Comments on: WordPress Insecure by Design?

By: DK

DK — Thu, 12 Feb 2009 12:07:31 +0000

Milan, WordPress has come a far way since Jan/08 (when this post was released). They still have a fair way to go but they have implemented some great security features in recent version.

I like to think BlogSecurity had something to do with this.

By: Milan

Milan — Tue, 10 Feb 2009 21:50:02 +0000

As a relatively unsophisticated WordPress user, I find this worrisome. Hopefully, it is something they will prioritize for the next version, rather than tinkering with the look of admin pages again.

Is this the kind of thing where a good fix could be ‘dropped in,’ or would it require a great deal of coding and testing?

By: I want my WordPress! «

I want my WordPress! « — Wed, 04 Feb 2009 01:58:18 +0000

[...] this a technical impossibility? Are there good reasons (security reasons, maybe?) For anyone who has been blogging for the Observer, are you okay with the current [...]

By: DK

DK — Sun, 16 Mar 2008 22:56:53 +0000

We’ll take your ‘objective blog’ as a compliment, thanks.

If you want something more detailed, attend my OWASP presentation in London, planned in April :)

By: xentek

xentek — Thu, 13 Mar 2008 14:23:32 +0000

mysql_escape_string()? Is that it? I figured an objective blog like this could spend a little more time going deeper than that.

And I would argue, having done multiple projects with both platforms, that Drupal is not more secure. It has more published exploits than WP, and some of its most popular modules don’t conform to either their published coding standards or security practices. Some of them don’t even use the published API and are littered with plain SQL through out the source.

Also its interesting that you say this, yet are using WP to publish this very blog.

By: Halil

Halil — Tue, 26 Feb 2008 14:28:58 +0000

@Ryan Boren

I dont wanna be rude but I really find the excuse to be funny.

Drop the very old version support of mySQL and PHP, raise the minumum required versions if it is needed.

I dont understand how this can be an excuse of bad/in-efficient/in-secure etc. design.

By: Fredrik Wärnsberg

Fredrik Wärnsberg — Mon, 18 Feb 2008 20:54:33 +0000

I dug through the WP source code briefly a couple of days ago and I was also left puzzled as to why they weren’t using mysql_real_escape string. In my experience that’s standard practice.

On the other hand, that shouldn’t be too hard for them to fix.

I also have to agree with Leonid’s point on PHP ;)

By: » Tăng cường bảo mật cho wordpress VNIT™ - VNITWEB » Tăng cường bảo mật cho wordpress: Chuyên Trang Chia Sẻ, Công Nghệ Thông Tin Và Giải Trí Tổng Hợp VN

Thu, 07 Feb 2008 17:05:54 +0000

[...] http://blogsecurity.net/wordpress/wordpress-insecure-by-design/ [...]

By: Ryan Boren

Ryan Boren — Wed, 06 Feb 2008 17:45:38 +0000

Given the old versions of PHP and MySQL we support and the peculiar DB setups we encounter, we've had troubles with simply using mysql_real_escape_string(). The Drupal method of enforcing UTF-8 is appealing, but we're stuck with what we have for now. If anyone has insight on how to get mysql_real_escape_string() and friends to behave across all of the environments WP supports, please share on this bug report.

By: Is WordPress’ security vulnerable at its core? | WordPressGarage.com

Is WordPress’ security vulnerable at its core? | WordPressGarage.com — Wed, 06 Feb 2008 09:04:39 +0000

[...] seems to be the latter, and BlogSecurity.net addressed the general issue of WordPress security recently: We have seen alot of critical vulnerabilities being discovered in WordPress core and its [...]