undefined | Better HN

0 pointsunity10013y ago0 comments

> Windows has significantly improved since its early days - the Windows you're talking about would be at best unpatched Windows XP.

Same for WordPress.

> the exploits are of the same kind over and over again?

There is nothing that anyone can do for websites that people put up and abandon. They are not updated, and they would naturally get compromised.

> Disagreed. Find me any tech service anywhere similar to WP's scale that can be compromised in a fully automated manner

Find me any totally customizable service or software that is under your own total control, which you can just set up anywhere on the Internet as your OWN property and abandon it if you would just feel like it...

> I'm not sure anyone is singling out WP? Every stupid data breach gets called out

There are multitudes of comments that specifically single out WP in the post's comment thread. Including this very thread that you are on.

> The problem with WP is that it's prone to the same kinds of vulnerabilities over and over again

That's just flat out false.

> outdated, bad development practices/standards that make writing secure code difficult and a language/runtime that is itself flawed

Ah, its not just WordPress animosity, its also PHP animosity. Which, runs 80% of all websites on the planet in turn. And with hollow arguments of 'good practices'.

There absolutely isnt one single software that gets THIS widely used without noticeable amount of security cases. This includes 'good practice' software.

And again, I said this before and Im saying it again: WHERE is that objective study that compares WordPress with other software in regard to vulnerabilities, taking into account 'good practices' and use cases? Like taking into account Windows computers that are scarcely connected to the Internet or taking into account how the majority of Linux servers are run by sysadmins and not end users?

Nowhere.

There is one universal, dumb concept of 'security vulnerability' and it applies universally without taking into account anything. As a result, the random website that a site owner has abandoned getting compromised by an NON-UPDATED plugin is the same with a freaking internet-wide used web server software getting hacked or a major tech service leaking millions of users' data out.

Totally un-objective.

> (uploading a malicious file is a non-issue in every non-PHP application because your app server doesn't automatically execute said file - except in PHP where if the file ends in .php and is in the web root your server will happily execute it).

No it doesnt. Dont make up falsities. PHP executes files how you configure it to. Another case of configurability and total customizability. If you give the users to customize something, there will be those who customize it in bad ways. Its as simple as that.

> A significant chunk of people smoke tobacco, doesn't necessary mean it's good for you

Unintelligible comparison. Totally absurd.

> if the drawbacks of WP mostly impact other peopl

They dont. You are literally projecting your subjective opinions that are totally free of any objective, data-backed comparison.

> those drawbacks won't be priced in and thus if WP appears cheaper it will be popular.

That doesnt even make sense. All the legal liabilities of site owners, ecommerce site operators, any kind of business person are on them. They dont go away because some software is open source. And if all of those people are still on WordPress, it means that there is no such 'drawback to be priced in' as you so baselessly claim.

...

It just ended up as another string of uninformed, personal & subjective opinions posing as truisms. No data backed comparison, no self-contained, coherent logic, just bashing on what's popular. You even proposed things PHP doing certain things because people CONFIGURE it so as 'bad things'.

I'll just remind you that the case of WordPres is the same with any case in which you give people total control and total customizability - some people will f*ck up some segment of it whereas multidudes more people use it properly. It wouldn't be any different if you gave people totally customizable cars.

Ill leave you to your subjective biases at this point. Baseless arguments actually only backed by elitism and hate of what has become popular...

0 comments

Nextgrid3y ago

> Same for WordPress.

Not as much - WP favours backwards compatibility (or is it laziness?) even when doing so impacts security.

Another problem is that the environments Wordpress targets are inherently vulnerable - while it's not WP's fault directly, they do nothing to warn people against using them nor outright stop supporting broken, insecure configurations.

> There are multitudes of comments that specifically single out WP in the post's comment thread. Including this very thread that you are on.

I was talking about publicized data breaches in general. But if we specifically talk about CMSes, I'm not sure anything else beats Wordpress and similar PHP-based CMSes of that era when it comes to not just the amount of vulnerabilities, but especially the nature of them - the same, dumb, basic problems resolved in every other language (including modern PHP with a framework such as Laravel) repeated over and over again.

> WHERE is that objective study that compares WordPress with other software in regard to vulnerabilities

Someone posted the following excerpt of the Wordpress codebase: https://github.com/WordPress/WordPress/blob/master/wp-includ... which appears to be some custom attempt at simulating SQL query parameterization instead of using the actual, database-driver-provided function. If this is indeed the purpose of that function and it is indeed used, then I'm not sure there is any valid excuse for this in today's day and age.

Someone else mentioned password hashing still relying on MD5 - if that is actually true, I'm not sure that is excusable either? I haven't done PHP for many years now, but surely even if the native functions aren't available, couldn't they use a "polyfill" such as https://github.com/ircmaxell/password_compat ?

I'm sure there are many other issues but frankly the first one should be enough for any competent developer to run away.

> No it doesnt. Dont make up falsities. PHP executes files how you configure it to.

I was with you until this, but now I think you're arguing in bad faith.

Yes, if you want to be pedantic, PHP and your web server execute files like how you configure them to. In practice, the environment where the vast majority of Wordpress sites are deployed (your typical shared hosting environment) will execute anything that ends with .php and is in the web root.

This is inherently a legacy PHP problem (which WP encourages by supporting it) - no other language that I know of does this by default. If I accidentally store a malicious file in Python, Ruby, Node.js, etc applications, the worst that will happen is that I serve it back. At no point what so ever the server itself will execute that file.

Yet in the PHP environments Wordpress targets, this is a massive issue which means every single feature handling file uploads (both in WP core and any plugins) should anticipate your server's misconfiguration (maybe it's not limited to .php files, but .html files too?) and try to protect against it, eventually failing and then you get yet another Wordpress vulnerability.

j / k navigate · click thread line to collapse