[wp-forums] Security again

Podz podz at tamba2.org.uk
Sat Mar 4 11:01:33 GMT 2006


I note my post - again read by a lot of people - has not been refuted in
any way whatsoever:
http://wordpress.org/support/topic/56569?replies=20#post-335543

From: http://codex.wordpress.org/Hardening_WordPress
"Do not advertise the WordPress version you are running:"
and yet even in 2.0.1 we have
"<meta name="generator" content="WordPress <?php bloginfo('version');
?>" /> <!-- leave this for stats please -->"
So Codex says one thing, yet the code says another and adds to LEAVE IT.
One thing or the other please. (My money says Codex gets edited)

Same page:
"All files should be owned by your user account, and should be writable
by you. Any file that needs write access from WordPress should be
group-owned by the user account used by the webserver."
Means what to the average user. Answer: Nothing.
If a product is aimed at a target group then information on safe usage
should use language that is clear and understandable by that group. That
whole codex page fails.

Same page:
"If a weak point in your installation is found by a malicious person,
your system should be configured to minimize the amount of damage that
can be done once inside your system."
Throw DreamHost off the hosting page. Apart from many many complaints
about them anyway, they repeatedly fail this. A user should not be
expected to do this. If you DO expect them to do it, say so clearly.
And that statement still means sod all to the average user.

I couldn't give a flying one about the flames and pokes at WP because
for the average user - as in my post above - it isn't secure (neither is
it inherently insecure I suppose) but I DO mind that many users get
worried. And that annoyance of mine is magnified many times when I know
that few words on one blog will kill the subject dead for all but the
ones that want to carry on.

I look forward to every point in this post being torn apart.

P.


More information about the wp-forums mailing list