine - you can even run PHPINFO through the admin panel as a regular member on many WP installs.
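The two attack surfaces named in the comment above, the XML-RPC endpoint and the admin interface, are also the two easiest things to watch for in a web server's access log. The following is an added example (not code from any commenter or from WordPress) that scans combined-format access log lines and reports hits on `xmlrpc.php` that were still served successfully (which means the interface has not actually been removed), bursts of POSTs to it from one source, and `wp-admin`/`wp-login.php` requests from addresses outside an operator-defined allowlist. The log lines and the `192.0.2.0/24` allowlist are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in Apache/nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2009:10:15:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2009:10:15:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2009:10:15:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Sep/2009:10:16:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - admin [10/Sep/2009:10:17:44 +0000] "GET /wp-admin/plugins.php HTTP/1.1" 200 9870 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Sep/2009:10:18:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1500 "-" "curl/7.19"
192.0.2.51 - - [10/Sep/2009:10:19:00 +0000] "GET /2009/09/hello-world/ HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
"""

# Fields of the combined format: client, ident, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def in_allowlist(ip, networks):
    """True if ip falls inside any of the given ip_network objects."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def scan(log_text, admin_allowlist, burst_threshold=3):
    """Return a list of (rule, client_ip, detail) findings for the given log text.

    admin_allowlist: CIDR strings from which wp-admin/wp-login access is expected
    (a hypothetical operator setting, e.g. an office or VPN range).
    """
    networks = [ip_network(n) for n in admin_allowlist]
    findings = []
    xmlrpc_posts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].lower()
        if path.endswith("/xmlrpc.php"):
            # A 2xx/3xx answer means the endpoint is still reachable; if you removed
            # or blocked it you expect only 403/404 here.
            if rec["status"] < 400:
                findings.append(("xmlrpc-reachable", rec["ip"], rec["path"]))
            if rec["method"] == "POST":
                xmlrpc_posts[rec["ip"]] += 1
        is_admin = path.startswith("/wp-admin/") or path.endswith("/wp-login.php")
        if is_admin and not in_allowlist(rec["ip"], networks):
            findings.append(("admin-from-outside", rec["ip"], rec["path"]))
    for ip, n in xmlrpc_posts.items():
        if n >= burst_threshold:
            findings.append(("xmlrpc-burst", ip, f"{n} POSTs"))
    return findings


if __name__ == "__main__":
    for rule, ip, detail in scan(SAMPLE_LOG, ["192.0.2.0/24"]):
        print(f"{rule:20} {ip:15} {detail}")
```

Run against the sample, the scanner reports the three successful `xmlrpc.php` POSTs, the burst from that one client, and the two admin-area requests from the address outside the allowlist; the `wp-admin` visit from inside the allowlist and the ordinary page view produce nothing.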
Exactly. I was running a much older version of WP and it took 6 hours to upgrade, including making sure all the plugins worked correctly.
I immediately got the "white screen of death" afterwards and had to do a binary search to figure out which plugin(s) were the culprit (and then try to track down newer versions or alternatives).
Some API changes are not backwards-compatible, so your themes have to be upgraded also (for example, the "show comments" api will by default say "comments off" on every page that doesn't allow them, which it didn't before). I'm sure there's other such changes I haven't yet noticed.
I'm glad I upgraded, but it was a major hassle and nearly a full day's work in my case.
An approach I really like is to run your blog software of choice locally, then rsync the generated flat files to a server. If you want comments, you'll need to maintain some dynamic component on the server, but it still massively reduces your exposure.
I've started using Jekyll + Disqus for simple things (see http://narwhaljs.org for an example).
Much less hassle than setting up a database, installing Wordpress (as easy as it is) and most of all remembering to update Wordpress every few weeks, as long as you don't need in-browser editing and such.
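The workflow in the comments above (generate the site locally, push the flat files, keep nothing dynamic on the server) is only as safe as what actually lands in the document root. The following added example, not code from any commenter or from Jekyll, implements the publish step in Python so that it runs even where `rsync` is absent: it first refuses to publish an output tree that contains anything other than static asset types (a stray `.php` file or a `.git` directory), then mirrors the tree into the destination and removes files that no longer exist locally, which is the effect of `rsync -a --delete`. The directory layout and file names in the demo are constructed; the allowed-extension set is an assumption to adjust per site.

```python
import filecmp
import os
import shutil
import tempfile

# Hypothetical policy: only these file types may reach the web root.
STATIC_EXTS = {".html", ".htm", ".css", ".js", ".png", ".jpg", ".gif",
               ".svg", ".xml", ".txt", ".ico"}


def audit_static_tree(root, allowed=STATIC_EXTS):
    """Return sorted relative paths under root that must not be published:
    dotfiles/dot-directories (e.g. .git) and files whose extension is not allowed."""
    bad = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d.startswith("."):
                bad.append(os.path.relpath(os.path.join(dirpath, d), root))
                dirnames.remove(d)  # do not descend into it
        for f in filenames:
            rel = os.path.relpath(os.path.join(dirpath, f), root)
            if f.startswith(".") or os.path.splitext(f)[1].lower() not in allowed:
                bad.append(rel)
    return sorted(bad)


def mirror(src, dst):
    """Copy new or changed files from src into dst, then delete files in dst
    that no longer exist in src. Returns (copied, deleted) counts."""
    copied = deleted = 0
    for dirpath, _, filenames in os.walk(src):
        rel_dir = os.path.relpath(dirpath, src)
        os.makedirs(os.path.join(dst, rel_dir), exist_ok=True)
        for f in filenames:
            s = os.path.join(dirpath, f)
            d = os.path.join(dst, rel_dir, f)
            # shallow=False compares contents, not just size/mtime
            if not os.path.exists(d) or not filecmp.cmp(s, d, shallow=False):
                shutil.copy2(s, d)
                copied += 1
    for dirpath, _, filenames in os.walk(dst, topdown=False):
        rel_dir = os.path.relpath(dirpath, dst)
        for f in filenames:
            if not os.path.exists(os.path.join(src, rel_dir, f)):
                os.remove(os.path.join(dirpath, f))
                deleted += 1
        if rel_dir != "." and not os.listdir(dirpath):
            os.rmdir(dirpath)  # prune directories emptied by the deletions
    return copied, deleted


def publish(src, dst):
    """Audit the generated tree, then mirror it; raises ValueError on policy violations."""
    problems = audit_static_tree(src)
    if problems:
        raise ValueError("refusing to publish non-static content: " + ", ".join(problems))
    return mirror(src, dst)


def demo():
    """Build a constructed output tree and a stale destination, then publish."""
    src, dst = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.makedirs(os.path.join(src, "css"))
    with open(os.path.join(src, "index.html"), "w") as fh:
        fh.write("<h1>hello</h1>")
    with open(os.path.join(src, "css", "style.css"), "w") as fh:
        fh.write("body { margin: 0 }")
    with open(os.path.join(dst, "draft.html"), "w") as fh:
        fh.write("stale page that was removed locally")
    first = publish(src, dst)            # (2, 1): two files copied, stale draft removed
    with open(os.path.join(src, "admin.php"), "w") as fh:
        fh.write("<?php ?>")             # a dynamic file sneaks into the output tree
    try:
        publish(src, dst)
        second = None
    except ValueError as e:
        second = str(e)
    shutil.rmtree(src)
    shutil.rmtree(dst)
    return first, second


if __name__ == "__main__":
    print(demo())
```

The audit runs before anything is copied, so a failed check leaves the live site untouched; the mirror compares file contents rather than timestamps, so regenerating the site does not re-upload unchanged pages.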
This post just shows how desperate these guys are. They don't even address their own responsibility. They assume that having worms is perfectly natural.
They rather blame other people for suggesting the wrong solutions.
There is no other software out there that demands upgrades so often, to no avail, getting infected again and again nonetheless.
Why not use another blogging platform then? It's not a Windows case of near-monopoly. There are plenty of blogging platforms. If WP is crap, why not switch to another one?
Unfortunately, the options are very constrained if you require both features and security. The only platform I know of with a strong security history and a decent feature-set is Apache Roller: http://roller.apache.org/
Yeah, good question. I almost switched to the more secure MovableType when they went open source, but MT still does not support pingback; that is, you can add a plugin which enables receiving pingbacks, but you cannot send them.
This makes your blog a dead end. Pingbacks are crucial to spread the message throughout the blogosphere.
Another issue is the backend interface plus the frontend templates/themes. MT has a decent backend but you barely get any templates you can use.
The same problem arises with S9Y. I just installed it, and both the default templates and the remaining choices are awful. So basically you have to design and code everything yourself.
I think the single best thing you can do with wordpress is to run an SVN install. They're usually pretty good about tagging updates, so for example the update to 2.8.4 consisted of this: