Which is more secure: WordPress vs WordPress MU
Filed Under (Articles, WordPress) by DK on 24 October 2007

A couple of weeks ago Adam Warner suggested we have do a security comparison between WordPress and WordPress MU. In particular, he was interested to know which was more likely to pass PCI accreditation.

I contacted Doncha, lead developer of WordPress MU for some feedback. Interestingly, we both shared similar sentiments and it made this question fairly simple to address.

As WordPress MU shares most of the same code as WordPress, there were only three points I wanted to raise:

  1. Same code - WordPress and WordPress MU share around 90-95% of the WordPress core code. However, that 5-10% may make a difference.
  2. File editing functions - Before you set your mind on point 1, consider that WP MU has removed some of the WP file editing capabilities. This may put them back at tie.
  3. Same database weakness - The only concern I had was that WordPress MU by default suggests using the same database (just different table names) for blogs. From a PCI accreditation perspective you’ll certainly want to use its other feature and seperate both the tables and databases.

So to summarise: I feel WordPress by default may be a better option for PCI accreditation. It encourages a seperation mentality. Seperate blog, seperate database etc; However, from a realistic risk analyses, they are more or less the same in my opinion.

   
Enjoy the article? Please take a second to: Digg it! | StumbleUpon it!

Read and Contribute to BlogSec News!

Comments

demonicume on 24 October, 2007 at 1:30 am #

bro, i can only imagine creating a separate DB for 100,000+ blogs. plugins would all have to be rewritten.


David Kierznowski on 25 October, 2007 at 7:31 am #

I can imagine 100,000 bloggers knocking at my door when every single one of them have been hacked because one plugin that one blog used shared the same database.


Donncha O Caoimh on 25 October, 2007 at 9:52 am #

But even if you use multiple dbs, the username and passwords used to access them has to be stored somewhere. If someone exploits your server then all bets are off and he gets access to everything..


David Kierznowski on 25 October, 2007 at 10:54 am #

Donncha, it really depends on the vulnerability in question. Database separation is more for input validation type vulnerabilities, such as SQL Injection.

By having the data and users separated, we can now focus on database and database user permissions and security.

However, all previous comments (including mine) are actually irrelevant.

The scope of the original question was PCI compliance. From a security threat model, a shared database scheme and setup of WP MU hosting critical information shared with other non-critical data stores is really not the way forward.


BlogSecurity » Blog Archive » Live from the wire: BlogSec News on 31 October, 2007 at 12:06 pm #

[…] team were able to release some personalised posts to answer questions (see Which is more secure: WP verse WPMU and the less-technical Should you display a subscriber […]


Comment
Name:
Email:
Website:
Message: