
Wordpress hosted on my Linode VPS seems just fine. Switching from GoDaddy to Linode was more than worth the price increase.



Agreed. Also, making small changes to some of the config helps too. This is why I laugh at people who know nothing about hosting, permissions, or PHP in general deciding that they know WP, put it on a shared box without doing the proper setup, and then blame Wordpress when it gets hacked.


Most of the Wordpress breakins have been the fault of Wordpress' code, not admin incompetence.


Can you please point out some reasons why you think WordPress code is faulty?


Note that you could tell me that Wordpress has changed drastically for the better since I stopped paying attention to it. I would concede that you might be right, but wouldn't change my recommendation at all. It's simply not worth arguing about. Here goes:

* It's written in PHP, a platform on which "remote file inclusion" vulnerabilities --- where attackers can source code to run on the server from MySpace --- continue to be found. I hesitate to bring this up, since (for instance) the last public vBulletin flaw that would have cost you your site goes back to 2008.

* It has an authentication design that uses the same database tables to track administrators who can run code on the site and anonymous Internet commenters.

* It has a template language that allows graphic designers to write templates that run code on your server.

* It hand-codes SQL statements largely out of concatenated queries.

* It is internationalized but has no coherent strategy for dealing with character sets and input filtering, on which it relies heavily, resulting in relatively recent vulnerabilities enabled by for instance UTF-7 inputs.

* It includes in the admin interface an editor for site templates that amounts to a remote login to the server, since, again, templates can run code.

* It has a vibrant community of plugins implemented by people who know exactly enough PHP to get their code working, which means every one of these flaws is repeated for every plugin developer.
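The concatenated-SQL point above, illustrated with an added example (not code from the thread or from WordPress itself): a hypothetical plugin search function written the way the comment criticises, beside the same function using `$wpdb->prepare()` and `$wpdb->esc_like()`, which are WordPress's real APIs for this. It assumes it runs inside a loaded WordPress install where the global `$wpdb` exists.

```php
<?php
// Both functions assume WordPress is loaded and $wpdb is available.
// $table, $term and the function names are hypothetical.

// Concatenated query: $term goes straight into the SQL string, so any
// quote or operator in it becomes part of the statement. This is the
// pattern the comment above describes, not the recommended form.
function hypothetical_search_unsafe($term) {
    global $wpdb;
    $table = $wpdb->prefix . 'hypothetical_notes';
    $sql   = "SELECT id, title FROM $table WHERE title LIKE '%" . $term . "%'";
    return $wpdb->get_results($sql);
}

// Hardened form: the statement shape is fixed at prepare() time and
// $term is bound through a %s placeholder, so it can only ever be data.
// esc_like() additionally escapes % and _ so they are matched literally
// rather than being treated as LIKE wildcards.
function hypothetical_search_safe($term) {
    global $wpdb;
    $table   = $wpdb->prefix . 'hypothetical_notes';
    $pattern = '%' . $wpdb->esc_like($term) . '%';
    $sql     = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE title LIKE %s",
        $pattern
    );
    return $wpdb->get_results($sql);
}
```

Table names cannot be bound with `%s`, which is why `$table` is interpolated; keep it derived from `$wpdb->prefix` plus a constant, never from request input.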


Also: it's impossible to move or rename the admin directory in Wordpress without modifying a bunch of its code. This IMO is grievously stupid, because attackers can (and do) throw injection attempts all day long at the admin bits of Wordpress sites.


I was referencing that correct file permissions, on a dedicated server, with a well-selected user (NOT admin) will go a LONG way in making it safer. Also, putting in the time to shore up the main holes is 100% worth it. Sure, there are holes in it, just like ANY framework. Simply setting it up right helps a ton. My comment is directed to people who just unzip, dump it on a shared GoDaddy server, and wonder why it gets hacked.


No, it won't.

Everything that you just mentioned, at best, protects the server environment from Wordpress vulnerabilities -- and that's assuming that a novice could set up a dedicated server as tightly as good hosting companies set up shared hosts.

None of your recommendations do anything to make Wordpress itself any safer, and if the Wordpress db gets compromised (which happened recently to a lot of folks), then you still don't have much of a site left.



