WordPress, PHP, is it secure?? (8 posts)

  1. nickb34
    Posted 9 years ago #

    Hey everyone,

    I know someone who wishes to implement a WordPress system for a corporate blog for the firm he works at.

    It is a large firm, and he is worried about how secure WordPress and PHP are (as they currently don't have either set up, and want to know this before they start).

    Sites such as: http://contentious.com/archives/2006/06/12/the-downside-of-wordpress-php-and-crackers

    are showing that it may not be as secure as they would like for the company.

    I have posted this because I would just like some of your thoughts on WordPress and how secure it really is.

    Are there any major issues? Should they go through with it on a corporate level? Maybe not? What's the scoop?

    Thanks a lot

  2. WordPress is reasonably secure *if* you keep it up to date. The problem is that most people don't do that. On that page you linked to, it mentions that he was running WordPress version 1.2 as of last December. That's a bit out of date.

    It's like any software package in that respect. When security problems are found and fixed, you have to apply those fixes to be secure.

  3. nickb34
    Posted 9 years ago #

    Is there a list of fixes and patches on this site?

  4. There's no patch system, it's just a matter of downloading the latest version and upgrading.

  5. wyrd33
    Posted 9 years ago #

    There's no such thing as "secure" for any piece of software.

  6. nickb34
    Posted 9 years ago #

    I realize that, but are there any major vulnerabilities that should be brought to the point before implementing the blog?

  7. Samuel B
    Posted 9 years ago #

    All issues were addressed with the 2.0.3 release.
    Mainly they involved if you let people register on your site. They were fixed.
    I suppose you could look in the previous releases to see what was upgraded.

  8. yosemite
    Posted 9 years ago #

    Does your friend's firm have experience hosting a site? Do they co-locate or use shared hosting? Do they have an experienced IT staff?

    These are some of the key questions. ANY system they use will be compromised under the right conditions so the question becomes how will it be maintained and updated. And frankly, the exact same issues apply to any web site that would apply to a WordPress based blog.

    The article you linked is a wonderful example of how not to run a site. WP 1.2 is relatively ancient, and it makes me wonder how old the version of PHP on his server was (he self-maintained his own server), how well it was configured, whether ANY attention was paid to 'hardening', etc., etc.

    Short answer: If it's hosted with a reputable host (they will make sure the Apache/PHP is pretty secure because they have personnel doing it day-in and day-out) and installed/updated by someone familiar with site security issues it is very secure.
