mocsokmike Tux's lil' helper
Joined: 04 Aug 2005 Posts: 120 Location: Budapest, Hungary
Posted: Mon Oct 01, 2018 11:03 am Post subject: Wordpress security warning
Hi,
for a user request I installed Wordpress on our corporate webserver. The package itself was in testing (~amd64 keyword), and after installing I ran webapp-config, which gave me this message:

Quote:
    !!!!!!!!! SECURITY WARNING !!!!!!!!!!!
    Wordpress has had a history of serious security flaws. Any application
    with less widespread use but the same amount of security issues would
    have been removed from the tree.
    After a short period of being in the unstable tree we once again decided
    that we hard mask the package.
    THIS MEANS THAT THERE IS NO GUARANTEE WHATSOEVER THAT THE PACKAGE WILL
    GET UPGRADED WITHIN A REASONABLE AMOUNT OF TIME EVEN IN THE CASE OF
    SEVERE SECURITY ISSUES.
    We consider installing this package a severe risk to your system and
    you should keep a close eye on the common security trackers so
    that you are able to fix problems with your installation yourself if
    required.

It is not live yet. I want to investigate this warning message further.
The hard mask part is not true, so I was wondering whether leaving this in webapp-config was unintentional?
Or should I stop using WP in our company?
I am new to WP, and not aware of its history of security issues. Please let me know your opinion about this webapp.
The version I installed is: www-apps/wordpress-4.9.8
_________________
format c:
emerge system
bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5934
Posted: Mon Oct 01, 2018 12:02 pm
All it means is that it might take a couple of days to get an updated ebuild when Wordpress needs to push out a new version (which happens somewhat regularly) to fix security issues. Since Wordpress is one of the biggest CMS packages, it's a common target for bots exploiting security holes. Wordpress internally tracks new versions on the dashboard, so if they put out a new version and you don't have an ebuild yet, you might want to consider setting up an overlay where you can temporarily bump the package yourself until the main portage tree catches up.
_________________
Neddyseagoon wrote: "The problem with leaving is that you can only do it once and it reduces your influence."
banned from #gentoo since sept 2017
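The overlay bump bunder describes, written out as an added example (this is not code from the thread or from Gentoo's own tooling). It assumes the overlay is named `local`, that the main tree lives at /var/db/repos/gentoo (or /usr/portage on older systems), that the new upstream release needs no ebuild changes beyond the rename (diff the last two ebuilds in the tree first to confirm), and that `ebuild ... manifest` is available on the real system to fetch the tarball and record its checksums. The `demo` function builds a constructed fake tree in a temporary directory so the script can be run without portage.

```shell
#!/bin/sh
# Added example: stage a version bump of www-apps/wordpress in a local overlay
# so portage can install the new upstream release before the main tree catches
# up. Assumed: overlay name "local", no ebuild changes needed beyond the rename,
# and `ebuild <file> manifest` available on the real system.
set -eu

# Write the minimal files portage needs to treat a directory as a repository.
init_overlay() {
    overlay="$1" name="$2"
    mkdir -p "$overlay/metadata" "$overlay/profiles"
    printf '%s\n' "$name" > "$overlay/profiles/repo_name"
    printf 'masters = gentoo\nthin-manifests = true\n' > "$overlay/metadata/layout.conf"
}

# Copy the newest ebuild of $cat_/$pn from $tree into $overlay under the new
# version, together with metadata.xml and the files/ directory, and regenerate
# the Manifest when portage is installed. Prints the path of the new ebuild.
bump_ebuild() {
    tree="$1" overlay="$2" cat_="$3" pn="$4" newver="$5"
    src="$tree/$cat_/$pn" dst="$overlay/$cat_/$pn"
    [ -d "$src" ] || { echo "no such package in $tree: $cat_/$pn" >&2; return 1; }
    # sort -V orders 4.9.10 after 4.9.8, which plain lexical sorting would not
    latest=$(ls "$src/$pn"-*.ebuild 2>/dev/null | sort -V | tail -n 1)
    [ -n "$latest" ] || { echo "no ebuild found in $src" >&2; return 1; }
    mkdir -p "$dst"
    cp "$latest" "$dst/$pn-$newver.ebuild"
    [ -f "$src/metadata.xml" ] && cp "$src/metadata.xml" "$dst/"
    [ -d "$src/files" ] && cp -R "$src/files" "$dst/"
    if command -v ebuild >/dev/null 2>&1; then
        ebuild "$dst/$pn-$newver.ebuild" manifest
    fi
    echo "$dst/$pn-$newver.ebuild"
}

# Print the repos.conf stanza that registers the overlay; save it (as root) to
# /etc/portage/repos.conf/<name>.conf. The ~amd64 package still needs the same
# package.accept_keywords entry as the tree version.
repos_conf() {
    printf '[%s]\nlocation = %s\nmasters = gentoo\nauto-sync = no\n' "$2" "$1"
}

# Stand-alone demonstration on a constructed tree (not a real portage tree):
# run `sh bump.sh demo`. On a real system call bump_ebuild with the main tree
# path and your overlay path instead.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/gentoo/www-apps/wordpress"
    printf 'EAPI=6\nDESCRIPTION="constructed sample ebuild"\n' \
        > "$work/gentoo/www-apps/wordpress/wordpress-4.9.8.ebuild"
    init_overlay "$work/local" local
    bump_ebuild "$work/gentoo" "$work/local" www-apps wordpress 4.9.9
    repos_conf "$work/local" local
}

if [ "${1:-}" = demo ]; then demo; fi
```

Once the stanza is in repos.conf, `emerge -av www-apps/wordpress` picks the higher version from the overlay; remove the overlay copy again when the main tree ships the same version so you do not silently keep a locally maintained ebuild around.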
mocsokmike Tux's lil' helper
Posted: Mon Oct 01, 2018 1:15 pm
Oh, that's OK. I will keep an eye on it.
Still, it is easier to use portage to update it automatically.
Thanks for the explanation!
Hu Moderator
Joined: 06 Mar 2007 Posts: 21595
Posted: Tue Oct 02, 2018 1:52 am
In my opinion, it is extremely dangerous to run a Wordpress install that is accessible over the network to anyone to whom you would not entrust a local shell. If the blog is run solely internally, it might be an acceptable risk. (Remember that you must worry about every employee, and every bit of malware that might ride in on an employee's device.) If the blog is exposed to the world, I would not do it.
mocsokmike Tux's lil' helper
Posted: Tue Oct 02, 2018 3:27 pm
@Hu, can you elaborate? In our case, this site would be accessible from the Internet.
hdcg Tux's lil' helper
Joined: 07 Apr 2013 Posts: 120
Posted: Tue Oct 02, 2018 3:55 pm
Hi mocsokmike,
to give you an idea:
https://www.wordfence.com/blog/2017/04/march-2017-wordpress-attack-report/
https://sucuri.net/reports/2017-hacked-website-report
https://wpplugins.tips/wordpress-security-statistics/
Due to the wide use of Wordpress it is number one on any attacker's list, and attacks are well supported.
Wordpress "supports" this by its overwhelming functionality and a huge number of not always well maintained plugins.
I did once run a Wordpress site and the continuous attack attempts made me switch to a simpler file-based CMS.
My insights from this experience are:
- Prepare for continuous support/monitoring of the site
- Use a setup capable of performing self-updates (to be prepared for zero-day exploits); I do not know whether the ebuild-based setup supports this
- Avoid plugins (at least ones of poor quality)
- Look out for more security-related Wordpress tips
Best Regards,
Holger
mocsokmike Tux's lil' helper
Posted: Tue Oct 02, 2018 4:13 pm
Thank you, Holger. This really made me think about using something else instead of WP.
I'd prefer not to be in the spotlight of hackers.
Hu Moderator
Posted: Wed Oct 03, 2018 1:58 am
Wordpress has a history of severe security problems, including allowing remote users to obtain code execution on the system running the Wordpress install. If your use case is exposing the content to the Internet, I would not trust Wordpress to do the job safely.
Muso Veteran
Joined: 22 Oct 2002 Posts: 1052 Location: The Holy city of Honolulu
Posted: Fri Oct 05, 2018 12:36 am
There are 1,107 Wordpress exploits on the ExploitDB. Some are guaranteed to be sold on the deepweb as well.
_________________
"You can lead a horticulture but you can't make her think" ~ Dorothy Parker
2021 is the year of the Linux Desktop!