Quote:
Originally Posted by DangerX !!!
QFT. The Wordpress developers in general don't understand basic security concepts even
when I explain it to them. I pointed out a significant security flaw repeatedly for over a year and
none of the Wordpress devs could even understand that there was a problem until thousands
of sites were hacked.
Secure, as much as possible, PHP itself. Make sure it's up to date, as PHP has recently started
to suck a lot less in terms of security. If you have a version that's a couple years old you may as
well post your FTP password on your front page. One example is "register globals", which is
tied with "running suexec on a dedicated server" for the stupidest, most damaging thing anyone
has ever done on a web server.
Once it's up to date, make sure the settings are right for reasonable security. fopen_url, for
example, should be off by default, but make sure it is. Disabling a few functions including eval,
exec, and popen will stop most crack scripts, but some legitimate scripts may need to be
adjusted to work in that case. Similarly for an egress firewall, but now we're getting more
into general server security and away from Wordpress.
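As an added example (my code, not from the original post or from the WordPress project), a PHP script that audits a running interpreter for the settings discussed above; the list of functions it looks for and the snapshot keys are assumptions of mine, not a complete hardening checklist:

```php
<?php
// Added example (not from the original post): audit the running PHP configuration
// for the settings discussed above. Values can differ between SAPIs, so run it
// under the same SAPI (mod_php, php-fpm, ...) that actually serves WordPress.

// Functions whose availability is worth flagging. This list is an assumption,
// not a complete inventory of dangerous functions.
const RISKY_FUNCTIONS = ['exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open'];

/**
 * Evaluate a configuration snapshot and return a list of findings (empty = clean).
 * $cfg keys: 'version', 'register_globals', 'allow_url_fopen', 'disable_functions'.
 * Kept separate from ini_get() so the logic can be tested with constructed input.
 */
function audit_php_config(array $cfg): array
{
    $findings = [];

    // register_globals was removed in PHP 5.4; on older releases the version itself
    // is the first problem, and the directive is only meaningful there.
    if (version_compare($cfg['version'], '5.4.0', '<')) {
        $findings[] = "PHP {$cfg['version']} is end-of-life; upgrade";
        if (filter_var($cfg['register_globals'], FILTER_VALIDATE_BOOLEAN)) {
            $findings[] = 'register_globals is On (set register_globals = Off in php.ini)';
        }
    }

    if (filter_var($cfg['allow_url_fopen'], FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'allow_url_fopen is On (set allow_url_fopen = Off unless a script needs it)';
    }

    // disable_functions is a comma-separated list; normalise whitespace before comparing
    $disabled = array_map('trim', explode(',', (string) $cfg['disable_functions']));
    $missing  = array_diff(RISKY_FUNCTIONS, $disabled);
    if ($missing) {
        $findings[] = 'not in disable_functions: ' . implode(', ', $missing);
    }
    return $findings;
}

// Live snapshot of this interpreter. ini_get() returns false for a directive that
// does not exist in this PHP version (register_globals on 5.4+), which reads as "off".
$live = [
    'version'           => PHP_VERSION,
    'register_globals'  => ini_get('register_globals'),
    'allow_url_fopen'   => ini_get('allow_url_fopen'),
    'disable_functions' => ini_get('disable_functions'),
];
foreach (audit_php_config($live) ?: ['no findings'] as $finding) {
    echo $finding, PHP_EOL;
}
```

One caveat the script cannot check: eval is a language construct rather than a function, so listing it in disable_functions has no effect; code that reaches eval has to be kept out by other means.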