Is WordPress considered a not-so-secure or unsecure web hosting platform? If so:

What other platforms are not so secure? Which ones are considered secure?

WordPress itself is secure; its app ecosystem is the one having security and privacy issues.

5 Likes

I wouldn’t go that far, they have plenty of bugs and vulnerabilities in core WP.
Just check out release notes, almost every release has security fixes.

They even say so themselves:

Vulnerabilities in WordPress

Like many modern software packages, WordPress is updated regularly to address new security issues that may arise. Improving software security is always an ongoing concern, and to that end you should always keep up to date with the latest version of WordPress. Older versions of WordPress are not maintained with security updates.

Minimizing your attack surface and keeping up to date is probably the best way to go. If you have a small business with a 10-page website, do you really need WordPress or some other CMS, or can you get away with a static site?

There may well be other vulnerabilities that will be used against you, for example if a server is running other services such as ssh, mail, DNS… whatever.

If you use shared hosting there are plenty of other users that may be vulnerable and lead to you being compromised.

Basically it’s a clusterfuck.

6 Likes

Is there a better, more secure, “easy” alternative? If one were to desire a simple, under 20 page site, no shopify/integrations?

1 Like

That’s why we have static site generators like Jekyll, Ghost, or Hugo. If you don’t have to cater to the needs of the normies I’d go with one of those any day over using WordPress.

7 Likes

Yup, it's much harder to hack a plain HTTP server serving static content than a dynamic modern Rube Goldberg machine.

Still, there are plenty of alternatives to WordPress, you just have to have a specific use case in mind.

WP can be bent and squeezed into so many sane and not-so-sane use cases that it's plainly impossible to have an equivalent alternative.

Write down what end functionality you need, then use it as a jumping-off point.

Also there is no secure software, just varying levels of insecurity.

4 Likes

A testament to the robustness of http.

Here is the very first website. Still works just fine many years later.

https://info.cern.ch/

2 Likes

Wild. Reminds me of my youth and dial-up days, when there was dialer malware for some reason.

Wordpress really is a remarkable piece of work. PHP is not really a secure language, at all, but Wordpress has a nice “lower level” bit of work they did and wrote on top of pretty much from the start to make it so they can write reasonably clean, maintainable, and secure code out of a language that isn’t really designed for any of those.

WordPress plugins will increase your exposure…
But if it gets the job done and u can secure your shit… why not…

Not sure why you think PHP is more insecure than other programming languages these days. I think that's just no longer the case for quite a long time now.

PHP is memory safe, has garbage collection, supports modern constructs such as classes, lambda functions, etc.

Vulnerable features such as register globals and magic quotes have been gone for over a decade now, and features such as executing code from a preg_* have been removed.

It would seem your statement is based on decades-old assumptions about the language.

WordPress has some of the worst written code I have seen, largely due to design decisions made many years ago that they are now stuck with. The usage of global everywhere, and the plugin functionality, are perfect examples of this.

The database design is terrible also leaving MUCH to be desired. Encouraging developers to store all options in the wp_options table, including transient temporary values is a joke. The excessive and lazy use of serialised data as stored values is also laughable.

When it comes to third party plugins, most are written by 1st year programmers that do idiotic things and then sell off their code as “production ready” to the masses, ie:

Ref: https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010

(For those that are not familiar with the language, this is a SQL Injection vulnerability due to the developer not following best practices by using parameterised queries)

Also often seen are plugins that use CURL to fetch resources from third party services/resources without any notion of caching the result, resulting in 100s of requests to some server that, if it’s down or slow, causes 30s+ timeouts while waiting for the resource.

As for the “well supported” more major plugins, like WooCommerce, they are an absolute joke. This plugin causes WordPress to come to an absolute crawl no matter how many resources you throw at it.

To try to fix these issues people end up installing “caching” plugins into Wordpress that themselves are slow and a security risk, also causing issues with serving static/stale data. Making matters worse, these plugins are still running in the context of PHP and do not work with the HTTP server to leverage features like FastCGI caching of content.

A common tweak plugins perform, or people are told to do, is to increase the PHP memory limit and/or the maximum execution time to crazy values, opening you up to DoS attacks through resource exhaustion. Instead of fixing their code to use a cron job to perform some large processing job in the background, they try to do it live when a visitor is viewing the website.

Many themes use the timthumb.php resize script, of which there are several versions floating around with major vulnerabilities, and it is still distributed as part of themes to this day. Even if this script was 100% secure, it causes excessive server load because it creates an HTTP connection to the server to fetch the image to resize instead of reading the image directly from the disk.

So while I do not consider the core of WordPress to be insecure, I do consider the entire WordPress ecosystem to be insecure and it should be thrown out for something new.

Edit: Note this is based on decades of supporting and developing for PHP, and fixing and mitigating WordPress issues for clients after they have run into these issues, or had their entire site defaced by Iranian hacking groups due to some vulnerable plugin they were running.

4 Likes
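
The post above attributes the plugin's SQL injection to not using parameterised queries. As an added example (not part of the thread and not the plugin's code), the following contrasts the concatenated and the parameterised form. It assumes PDO with an in-memory SQLite database and a constructed `ads` table so it runs on its own; inside WordPress the corresponding call is `$wpdb->prepare()`.

```php
<?php
// Added illustration; the table, columns and rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ads (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)');
$db->exec("INSERT INTO ads (owner, title) VALUES
    ('alice', 'Spring sale'), ('bob', 'Private draft'), ('carol', 'Internal test')");

// Vulnerable pattern: request input is concatenated into the SQL text,
// so the input can change the structure of the query.
function ads_for_owner_unsafe(PDO $db, string $owner): array
{
    $sql = "SELECT id, title FROM ads WHERE owner = '" . $owner . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the SQL text is fixed and the value is bound separately,
// so the driver always treats it as data.
function ads_for_owner_safe(PDO $db, string $owner): array
{
    $stmt = $db->prepare('SELECT id, title FROM ads WHERE owner = :owner');
    $stmt->execute([':owner' => $owner]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Numeric parameters need the same treatment: validate, then bind with an
// explicit type instead of trusting that the value "is just a number".
function ad_by_id_safe(PDO $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null; // reject anything that is not an integer
    }
    $stmt = $db->prepare('SELECT id, title FROM ads WHERE id = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: one ordinary value and one that contains SQL syntax.
foreach (['alice', "nobody' OR '1'='1"] as $input) {
    printf("input: %s\n", $input);
    printf("  concatenated: %d row(s)\n", count(ads_for_owner_unsafe($db, $input)));
    printf("  prepared:     %d row(s)\n", count(ads_for_owner_safe($db, $input)));
}
var_dump(ad_by_id_safe($db, '2'));
var_dump(ad_by_id_safe($db, '2 OR 1=1'));
```

Run it with the PHP CLI with the `pdo_sqlite` extension enabled; the row counts show where the concatenated query stops treating the input as data.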

that’s kinda cool :nerd_face: the very first one!
i might only have about 5% of all yall skills and knowledge but i can now tell people i have been to the very first website ever they might not care but i do!!!

2 Likes

I’m glad you liked it :]

Curious if you used the terminal emulator option? That would be more 1:1 of what the early web felt like.

1 Like

As with any popular software there will be more people trying to hack it. If I had to use WordPress I’d put it in a container (in a VM (on a dedicated computer (in a different room))) to be on the safe(er) side. But as long as you make sure it’s updated it’s pretty alright. Most of the problem is really people who leave their sites running old versions. A computer running Windows isn’t that unsecure, but it is if you’re still running XP SP1.

haha no, i just went to the link natively, so not as authentic an experience but still get to make the claim!

back when i watched the L1T podcast i remember Wendell and Ryan on multiple, multiple occasions talking about what a problem WordPress was and how much they disliked dealing with it and its vulnerabilities.