> Maybe you should tell them to secure their wordpress install instead
Hence the ":P", my comment was mostly in jest.
> 3. Create an empty wp-content/plugins/index.html file - otherwise you leak information on which plug-ins you run
It's better to just disable indexes on the entire site. That prevents anyone from poking around.
Options -Indexes +FollowSymLinks
> This is a lot more efficient than boycotting wordpress altogether.
WordPress has a history of being extremely vulnerable. I don't know how much of it is user error and how much of it is related to the way PHP is normally configured and used.
PHP invites uploading malicious scripts. Something like Ruby on Rails (or Django) has the code for the application loaded into RAM. Static files are served out of the public folder, away from any code. This makes uploading malicious scripts useless, provided someone hasn't turned on PHP or CGI for the public folder (which you should never do). Every PHP application I've seen or worked on has mixed code with static files, and the web server had write permissions to every folder in the application. Additionally, anyone who doesn't abstract from the database with a query generator or an ORM is asking for SQL injection.
That is why I don't care for WordPress. :)
(Am I bitter? Oh yes, most definitely. :P)
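As an added example (not code from the comment above or from WordPress itself), here is an Apache 2.4 virtual host fragment that applies the two points raised in this thread to a WordPress document root: directory listings are disabled for the whole site rather than patched over with an empty index.html, and the one directory the web server is allowed to write to (wp-content/uploads) is prevented from serving PHP at all, so an uploaded script cannot be executed. The server name and filesystem paths are assumptions chosen for illustration.

```apache
# Added example, not from the original thread. Assumed paths and hostname.
<VirtualHost *:443>
    ServerName blog.example.test
    DocumentRoot /var/www/wordpress

    # Weak setting (shown commented out): listings enabled, which exposes
    # the contents of wp-content/plugins and every other directory.
    #
    # <Directory /var/www/wordpress>
    #     Options +Indexes +FollowSymLinks
    # </Directory>

    # Hardened: no directory listings anywhere under the document root.
    # Note the consistent +/- prefixes; Apache rejects "Options -Indexes FollowSymLinks"
    # because mixing prefixed and unprefixed options is a syntax error.
    <Directory /var/www/wordpress>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # The uploads directory is the only place the web server user should have
    # write access. Whatever lands there must be served as static data only:
    # refuse to serve anything with a PHP-style extension and disable CGI.
    # The FilesMatch deny works whether PHP runs via mod_php or php-fpm.
    <Directory /var/www/wordpress/wp-content/uploads>
        Options -Indexes -ExecCGI
        <FilesMatch "\.(php|phar|phtml|php[0-9]?)$">
            Require all denied
        </FilesMatch>
    </Directory>
</VirtualHost>
```

Run `apachectl configtest` after dropping this in; the mixed-prefix Options line mentioned in the comment will fail that check, while the prefixed form above passes. Keeping AllowOverride None also stops a writable .htaccess from re-enabling indexes or adding a PHP handler in the uploads tree.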