Stop being a LURKER - join our dealer community and get involved. Sign up and start a conversation.

Reply to thread

Message

I can tell you definitively, Wordpress is not an ideal platform for many reasons.
insecure plugin architecture
insecure file system management
terribly low quality codebase (I've worked on it personally)
insecure backwards compatability (ie: any password can be overwritten with a basic MD5 hash and it allows login with that password, no salt needed)
many easy to get site scanners will identify hundreds of wordpress sites with vulnerabilities. Every plugin is a potential liability.
no quality control on the plugin repository - there are hundreds of plugins in there today that are incredibly insecure
plenty of core code is susceptible to injection attacks, CSRF attacks, etc
fundamentally, I can get the source code of your website for the right price. $59 on ThemeForest (https://themeforest.net/item/marble-flat-responsive-creative-wordpress-theme/5896650) and I have all your themes files and can check them line by line for the inevitable vulnerabilities, then exploit them on your live site.
Don't take it from me, take it from the guy who founded Wordpress and hired a CEO to address the fact that "the technological foundations of the past decade weren’t strong enough for the demands of next one."

Or take it from Joost (the man who made the famous Yoast SEO plugin):
"I figured out that both the [Wordpress] Codex and the developer documentation on WordPress.org for these functions were missing the fact that you had to escape their output. In fact, the examples in them when copied would create exploitable code straight away."

Or take it from the list of 222 vulnerabilities that are public - http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/
Or the catalogue of 4885 vulnerabilities here: https://wpvulndb.com/ - only 6 new ones last month
or from ars technica pointing out millions of sites were at risk due to vulnerabilities 2 months ago - http://arstechnica.com/security/2015/05/actively-exploited-wordpress-bug-puts-millions-of-sites-at-risk/

https://www.quora.com/Is-Wordpress-really-written-that-bad

I've been working with Wordpress longer than most people knew what it was.
It's a disaster. Can it be fixed? Sure.
Lots of vendors use it properly by locking everything down, changing the folder structure, removing the version indicators, hardening the password function and use custom table names.

<blockquote data-quote="craigh" data-source="post: 42945" data-attributes="member: 3505">I can tell you definitively, Wordpress is not an ideal platform for many reasons.<ul>
<li data-xf-list-type="ul">insecure plugin architecture</li>
<li data-xf-list-type="ul">insecure file system management</li>
<li data-xf-list-type="ul">terribly low quality codebase (I've worked on it personally)</li>
<li data-xf-list-type="ul">insecure backwards compatability (ie: any password can be overwritten with a basic MD5 hash and it allows login with that password, no salt needed)</li>
<li data-xf-list-type="ul">many easy to get site scanners will identify hundreds of wordpress sites with vulnerabilities. Every plugin is a potential liability.</li>
<li data-xf-list-type="ul">no quality control on the plugin repository - there are hundreds of plugins in there today that are incredibly insecure</li>
<li data-xf-list-type="ul">plenty of core code is susceptible to injection attacks, CSRF attacks, etc</li>
<li data-xf-list-type="ul">fundamentally, I can get the source code of your website for the right price. $59 on ThemeForest (<a href="https://themeforest.net/item/marble-flat-responsive-creative-wordpress-theme/5896650" target="_blank">https://themeforest.net/item/marble-flat-responsive-creative-wordpress-theme/5896650</a>) and I have all your themes files and can check them line by line for the inevitable vulnerabilities, then exploit them on your live site.</li>
</ul>Don't take it from me, take it from the guy who founded Wordpress and hired a CEO to address the fact that &quot;the technological foundations of the past decade weren’t strong enough for the demands of next one.&quot;Or take it from Joost (the man who made the famous Yoast SEO plugin):&quot;I figured out that both the [Wordpress] Codex and the developer documentation on WordPress.org for these functions were missing the fact that you had to escape their output. In fact, the examples in them when copied would create exploitable code straight away.&quot;Or take it from the list of 222 vulnerabilities that are public - <a href="http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/" target="_blank">http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/</a>Or the catalogue of 4885 vulnerabilities here: <a href="https://wpvulndb.com/" target="_blank">https://wpvulndb.com/</a> - only 6 new ones last month <img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" class="smilie smilie--sprite smilie--sprite108" alt=":)" title="Smile&nbsp; &nbsp; :)" loading="lazy" data-shortname=":)" />or from ars technica pointing out millions of sites were at risk due to vulnerabilities 2 months ago - <a href="http://arstechnica.com/security/2015/05/actively-exploited-wordpress-bug-puts-millions-of-sites-at-risk/" target="_blank">http://arstechnica.com/security/2015/05/actively-exploited-wordpress-bug-puts-millions-of-sites-at-risk/</a><a href="https://www.quora.com/Is-Wordpress-really-written-that-bad" target="_blank">https://www.quora.com/Is-Wordpress-really-written-that-bad</a> I've been working with Wordpress longer than most people knew what it was.It's a disaster. Can it be fixed? Sure.Lots of vendors use it properly by locking everything down, changing the folder structure, removing the version indicators, hardening the password function and use custom table names.</blockquote>

[QUOTE="craigh, post: 42945, member: 3505"] I can tell you definitively, Wordpress is not an ideal platform for many reasons. [LIST] [*]insecure plugin architecture [*]insecure file system management [*]terribly low quality codebase (I've worked on it personally) [*]insecure backwards compatability (ie: any password can be overwritten with a basic MD5 hash and it allows login with that password, no salt needed) [*]many easy to get site scanners will identify hundreds of wordpress sites with vulnerabilities. Every plugin is a potential liability. [*]no quality control on the plugin repository - there are hundreds of plugins in there today that are incredibly insecure [*]plenty of [B]core[/B] code is susceptible to injection attacks, CSRF attacks, etc [*]fundamentally, I can get the source code of your website for the right price. $59 on ThemeForest ([URL]https://themeforest.net/item/marble-flat-responsive-creative-wordpress-theme/5896650[/URL]) and I have all your themes files and can check them line by line for the inevitable vulnerabilities, then exploit them on your live site. [/LIST] Don't take it from me, take it from the guy who founded Wordpress and hired a CEO to address the fact that "the technological foundations of the past decade [B]weren’t strong enough[/B] for the demands of next one." Or take it from Joost (the man who made the famous Yoast SEO plugin): "I figured out that both the [Wordpress] Codex and the developer documentation on WordPress.org for these functions were missing the fact that you had to escape their output. In fact, the examples in them when copied would create exploitable code straight away." Or take it from the list of 222 vulnerabilities that are public - [URL]http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/[/URL] Or the catalogue of 4885 vulnerabilities here: [URL]https://wpvulndb.com/[/URL] - only 6 new ones last month :) or from ars technica pointing out millions of sites were at risk due to vulnerabilities 2 months ago - [URL]http://arstechnica.com/security/2015/05/actively-exploited-wordpress-bug-puts-millions-of-sites-at-risk/[/URL] [URL]https://www.quora.com/Is-Wordpress-really-written-that-bad[/URL] I've been working with Wordpress longer than most people knew what it was. It's a disaster. Can it be fixed? Sure. Lots of vendors use it properly by locking everything down, changing the folder structure, removing the version indicators, hardening the password function and use custom table names. [/QUOTE]

Verification

Top Bottom

Back

Search

Search

Reply to thread