Security Review Process

    As a mod for the WordPress forum at Webmaster World I started a thread about WordPress security – or the lack thereof. Largely because I’m tired of the beating WP takes and I wanted to see if anyone could actually prove there were security issues. What has come out of the thread so far is a lot of accusations about how there is no dedicated security team or process for handling issues. So I’m here to ask, what is there for a security team or security review process/protocol for code and issues when they’re uncovered?

Viewing 15 replies - 16 through 30 (of 31 total)
    It’s not about proving WordPress is secure. The issue is public perception.

    Imagine a website developer selling a site based on WordPress to a client. It could just as easily be anyone thinking about using WordPress. The client may have heard rumors that WordPress isn’t secure and challenges the developer to prove it is secure. The developer has to do what I’ve been doing – piece together the evidence.

    It would be much easier if there was a single page, under the WordPress.org site, to go to answer the question clearly and concisely. Highlight the existence of a security team, their objectives, the work they do proactively and reactively. No need to mention names or specifics.

    Moderator Andrew Nevins

    @anevins

    Forum moderator

    But how would you get people to read that resource?

    That’s a good question. But having it is better than not having it and I know there will be people like me referring people to it – especially when people are spreading rumors and lies.

    It could be linked to or even a part of the Security Category Archive on the blog: http://wordpress.org/news/category/security/

    leejosepho

    @leejosepho

    …users like convenient, easy to understand packages of information. That they have to visit several pages to get the answers isn’t working and leads to misunderstanding.

    In my own opinion, that is the crux of this entire matter…and I continue here without complaining…

    For security at my own site (and I now handle security at four), and while knowing nothing at all just a year ago, I did begin at the often-mentioned “Hardening WordPress” page. However, achieving the level of security I know today has required great amounts of time and effort in searching, sifting and sorting through all kinds of things discovered and learned by doing Google searches (and occasionally landing back here at these forums) along with trying various suggestions and settings made available in different security plugins. Looking back, I would want to never again have to do all of that, and in looking ahead, I think it is time to lessen the level of that challenge for others getting started.

    Edit: As an aside, consider the difference between not having to deal with security at all (as far as I know) at a WordPress.com-hosted site and having to “do it all for yourself”, so to speak, at a self-hosted site. Folks who move their sites from one to the other so they can have more flexibility should be made clearly aware of at least some initial security (such as “Hardening WordPress”) needing to be a priority ahead of the reason behind the move, and then the information they need should be readily available. Apart from that, the shock of a mis-perceived “lack of security” can only continue to hit people who had no way to know, understand or address the need.

    esmi

    @esmi

    Forum Moderator

    The developer has to do what I’ve been doing – piece together the evidence.

    In this scenario, wouldn’t an independent resource be more credible – such as http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

    That certainly helps, but something coming from the WordPress team itself provides clear evidence of a commitment by the team to security – rather than implying it by having others speak about how secure WordPress is. Sort of like guessing if Hillary Clinton will run for president or not. She hasn’t said, but everyone seems to think she will – there’s that bit of doubt that nags at people. Why not erase it? A simple one-pager as I described shouldn’t be all that difficult to create.

    BTW – the Hillary reference was just for an example and not my endorsement. 😉

    esmi

    @esmi

    Forum Moderator

    So a security mission statement, yes? Perhaps this could be pitched via http://wordpress.org/ideas/

    leejosepho

    @leejosepho

    The developer has to do what I’ve been doing – piece together the evidence.

    It would be much easier if there was a single page, under the WordPress.org site, to go to answer the question clearly and concisely.

    Finding a reasonable balance there will/could be quite a challenge, and especially while considering the blogger who does not even know what “self-hosted” means — no technical expertise at all — and also has yet to even learn to blog…

    …and I knew all along that Hillary was just a plant to help the show along!

    Whatever it’s called it needs to:

    • Acknowledge there IS a security team
    • Identify the team’s objectives
    • Identify Proactive tasks
    • Identify Reactive process/tasks

    leejosepho

    @leejosepho

    Whatever it’s called it needs to:

    Acknowledge there IS a security team
    Identify the team’s objectives
    Identify Proactive tasks
    Identify Reactive process/tasks

    Since downloads at WordPress.org are simply made available, never marketed, the WordPress.org “community”, as such, has no actual obligation along that line other than possibly that of the morality of willingly sustaining the fiber behind its continuing to do as always:
    http://wpengine.com/2013/05/08/wordpress-core-is-secure-stop-telling-people-otherwise/
    ** tips hat to Jan **

    Past anecdotal evidence of any circumstantial “lack of security” (as actually experienced simultaneously by anyone at all with a computer) in relation to WordPress proves nothing other than “its” past and the many challenges its “community” has since overcome…and anyone who gives WordPress a fair shot while accepting the personal responsibility of at least “Hardening WordPress”, as suggested, will soon learn for himself or herself of its present-day security. And for those who either want or need an already-gotcha-covered-so-you-can-just-turn-it-on-and-hit-the-accelerator site, the same can be discovered at WordPress.com.

    Moderator Andrew Nevins

    @anevins

    Forum moderator

    Btw I had no idea that this was an issue for WordPress, that people think it’s insecure. How big of an issue is this?

    leejosepho

    @leejosepho

    The client may have heard rumors that WordPress isn’t secure and challenges the developer to prove it is secure.

    How big of an issue is this?

    Helen Hou-Sandi

    @helen

    WordPress Dev

    Linked for information; am not expressing any opinion on what could or should be written where: http://www.slideshare.net/govloop/word-press-as-anopen-source-projectwp-as-an-open-source-project-nacin (in particular, slides 16 and 17).

    >> How big of an issue is this?

    I have no hard data to offer on this. What I have is anecdotal and largely comes from the discussions I have offline at conferences, meetings, and informal gatherings. My peers are the most vocal about this topic. Some clients occasionally mention it. People that I have no connection with are the 2nd most vocal about it.

    @helen – thank you for the link.

    The topic ‘Security Review Process’ is closed to new replies.