Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.


#170967

“security through obscurity” …that’s just simply not true. It’s a false sense of security.

Very true. However, WP does suffer because of its popularity.

Its bigger downfall, however, is not its popularity or its power. It’s because of how much effort is put into making it user-friendly.

PHP has a bad rep in the security world because of the lengths it goes to to keep going no matter what. Where other programming languages have the philosophy of “whup, something’s wrong, let’s stop until it’s fixed,” PHP has the philosophy “whup, something’s wrong, let’s assume we’re supposed to do this… and that… whatever, just keep going until it’s completely unsolvable.”

Both PHP and WP take this approach because it seems very “forgiving” to newcomers. You can screw up your script a lot, and it still (mostly…apparently?) works like you intended.

This not only opens up security holes, it makes them very difficult to close because, for every serious “bug,” there are hundreds of people that rely on it as a “feature.” You can’t fix it, in the name of backwards compatibility.

(I can’t tell you how many times I try to help someone fix an error in their code, and they insist that it’s not the problem because it “works perfectly on the other page, with no errors at all.” Well, no; the error is still there. You just turned off error reporting and called it solved.)

Because PHP and WP are both so attractive to “newbies,” they have a disproportionately large percentage of “newbie” users. Many people who write plugins for WP -very popular and successful plugins- simply don’t know how to write code. (I’ve spoken to WP developers who don’t even realize that WP and PHP are different things.) This is why so many of WP’s vulnerabilities come from plugins.

“Drupal is better because it is more secure”, it’s really not that simple and each have their vulnerabilities.

True; it’s not that simple. Drupal and Joomla are both written in PHP, and so share PHP’s weaknesses. However, Drupal is orders-of-magnitude better written and more secure than WP. whitehouse.gov runs on Drupal.

The catch is that Drupal is a “not really a CMS” type of CMS. There’s a lot more you have to do to be ready to launch a site, and it has a much steeper learning curve as well.

(…and don’t bother with Joomla.)

I planned on using all of the options above along with additional server side security options …

Most of the “options” you list aren’t really “options.” You can’t just flip a switch, or install them, or something like that. “Server Hardening,” for example: what does that mean? It’s not an answer. It’s not even a topic, really, it’s a whole field of study.

We are looking at a dedicated server, we want something fully managed so we don’t have to worry about things like updating PHP and MySQL.

Honestly, there are two approaches I would suggest:

  • Hire a sysadmin.

Not someone who can manage a server; someone whose career is managing servers and who has a good track record of doing so. Someone who can contribute to the security side of your website as well. Someone who has actually cleaned up after attacks. It’ll take interviewing, and a reasonable (depending on your point of view) salary. But it will be worth it.

  • Roll your own.

Buying a managed server kinda leaves you in the same boat you’re in already. You’re leaving things in the hands of others (probably salesmen), just like on a shared server.

(BTW, a true “dedicated server” is probably not what you want. Think long and hard before buying hardware, because you inherit complete responsibility with it. You might like the idea of living on a private island, but remember: if you fall down the stairs, you’ll be waiting a day and a half for the paramedics. And then you have to pay for their helicopter. A VPS instance (like DigitalOcean or Linode, as Joe_Temp suggested) is more forgiving to set up, has no maintenance costs, and has much better redundancy.)

Yes, a fully managed server might be more than suitable for what you need. And it is certainly better than shared hosting! But if you feel the need to “harden” your server, then doing it via a CP, and being separated from tasks like updating PHP or MySQL, is going to be more of a hindrance than a help.

If you need that, get a barebones VPS instance and install everything yourself. Working with your server on a lower level will help you understand how it actually works, and that is the one thing you actually need if you want security.