Daniel Cuthbert has written a paper on ModSecurity and WordPress. While I praise the work and the effort, I am not sure why they did not find it in themselves to protect the PDF document that they are distributing using some sort of SHA1 checksum or the like to ensure the integrity of the download. Now I know that these guys know what they are doing, but I have a problem with security-related papers, help documents, scripts and other items when they cannot be verified with the source and the source itself cannot be verified with the original author of the product.
I have always been a big proponent of mod_security and I think it provides a comprehensive layer of web security without as much overhead. Although I have never thought of WordPress’ security to be as weak as the BlogSecurity folks have claimed it to be. mod_security requires various rules to be put in place for it to filter out malicious activity. This paper goes through some of those generic PHP rules and some specific WordPress based rules for webmasters to add to their mod_security filters.
You're kidding me, right? 🙂
With regards to the security of the PDF, I'm a little confused here. If it was source code we could have offered the usual methods of signing, but I have written many papers in my lifetime and never come across this request. If you want I can add an md5sum of the paper?
WordPress isn’t secure. The developers have constantly shown a lack of regard, and understanding, of the Secure Development Life Cycle, which is why every new release includes various security issues.
Daniel: You are offering up code inside the PDF for people to use. If that PDF is copied to another blog/server and the contents modified to suit nefarious purposes, or if the transmission is modified in transit, it could prove to be a security risk on its own since your goodwill will still be associated with it. Your confusion concerns me.
As for your concern about the WordPress developers' lack of regard, I wholeheartedly disagree. I cannot speak for them, but my observation is that the best possible solution(s) is (are) chosen from the list of available resources and options for code. Security is one of the major concerns of the developers and it is taken as seriously as possible. I have always encouraged people with an interest in WordPress to roll up their sleeves and dive into the code as and when they can help. It is not a one-way street. If there was one point of code development and only one source control (such as WordPress.com), then security could be better cordoned off. If a whole bunch of people can inject code into the source (such as freely available plugins and themes), controlling their outcome becomes even more difficult. However, this is not an excuse but a predictor of further work that needs to be done.
Also, assailing the developers as being callous is probably not very productive, nor is it very effective in getting results, since complaining only makes people ignore you, and real code and real solutions are more welcome. You are doing good work with good intentions. I suggest that you do not taint it with negativity.
Mark, as Daniel mentioned, we could offer an MD5 or SHA1 checksum with the PDF; it's fairly easy to do. I guess this is only really useful if the PDF is distributed and accessed on other web sites – this often applies to tools rather than papers.
Getting back to the paper, to avoid ambiguity: implementing these rules will definitely add an awesome layer of security to a WordPress blog! Daniel, as I have said before, kick-ass work my man!
David/Daniel: SHA1 checksum should work just fine. Thank you!
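The checksum arrangement the thread settles on, as an added example that is not part of the original discussion, the paper, or BlogSecurity's own tooling: a publisher-side step that writes a SHA1 digest in the `sha1sum -c` layout, and a reader-side step that recomputes the digest of the downloaded file and compares it. The sample "paper" content and file names are constructed for the demo. Note the limit of the technique: a digest fetched over the same channel as the PDF only detects accidental corruption or a copy altered on a mirror; if the reader obtains both from the same possibly-modified source, the attacker can rewrite the digest as easily as the file, so the checksum should be obtained from the original author's site (or replaced by a signature) to cover the in-transit case raised above.

```shell
#!/bin/sh
# Added example (not the paper's or BlogSecurity's code): publish and verify
# a SHA1 checksum for a distributed document, catching a modified copy.

# hash_file FILE -> hex SHA1 digest (sha1sum on Linux, shasum on BSD/macOS)
hash_file() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# publish_checksum FILE OUTFILE
# Writes "<digest>  <basename>" - the line format `sha1sum -c` understands,
# so readers can also verify with the stock tool.
publish_checksum() {
    printf '%s  %s\n' "$(hash_file "$1")" "$(basename "$1")" > "$2"
}

# verify_download FILE CHECKSUMFILE -> exit 0 on match, 1 on mismatch/missing
# The digest is looked up by file name so one checksum file can cover several
# downloads; an absent entry is treated as a failure, not as "nothing to check".
verify_download() {
    expected=$(awk -v f="$(basename "$1")" '$2 == f {print $1}' "$2")
    [ -n "$expected" ] || return 1
    actual=$(hash_file "$1")
    [ "$expected" = "$actual" ]
}

# demo: a constructed stand-in for the PDF, then a tampered copy of it
demo() {
    tmp=$(mktemp -d)
    printf 'stand-in paper content (constructed)\n' > "$tmp/paper.pdf"
    publish_checksum "$tmp/paper.pdf" "$tmp/paper.pdf.sha1"
    verify_download "$tmp/paper.pdf" "$tmp/paper.pdf.sha1" && echo "original: OK"
    # simulate a mirror that altered the document after the digest was published
    printf 'stand-in paper content (altered)\n' > "$tmp/paper.pdf"
    verify_download "$tmp/paper.pdf" "$tmp/paper.pdf.sha1" || echo "tampered copy: MISMATCH"
    rm -rf "$tmp"
}

demo
```

Publishing the digest as `paper.pdf.sha1` next to the PDF on the author's own site lets a reader run `sha1sum -c paper.pdf.sha1` against whichever mirror they downloaded from; the function above does the same comparison without depending on the `-c` flag being present.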