by AmericanChopper 2904 days ago
Wordpress core has very secure coding practices, and if you can find an 0-day in it, then you've done very, very well.

The problems with Wordpress are mostly:

1. WP installations are often not properly configured or maintained.

2. The plugin ecosystem is a mess of vulnerable and/or malicious code, or simply dead code that isn't maintained yet still deployed in the wild.

2 comments

It took more than 7 months to fix https://blog.ripstech.com/2018/wordpress-file-delete-to-code... and at the time RIPS went public with it (after waiting for 7 months) it still was not fixed.

That a POST param was even used as the path to a file to delete, without sanitizing it, is not usually indicative of "secure coding practices".

Writing your own userland implementation of parameterised queries is what you consider “very secure”?

I’d hate to see what you think is terrible then.

What exactly is your criticism here? Do you know of some issue with prepare()? The quality of the core Wordpress code is quite high. You could argue that the plugin system is a footgun, but it’s kinda an essential element if you want extensibility.
Parameterised queries done properly are sent to the database server specifically as a query with placeholders and values - the values are never evaluated as SQL, so there is no chance for a userland bug/attack to perform SQL injection using them.

What wordpress does is basically glorified printf, substituting values into a string.

If you can’t see how this is a danger, you’re in no position to comment on the quality of the code.

Right, so you actually have absolutely nothing to say about the quality of wpdb.

My point stands. The worst problems in Wordpress are the plugin ecosystem and poorly maintained instances.

Just because you choose to ignore valid criticism, that doesn't mean there is no criticism.

Go read https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb...

A couple of little snippets to highlight the point I'm trying to make:

> The current system is insecure-by-design. That doesn’t mean it’s always hackable, but it means you have to actively work to make it not attackable. It’s better to switch to a design that’s secure-by-default and make the insecure the exceptional case.

> The best path forward would be to switch to PDO/MySQLi and use real prepared statements and not emulate them in PHP land. That’s the best path forward.

But given that the core wordpress team basically ignore this type of suggestion from PHP core contributors, why would I expect you to believe me about it here?
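To make concrete the distinction the thread argues over (values spliced into the SQL text in userland versus placeholders bound server-side, and the PDO/MySQLi route the quoted post recommends), here is an added example. It is not code from the thread, from WordPress or from the linked posts, and it makes no claim about how wpdb::prepare() is actually implemented: emulated_prepare() is a toy that models the "glorified printf" design (quote every %s, escape each argument, vsprintf the result). The posts table, its rows and the two inputs are constructed; it assumes PHP 8 with pdo_sqlite.

```php
<?php
// Added illustration; NOT wpdb code. Models the design under discussion:
// substituting escaped values into the SQL text in PHP, versus binding
// parameters in a real prepared statement. Assumes PHP 8 + pdo_sqlite.

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, status TEXT)");
$db->exec("INSERT INTO posts (title, status) VALUES
           ('Hello', 'publish'), ('Draft', 'draft'), ('Secret', 'private')");

// Toy emulated "prepare": quote every %s (or %N$s) placeholder, escape each
// argument by doubling single quotes, then splice the arguments into the SQL.
function emulated_prepare(string $template, string ...$args): string {
    $quoted  = preg_replace('/%(\d+\$)?s/', "'\$0'", $template);
    $escaped = array_map(fn (string $v) => str_replace("'", "''", $v), $args);
    return vsprintf($quoted, $escaped);
}

// One pass of the emulation: the escaping does its job here.
function count_emulated(PDO $db, string $title, string $status): int {
    $sql = emulated_prepare(
        "SELECT COUNT(*) FROM posts WHERE title = %s AND status = %s", $title, $status);
    return (int) $db->query($sql)->fetchColumn();
}

// Two passes of the emulation, a common shape when a helper builds one clause
// and a caller splices it into a larger query. The first pass leaves the
// user's literal "%1$s" inside the SQL text; the second pass treats it as a
// placeholder and wraps it in quotes, so the quotes that were supposed to
// delimit data now end up inside the data. Nothing like this can happen to a
// bound parameter, because it never becomes part of the query text.
function count_emulated_nested(PDO $db, string $title, string $status): int {
    $where = emulated_prepare("title = %s", $title);
    $sql   = emulated_prepare(
        "SELECT COUNT(*) FROM posts WHERE $where AND status = %s", $status);
    return (int) $db->query($sql)->fetchColumn();
}

// Real prepared statement: the server receives the template with ? markers
// and the values separately. (pdo_sqlite always prepares natively; with
// pdo_mysql also set PDO::ATTR_EMULATE_PREPARES => false, otherwise PDO
// itself falls back to client-side substitution.)
function count_with_pdo(PDO $db, string $title, string $status): int {
    $stmt = $db->prepare("SELECT COUNT(*) FROM posts WHERE title = ? AND status = ?");
    $stmt->execute([$title, $status]);
    return (int) $stmt->fetchColumn();
}

// Constructed inputs: a title containing a printf positional directive and a
// status that is harmless on its own (no quotes to escape).
$title  = 'A%1$sB';
$status = ' OR 1=1 OR ';

printf("emulated, one pass : %d rows\n", count_emulated($db, $title, $status));        // 0
printf("emulated, nested   : %d rows\n", count_emulated_nested($db, $title, $status)); // 3
printf("PDO prepared       : %d rows\n", count_with_pdo($db, $title, $status));        // 0
```

In the nested case the second pass rewrites the already-formatted clause to `title = 'A' OR 1=1 OR 'B' AND status = ' OR 1=1 OR '`, which is valid SQL and returns every row, even though no single quote from either input ever reached the query unescaped. The single-pass call is safe with this toy, which is the "not always hackable" qualification in the quoted post; the point is that safety depends on every later handler of the string, whereas with bound parameters the query text and the data never mix.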