WordPress 2.6 Security Improvements?

WordPress 2.6 plans to include a number of security improvements. Several XML-RPC features will be deactivated by default. I doubt they will remove functions such as pingbacks and trackbacks; however, it is something to keep an eye on.

So will this really help secure WordPress in the future?

WordPress has become more security focused. They suppressed database errors in version 2.3.2 and added salted passwords and cookie security in 2.5. Although some of the initial releases caused more harm than good, we think WordPress is generally trying to do the right thing.

Minimising the XML-RPC functions that are exposed is certainly a good way to reduce the attack surface. In fact, BlogSec have been thinking about coding a plugin to do this. However, WordPress really needs to put together a dedicated security team that will provide quality security standards and procedures around development, infrastructure and design. Commenting on this, David Kierznowski had this to say:

I don’t believe they have achieved a golden security standard as yet, when considering the security implications in the initial WordPress 2.5 release, but they are certainly on the right track.
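The plugin idea mentioned above, as an added example that is not BlogSec's or WordPress's own code: it drops the pingback methods from the XML-RPC method table and stops advertising the pingback endpoint, with an optional switch to turn XML-RPC off entirely. The plugin name and the `TRIM_XMLRPC_DISABLE_ALL` constant are hypothetical; the `xmlrpc_methods` and `wp_headers` filters are long-standing WordPress hooks, while `xmlrpc_enabled` only exists in WordPress 3.5 and later.

```php
<?php
/*
Plugin Name: Trim XML-RPC Surface (example)
Description: Removes pingback XML-RPC methods, or disables XML-RPC entirely, to reduce the remote attack surface.
*/

// Hypothetical switch for this example: true disables every XML-RPC call (WordPress 3.5+).
define( 'TRIM_XMLRPC_DISABLE_ALL', false );

// 'xmlrpc_methods' passes the array of method name => handler and expects it back.
// Without the pingback entries the server answers "method not found" instead of
// fetching remote URLs on behalf of anonymous callers.
function trim_xmlrpc_methods( $methods ) {
    $unwanted = array(
        'pingback.ping',
        'pingback.extensions.getPingbacks',
    );
    foreach ( $unwanted as $name ) {
        unset( $methods[ $name ] );
    }
    return $methods;
}
add_filter( 'xmlrpc_methods', 'trim_xmlrpc_methods' );

// Optional: switch XML-RPC off altogether (filter available from WordPress 3.5).
if ( TRIM_XMLRPC_DISABLE_ALL ) {
    add_filter( 'xmlrpc_enabled', '__return_false' );
}

// Stop advertising the endpoint: remove the RSD <link> from <head> and the
// X-Pingback header from single-post responses, so the site is not listed as a target.
remove_action( 'wp_head', 'rsd_link' );

function trim_xmlrpc_remove_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'trim_xmlrpc_remove_pingback_header' );
```

Verify the effect by requesting `/xmlrpc.php` with a `pingback.ping` call and checking that the response is a "method not found" fault, and by confirming that no `X-Pingback` header is returned for a single post.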


Comments

Now, if just anybody would care to explain how disabling a feature would reduce attack surface for those who need said feature and thus switch it on?

Is it any safer when all the other blogs don’t use it? Hm, not in my book at least.

Otherwise, how would you judge the hypothetical attempt of Microsoft to disable internet access in the next release of Windows as it has proved to be a very vulnerable attack surface in the past versions?

I usually disable XML-RPC on my sites where I don't need it, and it has been working alright for me.

Disabling a necessary feature is not an option, thank you for pointing that out… again.

.~.

[quote]A number of XMLRPC features will be deactivated by default. I doubt they will remove functions such as pingbacks and trackbacks, however, it is something to keep an eye on.[/quote]

Many users do not need comments, pingbacks and trackbacks, so it would be very useful to produce a guide to disabling these features in older versions of WordPress.

[...] Re: Wordpress Vs Blogger On and off topic I have run a self hosted Wordpress blog for a while and I agree with everyone that it rocks. But with reports of security issues with Wordpress I’m not sure if I’m going to stay with it. Wordpress being open source and as widely used, it has become a hacker magnet. Wordpress also does not have anyone dedicated to security that I know of. So with this in mind what other blogger software is as good as Wordpress? To be honest I’m not sure, can anyone help me out there, or give your thoughts on these issues? Other comments on Wordpress issues. [...]

Since the xml/rpc stuff is what makes wordpress so kickass in the search engines, turning this stuff off is not exactly going to win friends and influence people. It would be better to find a way to make it secure for those who wish to use the features and develop a method to turn them off for those who don’t need them.

And it is about time that Matt Mullenweg started paying attention to security. I’ve heard backroom rumors that his dev team has been screaming for this for years.

[...] WordPress 2.6 Security Improvements? from the site BlogSecurity.net, [...]

Switching off some features is not “security improvements”. Why not just separate the whole features from being downloaded in the first place? I think they should improve their code and hard-code it instead of turning it off.

Anyway, there are other alternatives like OpenID & OAuth to make it more secure..

WTF is wordpress and why should I care?

[...] 2.6 is now available. We have mentioned some of the security improvements in an earlier post. The latest version promises a number of security enhancements as [...]
