Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

WordPress Security
  • #31377
    gno
    Member

    Hi CSS-tricksters,

    As this site seems to be the home for quite a few WordPress enthusiasts I thought that this would be a good place to start this discussion.

    I’m a long time PHP developer and I would, at any given time, prefer to do anything and everything by myself – not using any kind of CMS’s. Though I have received quite a few requests on WordPress sites recently. So I decided to pick up the “Digging into WordPress” pdf-version, to take a look at it, and decide whether I should go with WordPress or convince my customers that my hand coded solutions are much better than a “one-size-fits-all”.

    I must admit, that I have high hopes for the book – especially after reading the closing paragraph of the introduction; “If you are buying this because your boss is making you design a site around WordPress and you are none too happy about it… Bummer. But hopefully by the end we can turn your frown upside down and bring you into the light.” It made me smile :-)

    What really bothers me is the advice given when the writers are talking about installation. What they are saying is that you should hide the WordPress files in a folder in your public root directory, so bots cannot find your admin interface logon page… More specific – have all files in a subfolder and moving index.php and .htaccess out of that one – and fixing a little pathing in index.php as well.

    But I do not see how this is actually a security improvement at all. It would not take anyone more than a few seconds to figure out if you are using wordpress or not – and even less time to figure out how to get to those files that you are trying to hide.

    Now you’re thinking: “How would I do it differently?” Thanks! I thought that you would never ask…

    My approach to this has always been the same. If you look at all the websites that I have made, there is one common thing that never changes – the folder structure. Or at least – the concept of the folder structure. In the root folder I have a folder called public, where I store images, css and a bootstrap file called index.php, and a few other folders containing the needed php files. Besides the folders there’s a .htaccess file redirecting all requests to the public directory. One additional .htaccess file in the public folder makes all requests which are not for files (css stylesheets, images, js files and other common resources) go to the index.php file. From that point I start whatever action is needed (depending on the query string of course).

    This means that no one other than me has access to the php files – except the simple bootstrapping file.

    I cannot see why you would not take the same approach when using wordpress. I do not know a lot about wordpress – but as far as I can see, the only files that one would need access to would be the index.php file from the wordpress root and the admin logon page (which could easily be hidden using mod_rewrite without need for silly changes of the folder structure ;-))

    I would love to hear your thoughts on this, possibly some reasoning behind the design choice made by the wordpress crew and maybe even a comment from Chris Coyier himself as to why you recommend this stuff in the book :-)

    I apologize in advance if my post is offending anyone. It is not my intention! English is not my native language, so please, bear with me. :-)

    Gustav

    #80371
    clokey2k
    Participant

    Strangely, the moment you enable ‘Pretty Permalinks’ feature the .htaccess is updated to the same as you suggest. ALL queries that are not to actual files are redirected to ‘index.php’.

    It would be very easy to find any WordPress installation by checking image URLs, showing route to the themes folder. BUT most of the files require WordPress core functions, so unless you open the RIGHT file you won’t get any valid output.

    Not sure how secure the WordPress login pages are, but I am making the assumption that it is a key area of concern for the WordPress team and there are regular updates. You’ll also read about the security strings in wp-config, which add a little more randomness.

    I will end with a question: When loading a theme in WordPress files are included by PHP, would a mod_rewrite interfere with internal page calls?

    *EDIT* Also, I have used WordPress a lot recently – as my PHP is a little rough at times, but have recently been introduced to CodeIgniter. CI appears to be really easy to pick up, but I will still be using WordPress for a little longer :-p

    #64042
    gno
    Member

    I know that WordPress rewriting works the same way. But I’m just unable to understand why people want files that visitors do not need access to lying around in a public folder. (This was the TLDR-version of my way too long OP). No visitors need access to the wp-config.php file – then why is it accessible at all? It is really simple to store php files outside the public folders and that is one of the most basic and most efficient things you can do, when you are trying to make a website more secure. You can solve the issue in other ways (like defining a constant in your index.php and only execute the other files if that constant is defined – “disabling direct access by code”) but why would you? It is another place where hard-to-catch-security flaws can pop up…

    The answer to your question is simple; No. It will not interfere as the php file references are not requested via URLs on the internet, but requested as files on the server running the php script…

    CI, PHPCake and such are not worth the time in my opinion. PHP is essentially a framework, making CI a framework built on a framework. Maybe someone will be able to make code faster in such frameworks, but it comes with a cost – decreased performance and just loads of unnecessary bs.

    I recommend this article written by the creator of PHP – a good example of how you can make clean, simplistic and efficient code, fast, with PHP as-is. http://toys.lerdorf.com/archives/38-The-no-framework-PHP-MVC-framework.html
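The layout gno describes in the opening post (a public/ web root holding only static files and one bootstrap index.php, every other PHP file above the web root) together with the "define a constant and refuse direct access" alternative mentioned in the reply above, written out as an added example. It is not code from this thread, from WordPress or from CSS-Tricks. It assumes Apache with mod_rewrite, PHP 8, and the two .htaccess files reproduced in the comment header; the directory names, the APP_BOOTSTRAPPED constant and the route table are illustrative choices, not anything the thread specifies.

```php
<?php
// public/index.php: the only PHP file that lives inside the web root.
// Added example (not from the thread or from WordPress). Assumed layout:
//
//   site/
//     .htaccess              RewriteEngine On
//                            RewriteRule ^(.*)$ public/$1 [L]
//     app/                   never reachable by URL: it is above the web root
//       config.php           returns an array with DB credentials etc.
//       controllers/home.php
//       controllers/about.php
//     public/
//       .htaccess            RewriteEngine On
//                            RewriteCond %{REQUEST_FILENAME} !-f
//                            RewriteCond %{REQUEST_FILENAME} !-d
//                            RewriteRule . index.php [L]
//       index.php            this file
//       css/ js/ images/     static files, served directly by the web server
//
// Files in app/ are loaded with require(), i.e. through the filesystem and
// never through a URL, so mod_rewrite has no effect on them.

declare(strict_types=1);

// Marker that every file under app/ checks before doing anything:
//     defined('APP_BOOTSTRAPPED') or exit('No direct access');
// It only matters if a file is later copied into public/ by mistake; while the
// file sits above the web root, a request for it is simply a 404.
define('APP_BOOTSTRAPPED', true);

$appRoot = dirname(__DIR__) . '/app';

// Path of the request, stripped of the query string; everything in it is
// attacker-controlled, so it is only ever used as a lookup key below.
$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';

// Under PHP's built-in server (php -S ... public/index.php) this file doubles
// as the router. Returning false makes the server send a real file that exists
// under public/, which is what the public/.htaccess rules do under Apache.
// realpath() plus a prefix check keeps "/../app/config.php" from matching.
if (PHP_SAPI === 'cli-server' && $path !== '/') {
    $candidate = realpath(__DIR__ . $path);
    if ($candidate !== false
        && str_starts_with($candidate, __DIR__ . DIRECTORY_SEPARATOR)
        && is_file($candidate)) {
        return false;
    }
}

// Credentials live outside public/, so "/config.php" and "/app/config.php"
// both yield 404 from the web server; only this require() can read the file.
$config = require $appRoot . '/config.php';

// Whitelist of URL path => controller name. The path is never concatenated
// into the require() target; only the fixed controller name is.
$routes = [
    '/'      => 'home',
    '/about' => 'about',
];

if (!isset($routes[$path])) {
    http_response_code(404);
    header('Content-Type: text/plain');
    echo "Not found\n";
    exit;
}

// $config is in scope for the controller that gets included here.
require $appRoot . '/controllers/' . $routes[$path] . '.php';
```

To try it without Apache, run `php -S localhost:8080 -t public public/index.php` from site/ and request /, /about, /css/anything.css and /app/config.php: the first two hit controllers, the third is served as a static file if it exists, and the last is a 404 because app/ is outside the document root. The whitelist route table is the part worth keeping even if the rest changes: the moment a request path is spliced into an include path, the "only index.php is public" property stops protecting anything.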

    #64044
    clokey2k
    Participant

    Now that is one big post – I’ll read it over the next few days, see where that takes me. I think I am being very lazy in my learning style – starting with frameworks and working back to raw script. There was a good discussion on abstraction here on CSS-Tricks not long ago.

    Also I have yet to purchase any book material related to web technologies (although I have compiled a bit of a recommended reading list for purchase :-) ); I’m a quick learner mostly, hopefully will be ‘weaned off’ frameworks – but it would be a long jump to get away from WordPress. Thanks for the link @gno.

    #63915
    gno
    Member

    To quote Rasmus Lerdorf – no matter what tools you use, nothing is going to build your website for you ;-)

    Learning to use a framework first is a waste of time – you might as well take the plunge now!
