by hluska
3062 days ago
I'm not OP, but I've worked with Wordpress quite a bit in my day. To answer your question, it's a bit of column A and a bit of column B. Over the last few years, Wordpress core has gotten quite a bit better (to the point that I have gone back to Wordpress for my personal site). But previously, the core was victim to some embarrassing security issues. In Wordpress' defence, I can't think of a single PHP application as old or as large as Wordpress that did not suffer from similar problems. Plugins are often an unmitigated security clusterfuck. I've seen things in popular Wordpress extensions that have made me want to trade in my laptop for an abacus and go full luddite. (I've also seen some really wonderful code.) The big problem I see is that a plugin has to be extremely popular before anyone with much of a background in writing relatively secure code will ever read the code. And by that time, it's so popular that it keeps getting hundreds of installs no matter what kind of flaw you find. Some plugin developers/maintainers are incredibly diligent and helpful, but I've also been threatened with legal action (more than once) when I've disclosed some really amateur security issues.

But, due to how the GP seemed to conflate Wordpress and "everything else", I wondered what the basis for his comment was. I'm pretty clear on the security of WP itself.
> Some plugin developers/maintainers are incredibly diligent and helpful, but I've also been threatened with legal action (more than once) when I've disclosed some really amateur security issues.
Most WP plugins are terrible from a security perspective, and I've found the quickest method to resolution is to send a patch to the devs, solving the problem for them and me.