Gentoo Forums
Wordpress security warning
Forum: Networking & Security
mocsokmike (Tux's lil' helper; Joined: 04 Aug 2005; Posts: 116; Location: Budapest, Hungary)
Posted: Mon Oct 01, 2018 11:03 am    Post subject: Wordpress security warning

Hi,

At a user's request I installed Wordpress on our corporate webserver. The package itself was in testing (~amd64 keyword), and after installing it I ran webapp-config, which gave me this message:
Quote:
!!!!!!!!! SECURITY WARNING !!!!!!!!!!!

Wordpress has had a history of serious security flaws. Any application
with less widespread use but the same amount of security issues would
have been removed from the tree.

After a short period of being in the unstable tree we once again decided
that we hard mask the package.

THIS MEANS THAT THERE IS NO GUARANTEE WHATSOEVER THAT THE PACKAGE WILL
GET UPGRADED WITHIN A REASONABLE AMOUNT OF TIME EVEN IN THE CASE OF
SEVERE SECURITY ISSUES.

We consider installing this package a severe risk to your system and
you should keep a close eye on the common security trackers so
that you are able to fix problems with your installation yourself if
required.

It is not live yet. I want to investigate this warning message further.

The hard mask part is not true, so I was wondering whether leaving this in webapp-config was unintentional.
Or should I stop using WP in our company?
I am new to WP, and not aware of its history of security issues. Please let me know your opinion about this webapp.

The version I installed is: www-apps/wordpress-4.9.8
bunder (Bodhisattva; Joined: 10 Apr 2004; Posts: 5803)
Posted: Mon Oct 01, 2018 12:02 pm

All it means is that it might take a couple of days for an updated ebuild when Wordpress needs to push out a new version (which happens somewhat regularly) to fix security issues. Since Wordpress is one of the biggest CMS packages, it's a common target for bots exploiting security holes. Wordpress internally checks for new versions and shows them on the dashboard, so if they put out a new version and you don't have an ebuild yet, you might want to consider setting up an overlay where you can temporarily bump the package yourself until the main portage tree catches up.
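One way to do the "bump it yourself in an overlay" step bunder describes, written as an added example for this thread (it is not code from the thread, from the Gentoo tree or from webapp-config). It assumes the main tree at /var/db/repos/gentoo and a local overlay at /var/db/repos/local, both passed in as parameters so it can be tried in a scratch directory, and the new version number is a placeholder you substitute with the release Wordpress actually announced. The ebuild derives the tarball name from ${PV}, so a straight copy of the 4.9.8 ebuild under the new name is normally all that is needed; `ebuild ... manifest` (only available on a Gentoo host) then fetches the new distfile and records its checksums.

```shell
#!/bin/sh
# Added example, not Gentoo's own tooling: create a local overlay and copy
# the current www-apps/wordpress ebuild to a newer version so the new
# upstream release can be emerged before the main tree catches up.
set -eu

# repos_conf_stanza <overlay_path>
# Prints the stanza to drop into /etc/portage/repos.conf/local.conf so
# portage knows about the overlay (auto-sync off: we maintain it by hand).
repos_conf_stanza() {
    printf '[local]\nlocation = %s\nmasters = gentoo\nauto-sync = no\n' "$1"
}

# bump_wordpress_ebuild <main_tree> <overlay> <old_version> <new_version>
# Copies the old ebuild to the new version inside the overlay and prints
# the path of the new ebuild. Fails if the source ebuild does not exist.
bump_wordpress_ebuild() {
    main_tree=$1; overlay=$2; old=$3; new=$4
    pkgdir="www-apps/wordpress"
    src="$main_tree/$pkgdir/wordpress-$old.ebuild"
    dst="$overlay/$pkgdir/wordpress-$new.ebuild"

    [ -f "$src" ] || { echo "no ebuild at $src" >&2; return 1; }

    # Minimal overlay skeleton: repo name plus layout.conf, the two files
    # portage needs before it will read ebuilds from the directory.
    mkdir -p "$overlay/metadata" "$overlay/profiles" "$overlay/$pkgdir"
    echo "local" > "$overlay/profiles/repo_name"
    printf 'masters = gentoo\nthin-manifests = true\n' > "$overlay/metadata/layout.conf"

    # The bump itself: the ebuild builds the distfile name from ${PV}, so
    # the copy usually needs no edits. KEYWORDS stay ~amd64 as in the tree.
    cp "$src" "$dst"

    # Regenerate the Manifest so portage can verify the new tarball.
    # `ebuild` exists only on a Gentoo host; skipped elsewhere so the
    # function can still be exercised in a scratch directory.
    if command -v ebuild >/dev/null 2>&1; then
        (cd "$overlay/$pkgdir" && ebuild "wordpress-$new.ebuild" manifest)
    fi
    printf '%s\n' "$dst"
}

# Stand-alone use (hypothetical new version, substitute the real one):
#   sh bump.sh /var/db/repos/gentoo /var/db/repos/local 4.9.8 4.9.9
#   repos_conf_stanza /var/db/repos/local > /etc/portage/repos.conf/local.conf
#   emerge --ask =www-apps/wordpress-4.9.9
if [ $# -eq 4 ]; then
    bump_wordpress_ebuild "$@"
fi
```

Once the main tree ships the real ebuild, delete the copy from the overlay so you do not keep masking the maintained version with your own.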
mocsokmike (Tux's lil' helper; Joined: 04 Aug 2005; Posts: 116; Location: Budapest, Hungary)
Posted: Mon Oct 01, 2018 1:15 pm

Oh, that's OK. I will keep an eye on it.
Still, it is easier to use portage to update it automatically.
Thanks for the explanation!
Hu (Moderator; Joined: 06 Mar 2007; Posts: 13512)
Posted: Tue Oct 02, 2018 1:52 am

In my opinion, it is extremely dangerous to run a Wordpress install that is accessible over the network to anyone to whom you would not entrust a local shell. If the blog is run solely internally, it might be an acceptable risk. (Remember that you must worry about every employee, and every bit of malware that might ride in on an employee's device.) If the blog is exposed to the world, I would not do it.
mocsokmike (Tux's lil' helper; Joined: 04 Aug 2005; Posts: 116; Location: Budapest, Hungary)
Posted: Tue Oct 02, 2018 3:27 pm

@Hu, can you elaborate? In our case, this site would be accessible from the Internet.
hdcg (n00b; Joined: 07 Apr 2013; Posts: 56)
Posted: Tue Oct 02, 2018 3:55 pm

Hi mocsokmike,

to give you an idea:

https://www.wordfence.com/blog/2017/04/march-2017-wordpress-attack-report/
https://sucuri.net/reports/2017-hacked-website-report
https://wpplugins.tips/wordpress-security-statistics/

Due to the wide use of Wordpress it is number one on any attacker's list, and attacks are well supported.
Wordpress "supports" this by its overwhelming functionality and a huge number of not always well maintained plugins.

I did once run a Wordpress site and the continuous attack attempts made me switch to a simpler file-based CMS.

My insights from this experience are:
  • Prepare for continuous support/monitoring of the site
  • Use a setup capable of performing self-updates (to be prepared for zero-day exploits); I do not know whether the ebuild based setup supports this
  • Avoid plugins (at least ones of poor quality)
  • Look out for more security related Wordpress tips


Best Regards,
Holger
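The "continuous monitoring" point above in practice starts with watching the web server log for the two endpoints that the bots bunder mentioned hammer most, the login form (wp-login.php) and the XML-RPC interface (xmlrpc.php). The following is an added example for this thread, not code from any poster or from Wordpress: a small awk report over a combined-format access log that lists every client which either POSTed to wp-login.php at least a threshold number of times or touched xmlrpc.php at all. The log lines embedded in it are constructed for the example (addresses from the documentation ranges); the endpoint paths are Wordpress's real ones.

```shell
#!/bin/sh
# Added example: flag clients that hammer the Wordpress login and XML-RPC
# endpoints in an Apache/nginx combined-format access log.
set -eu

# Constructed sample log (not a real capture): one brute-forcer on the
# login form, one XML-RPC probe, and one legitimate editor logging in.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [02/Oct/2018:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2931 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Oct/2018:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2931 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Oct/2018:10:00:03 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 2931 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Oct/2018:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Oct/2018:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.19"
192.0.2.5 - - [02/Oct/2018:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2931 "-" "Mozilla/5.0"
192.0.2.5 - - [02/Oct/2018:10:02:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [02/Oct/2018:10:02:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 51203 "-" "Mozilla/5.0"
EOF
)

# wp_attack_report <threshold>   (reads the access log on stdin)
# Prints "<ip> <login_posts> <xmlrpc_hits>", sorted by IP, for every client
# with at least <threshold> POSTs to wp-login.php or any hit on xmlrpc.php.
wp_attack_report() {
    threshold=$1
    awk -v thr="$threshold" '
        # Combined format fields: $1 client IP, $6 is "METHOD (with the
        # opening quote), $7 is the request path.
        {
            ip = $1; method = substr($6, 2); path = $7
            sub(/\?.*/, "", path)            # drop any query string
            if (method == "POST" && path == "/wp-login.php") login[ip]++
            if (path == "/xmlrpc.php") xmlrpc[ip]++
            seen[ip] = 1
        }
        END {
            for (ip in seen)
                if (login[ip] + 0 >= thr || xmlrpc[ip] + 0 > 0)
                    printf "%s %d %d\n", ip, login[ip] + 0, xmlrpc[ip] + 0
        }' | sort
}

# Stand-alone run over the constructed sample. On a real host feed the
# server log instead, e.g.:  wp_attack_report 3 < /var/log/nginx/access.log
printf '%s\n' "$SAMPLE_LOG" | wp_attack_report 3
```

With threshold 3 the report names 203.0.113.7 (four login POSTs) and 198.51.100.9 (one xmlrpc.php hit) and stays silent about the editor at 192.0.2.5, who logged in once. The threshold is per log file, so run it over a rotated or time-windowed log; any xmlrpc.php hit is reported because an intranet blog rarely has a legitimate reason for that endpoint to be reachable from outside.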
mocsokmike (Tux's lil' helper; Joined: 04 Aug 2005; Posts: 116; Location: Budapest, Hungary)
Posted: Tue Oct 02, 2018 4:13 pm

Thank you, Holger. This really made me think about using something else instead of WP.
I don't prefer being in the spotlight of hackers.
Hu (Moderator; Joined: 06 Mar 2007; Posts: 13512)
Posted: Wed Oct 03, 2018 1:58 am

Wordpress has a history of severe security problems, including allowing remote users to obtain code execution on the system running the Wordpress install. If your use case is exposing the content to the Internet, I would not trust Wordpress to do the job safely.
Muso (l33t; Joined: 22 Oct 2002; Posts: 968; Location: The Holy city of Honolulu)
Posted: Fri Oct 05, 2018 12:36 am

There are 1,107 Wordpress exploits on the ExploitDB. There are guaranteed to be some being sold on the deep web as well.