Wordpress security by Stefan Esser
Interview with Stefan Esser on Wordpress security. Very interesting read, and Stefan has some very valid points in regard to how issues are being addressed.
I would like to highlight two of the key points made in the interview:
If I recall correctly, the phpBB guys at one point used their collected money and paid a security company to audit the software. I strongly suggest that the WordPress guys do the same. I am quite sure that there are still several vulnerabilities in WordPress. The free audits that they get from people releasing advisories will never cover the whole code base.
One would think that, given the success of wordpress.com, commissioning external reviews like this should be within reach for the Wordpress codebase as well. Of course, this would not extend to third-party plugins and themes, but having someone not associated with the product review the core code for security issues would be a very good idea (tm).
I am very glad that Gallery 2 hires third-party security experts to do code reviews for each of the major releases. It really does make me sleep a little bit better at night, and the Gallery 2 security track record has been very good thanks to this and its great developers.
I would actually do two things: 1. Switch off the SQL error messages, because they give far too much information to potential attackers. 2. Ensure that the default SQL table prefix is not chosen during installation.
This also makes a lot of sense. Not showing error messages to random visitors should be a priority: error messages often reveal more than any user needs to see, and they are frequently the way attackers learn how to break into a system. Randomizing the SQL table prefix would indeed make it a bit harder to inject data, but it would not stop anyone who already has access to the installation from inserting data into the database. After all, the prefix has to be stored somewhere, in a form the application can read.
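To make both recommendations concrete, here is a wp-config.php fragment with the weak settings beside the corrected ones. This is an added example, not from the interview or from WordPress itself; it assumes the standard wp-config.php layout, the `$table_prefix` variable and the WP_DEBUG family of constants, and the prefix value shown is a constructed sample.

```php
<?php
// Added example (not from the interview or the WordPress project):
// the two settings Stefan Esser recommends, as they appear in wp-config.php.

// --- Table prefix -------------------------------------------------------
// Weak: the installer default, which is the first value anyone guesses.
// $table_prefix = 'wp_';

// Corrected: a prefix chosen at installation time. Letters, digits and
// underscore only, and it must end in an underscore. The value below is a
// constructed sample; generate your own.
$table_prefix = 'k3v9_';

// Caveat from the post above: the prefix still has to live in this file, so
// anyone who can read wp-config.php learns it. Keep the file unreadable to
// other users on the host (e.g. mode 0600 owned by the web server user).

// --- Error messages ------------------------------------------------------
// Weak (for illustration only, never ship this):
// define( 'WP_DEBUG', true );
// define( 'WP_DEBUG_DISPLAY', true );  // prints PHP and database errors
//                                       // into the page for every visitor

// Corrected: nothing about failed queries reaches the browser.
define( 'WP_DEBUG', false );          // no debug output; wpdb will not
                                      // render its own SQL error boxes
define( 'WP_DEBUG_DISPLAY', false );  // belt and braces if WP_DEBUG is ever
                                      // turned on for troubleshooting
@ini_set( 'display_errors', '0' );    // PHP-level: covers errors raised
                                      // before WordPress has fully loaded

/* That's all, stop editing! Happy publishing. */
```

With WP_DEBUG off, database errors are still written to the PHP error log, so administrators lose nothing; only the anonymous visitor stops seeing table names and query text.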
Post metadata
Published June 30, 2007 01:19
3 comments
Tagged with audits, blogging, featured, Gallery, gallery2, security and Wordpress
3 Responses to Wordpress security by Stefan Esser :
2007-07-06 18:07:10
Hey, you have a great blog here! I’m definitely going to bookmark you!
And I have A http://www.klamaraby.com/vb
Come and check it out if you get time
Thanks a lot
2007-07-08 17:56:46
I am surprised to see this. Given the success of wordpress, it is strange that wordpress was never audited by a third party.
This should have been at the top of the minds of those who are driving the development and deciding the fate of this wonderful blogging platform.
2007-07-24 01:47:52
Wordpress is a good platform. Because of its popularity, it seems that a lot of people know its shortcomings and take advantage of it.
Interesting story. Have a nice day : - )