Code Project

What's the deal with WordPress Security?

Category: The Lounge
Tags: php, asp-net, csharp, database, visual-studio
3 Posts, 3 Posters
#1 TheOnlyRealTodd wrote:

Just wondering what the main reason is for WordPress having so many more security vulnerabilities vs. other systems? My assumptions would be:

  1. Because it is so widely used, it's a much bigger target.
  2. Because it allows for plugins like it does, this could also open up PHP security holes galore from improperly tested plugins/inexperienced plugin authors.
  3. PHP tends to be a "jump right in" type of language, with coders not fully understanding all of the implications of what they are doing.

This is not to say it is PHP's fault, but there certainly seems to be a "get coding quick" type of philosophy with PHP out there more so than with other languages. Did WordPress start out with a lousy PHP foundation and then it's kinda sorta been all hacked together since then? Or is it truly just because it's the biggest target thanks to so many websites operating on it? About 10 years ago, my first website used WordPress and a few months after I made it, it was attacked and destroyed by what I now know is SQL injection. It seems that ASP.NET MVC/Entity Framework doesn't really suffer from these vulnerabilities and in fact, when I searched for exploits, I found very few for ASP.NET MVC and a zillion for WordPress. So what's the deal?


#2 Ryan Peden wrote:

It's pretty much a combination of all of the points you mentioned. Part of it is due to the popularity of WordPress, as you mentioned. The large number of sites running WordPress results in a high ROI for attackers who work to compromise it.

Plugins are a huge attack vector. Although the WordPress core code has become much more professionally built and more secure, there are still lots of horribly written plugins out there.

PHP was also a much worse language when WordPress first got started than it is now. It has since gained features that help in the creation of well-engineered software. It now has namespaces and (optional) static typing for function parameters and return types. The barrier to entry is still low, though, which is why we'll continue to see lots of really insecure plugins out there.

My girlfriend did a college program that mostly taught web design, but also taught just enough PHP for the students to be dangerous. I suspect that a lot of the bad plugins are a result of situations like that: people are able to hack together something that works, but they don't entirely understand why or how it works, or how it interoperates with the rest of WordPress. That's not to say that all designers who learn to code do it badly, but there is a subset who do.

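The SQL injection that took down the first poster's site and the badly written plugins described in the reply above usually come down to the same mistake: request input concatenated straight into a query. The block below is an added example for this thread, not code from the thread, from WordPress or from any real plugin. The `ExamplePlugin` namespace, the `example_items` table, the function names and the `example_lookup` shortcode are all hypothetical, and the code assumes it runs inside WordPress, where `$wpdb`, `sanitize_text_field()`, `wp_unslash()`, `current_user_can()`, `wp_die()`, `esc_html()` and `add_shortcode()` exist. It shows the vulnerable pattern next to a hardened version that uses `$wpdb->prepare()`, a typed signature and a capability check, i.e. the PHP 7 features the reply mentions put to use.

```php
<?php
// Hypothetical WordPress plugin fragment (added example, not from the thread or WordPress).
// Assumes the WordPress runtime: $wpdb, sanitize_text_field(), wp_unslash(),
// current_user_can(), wp_die(), esc_html(), add_shortcode(). The table and
// column names are made up for illustration.

declare(strict_types=1);

namespace ExamplePlugin; // namespaces: one of the PHP features mentioned in the thread

// --- The pattern behind "my site was destroyed by SQL injection" ---
// Raw request input is interpolated into the SQL string. Any quote characters in
// the value become part of the statement, so the database cannot tell data from code.
function lookup_vulnerable(): array
{
    global $wpdb;
    $slug = $_GET['slug'] ?? '';
    $sql  = "SELECT id, title FROM {$wpdb->prefix}example_items WHERE slug = '$slug'";
    return (array) $wpdb->get_results($sql);
}

// --- Hardened form ---
// 1. Typed signature (PHP 7+): the function cannot be handed an array or null by mistake.
// 2. $wpdb->prepare() binds the value through a %s placeholder, so quoting and
//    escaping are done by the database layer rather than by the plugin author.
// 3. The read is gated by a capability check; the caller sanitizes the input.
function lookup_hardened(string $slug): array
{
    global $wpdb;

    if (!current_user_can('read')) {
        // Second argument as an int is the HTTP response code for wp_die().
        wp_die('Insufficient privileges.', 403);
    }

    $table = $wpdb->prefix . 'example_items'; // plugin-owned table (hypothetical)
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE slug = %s LIMIT %d",
        $slug,
        10
    );
    return (array) $wpdb->get_results($sql);
}

// Shortcode handler: the only place that touches raw request data.
// $atts is deliberately untyped because WordPress passes '' when no attributes are given.
add_shortcode('example_lookup', function ($atts): string {
    $slug  = sanitize_text_field(wp_unslash($_GET['slug'] ?? ''));
    $items = lookup_hardened($slug);

    $out = '<ul>';
    foreach ($items as $item) {
        // Escape on output too: stored data is not trusted either (stored XSS).
        $out .= '<li>' . esc_html($item->title) . '</li>';
    }
    return $out . '</ul>';
});
```

A quick audit of a plugin tree is to look for `$wpdb->query()`, `get_results()`, `get_var()` or `get_row()` calls whose SQL string is built by string interpolation or concatenation instead of being passed through `$wpdb->prepare()`; that is exactly the shape of `lookup_vulnerable()` above, and it is the first thing to fix in an inherited or abandoned plugin.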

#3 Beginner Luck wrote:

You missed out a lot of outdated plugins that are not fixed because they are no longer supported.
