Comments on: Which is more secure: WordPress vs WordPress MU

By: BlogSecurity » Blog Archive » Live from the wire: BlogSec News

BlogSecurity » Blog Archive » Live from the wire: BlogSec News — Wed, 31 Oct 2007 11:06:51 +0000

[...] team were able to release some personalised posts to answer questions (see Which is more secure: WP verse WPMU and the less-technical Should you display a subscriber [...]

By: David Kierznowski

David Kierznowski — Thu, 25 Oct 2007 09:54:24 +0000

Donncha, it really depends on the vulnerability in question. Database separation is more for input validation type vulnerabilities, such as SQL Injection.

By having the data and users separated, we can now focus on database and database user permissions and security.

However, all previous comments (including mine) are actually irrelevant.

The scope of the original question was PCI compliance. From a security threat model, a shared database scheme and setup of WP MU hosting critical information shared with other non-critical data stores is really not the way forward.

By: Donncha O Caoimh

Donncha O Caoimh — Thu, 25 Oct 2007 08:52:58 +0000

But even if you use multiple dbs, the username and passwords used to access them has to be stored somewhere. If someone exploits your server then all bets are off and he gets access to everything..

By: David Kierznowski

David Kierznowski — Thu, 25 Oct 2007 06:31:36 +0000

I can imagine 100,000 bloggers knocking at my door when every single one of them have been hacked because one plugin that one blog used shared the same database.

By: demonicume

demonicume — Wed, 24 Oct 2007 00:30:05 +0000

bro, i can only imagine creating a separate DB for 100,000+ blogs. plugins would all have to be rewritten.