[wp-trac] [WordPress Trac] #39309: Secure WordPress Against Infrastructure Attacks

WordPress Trac noreply at wordpress.org
Thu Feb 8 16:49:46 UTC 2018


#39309: Secure WordPress Against Infrastructure Attacks
------------------------------------------+-----------------------
 Reporter:  paragoninitiativeenterprises  |       Owner:
     Type:  enhancement                   |      Status:  reopened
 Priority:  normal                        |   Milestone:
Component:  Upgrade/Install               |     Version:  4.8
 Severity:  critical                      |  Resolution:
 Keywords:  has-patch                     |     Focuses:
------------------------------------------+-----------------------

Comment (by aaroncampbell):

 First of all, thank you @ericmann for [comment:35 your input here]. It's
 super helpful.

 Replying to [comment:36 pcarvalho]:
 > its just me thinking its crazy wp isn't coming forward to sponsor the
 > audit themselves?

 The cost isn't a small ask, but it's not just the audit that is holding
 things up. More on this below.

 > do all the libs that get included have this requirement? like any js
 > lib that got included so far?

 Not all libs are required to have a heavy security audit before being used
 (although we audit them internally), but those libs also wouldn't be a
 bedrock piece of our security strategy.

 Almost a year ago, Matt wrote [https://medium.com/@photomatt/wordpress-
 and-update-signing-51501213e1 WordPress and Update Signing] on Medium. I
 think it still represents where we're at pretty accurately. That's not to
 say that no progress has been made in a year. Overall, WordPress has made
 a lot of progress in the last year – including on the security front and
 even on the infrastructure front. Just not on this specific issue. It’s on
 the list, but it’s far enough down that in a year we didn’t make it to it.

 The library itself seems to be in a much better place now than it was a
 year ago. It's seeing some use, it has some peer review (thank you
 @ericmann for [comment:35 your input here], it's super helpful), and it's
 had numerous improvements to performance, etc. Yes, I would still like to
 see it get an audit, but it's not like that's the only hurdle. As Matt
 said in that article, there is a significant amount of work required on
 the systems side and it needs to be prioritized in with all the other
 projects that also need to be done.

 I hope that helps.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/39309#comment:37>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform