Which is more secure: WordPress vs WordPress MU
A couple of weeks ago Adam Warner suggested we do a security comparison between WordPress and WordPress MU. In particular, he was interested to know which was more likely to pass PCI accreditation.
I contacted Donncha, lead developer of WordPress MU, for some feedback. Interestingly, we both shared similar sentiments, which made this question fairly simple to address.
As WordPress MU shares most of the same code as WordPress, there were only three points I wanted to raise:
- Same code – WordPress and WordPress MU share around 90-95% of the WordPress core code. However, that remaining 5-10% may make a difference.
- File editing functions – Before you set your mind on point 1, consider that WP MU has removed some of the WP file editing capabilities. This may put them back at a tie.
- Same database weakness – The only concern I had was that WordPress MU by default suggests using the same database (just different table prefixes) for all blogs. From a PCI accreditation perspective you’ll certainly want to use its other feature and separate both the tables and the databases.
So to summarise: I feel WordPress by default may be a better option for PCI accreditation. It encourages a separation mentality: separate blog, separate database, etc. However, from a realistic risk analysis, they are more or less the same in my opinion.
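To make the third point concrete, here is the shared-database layout next to the per-blog layout expressed as MySQL grants. This is an added illustration, not part of the original post or of WordPress MU itself; the database, account and table names are assumptions, and the passwords are placeholders.

```sql
-- Added example (not from the original post): shared database versus
-- per-blog databases, expressed as MySQL grants. All names are assumptions.

-- Weak setting: one database, one account, every blog's tables side by side
-- (wp_1_posts, wp_2_posts, ...). A SQL injection in blog 1 runs with the same
-- rights over blog 2's tables, because the connection is the same account.
CREATE DATABASE wpmu_shared;
CREATE USER 'wpmu'@'localhost' IDENTIFIED BY 'placeholder-password';
GRANT ALL PRIVILEGES ON wpmu_shared.* TO 'wpmu'@'localhost';

-- Corrected setting: one database and one least-privilege account per blog.
CREATE DATABASE wp_blog1;
CREATE DATABASE wp_blog2;
CREATE USER 'wp_blog1'@'localhost' IDENTIFIED BY 'placeholder-password-1';
CREATE USER 'wp_blog2'@'localhost' IDENTIFIED BY 'placeholder-password-2';
-- Day-to-day WordPress only needs DML on its own schema. CREATE and ALTER are
-- needed during install and upgrades; grant them for that window, then revoke.
-- Nothing at all is granted on the other blog's database.
GRANT SELECT, INSERT, UPDATE, DELETE ON wp_blog1.* TO 'wp_blog1'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON wp_blog2.* TO 'wp_blog2'@'localhost';
FLUSH PRIVILEGES;

-- Check 1: the grants for the blog-1 account must mention only wp_blog1.
SHOW GRANTS FOR 'wp_blog1'@'localhost';

-- Check 2: run from a session opened as 'wp_blog1', this must fail with a
-- "SELECT command denied" error rather than return the other blog's rows.
SELECT post_title FROM wp_blog2.wp_posts;
```

The second check is the one that matters for the PCI argument: with the shared layout the same query succeeds, so a single vulnerable plugin exposes every blog's data.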
Comments
I can imagine 100,000 bloggers knocking at my door when every single one of them has been hacked because one plugin that one blog used shared the same database.
But even if you use multiple DBs, the usernames and passwords used to access them have to be stored somewhere. If someone exploits your server then all bets are off and he gets access to everything.
Donncha, it really depends on the vulnerability in question. Database separation is more for input validation type vulnerabilities, such as SQL Injection.
By having the data and users separated, we can now focus on database and database user permissions and security.
However, all previous comments (including mine) are actually irrelevant.
The scope of the original question was PCI compliance. From a security threat model, a shared database scheme and setup of WP MU hosting critical information shared with other non-critical data stores is really not the way forward.
Bro, I can only imagine creating a separate DB for 100,000+ blogs. Plugins would all have to be rewritten.