ModSecurity and WordPress

Comments

1. David Kierznowski (2 comments.) says:

   11/1/2007 at 7:48 am

   Although I have never thought of WordPress’ security to be as weak as the BlogSecurity folks have claimed it to be.

   Your kidding me right?
2. Daniel (1 comments.) says:

   11/1/2007 at 9:07 am

   With regards to the security of the pdf, i’m a little confused here. If it was source code we could have offered the usual methods of signing, but I have written many papers in my lifetime and never come across this request. If you want I can add a md5sum of the paper?

   WordPress isn’t secure. The developers have constantly shown a lack of regard, and understanding, of the Secure Development Life Cycle, which is why every new release includes various security issues.
3. Mark Ghosh (386 comments.) says:

   11/1/2007 at 9:35 am

   Daniel: You are offering up code inside the PDF for people to use. If that PDF is copied to another blog/server and the contents modified to suit nefarious purposes, or if the transmission is modified in transit, it could prove to be a security risk on its own since your goodwill will still be associated with it. Your confusion concerns me.

   As for your concern about the WordPress developers’ lack of regard, I whole heartedly disagree. I cannot speak for them but my observation is that the best possible solution(s) is(are) chosen from the list of available resources and options for code. Security is one of the major concerns of the developers and it is taken as seriously as possible. I have always encouraged people with an interest in WordPress to roll up their sleeves and dive into the code as and when they can help. It is not a one way street. If there was one point of code development and only one source control (such as WordPress.com) then security could be better cordoned off. If a whole bunch of people can inject code into the source (such as freely available plugins and themes), controlling their outcome becomes even more difficult. However, this is not an excuse but a predictor of further work that needs to be done.

   Also, assailing the developers of being callous is probably not very productive nor is it very effective in getting results since complaining only makes people ignore you and real code and real solutions are more welcomed. You are doing good work with good intentions. I suggest that you do not taint it with negativity.
4. David Kierznowski (2 comments.) says:

   11/1/2007 at 10:40 am

   Mark, as Daniel mentioned we could offer an MD5 or SHA1 checksum with the PDF its fairly easy to do. I guess this is only really useful if the PDF is distributed and accessed on other web sites – this often applies to tools rather then papers.

   Getting back to the to avoid ambiguity: implementing these rules will definitely add an awesome layer of security to a WordPress blog! Daniel, as I have said before, kick ass work my man!
5. Mark Ghosh (386 comments.) says:

   11/1/2007 at 11:49 am

   David/Daniel: SHA1 checksum should work just fine. Thank you!

Trackbacks/Pingbacks

1. Securing Linux Wordpress with Modsecurity | Aufklarung Personal JOURNAL says:

   11/1/2007 at 3:54 pm

   […] read a paper on Blogsecurity, posted also on wordpress planet a few minutes ago about excellent way to securing the WordPress blog with Modsecurity. The writer […]