[wp-trac] [WordPress Trac] #39309: Secure WordPress Against Infrastructure Attacks

WordPress Trac noreply at wordpress.org
Wed Dec 25 03:50:42 UTC 2019


#39309: Secure WordPress Against Infrastructure Attacks
------------------------------------------+-----------------------------
 Reporter:  paragoninitiativeenterprises  |       Owner:  pento
     Type:  task (blessed)                |      Status:  reopened
 Priority:  normal                        |   Milestone:  Future Release
Component:  Upgrade/Install               |     Version:  4.8
 Severity:  critical                      |  Resolution:
 Keywords:  has-patch                     |     Focuses:
------------------------------------------+-----------------------------

Comment (by mohsin1996):

 Thanks for the information.
 Make sure to check this same WordPress installed site [techstuffsarena]
 http://techstuffsarena.com/2018/12/25/movie4k/ which covers information
 like this.
 Replying to [comment:37 aaroncampbell]:
 > First of all, thank you @ericmann for [comment:35 your input here]. It's
 > super helpful.
 >
 > Replying to [comment:36 pcarvalho]:
 > > It's just me thinking it's crazy WP isn't coming forward to sponsor the
 > > audit themselves?
 > The cost isn't a small ask, but it's not just the audit that is holding
 > things up. More on this below.
 > > Do all the libs that get included have this requirement? Like any JS
 > > lib that got included so far?
 > Not all libs are required to have a heavy security audit before being
 > used (although we audit them internally), but those libs also wouldn't be
 > a bedrock piece of our security strategy.
 >
 > Almost a year ago, Matt wrote [https://medium.com/@photomatt/wordpress-
 > and-update-signing-51501213e1 WordPress and Update Signing] on Medium. I
 > think it still represents where we're at pretty accurately. That's not to
 > say that no progress has been made in a year. Overall, WordPress has made
 > a lot of progress in the last year – including on the security front and
 > even on the infrastructure front. Just not on this specific issue. It’s on
 > the list, but it’s far enough down that in a year we didn’t make it to it.
 >
 > The library itself seems to be in a much better place now than it was a
 > year ago. It's seeing some use, it has some peer review (thank you
 > @ericmann for [comment:35 your input here], it's super helpful), and it's
 > had numerous improvements to performance, etc. Yes, I would still like to
 > see it get an audit, but it's not like that's the only hurdle. As Matt
 > said in that article, there is a significant amount of work required on
 > the systems side and it needs to be prioritized in with all the other
 > projects that also need to be done.
 >
 > I hope that helps.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/39309#comment:104>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform