Mike McGrath wrote:
On Wed, 20 Feb 2008, seth vidal wrote:
> On Wed, 2008-02-20 at 19:32 -0700, Stephen John Smoogen wrote:
>
>> Ok one thing to find out on this.. is what are the security aspects of
>> using wordpress. I am probably not the person to mention this as I
>> partially flamed a Red Hat employee earlier this month about their
>> views on WordPress.. but it would be good to make sure that it isn't
>> going to be a problem security-wise.
>>
> wordpress is actively maintained and widely used. It has a security
> track record of all php programs but it also has a good record of quick
> turnaround times for issues.
>
Additionally, mod_security will help us deal with 0day exploits and some
other things. I think wordpress has an ok security record but that's by
reputation, not research. Anyone have a moment to look and post to the
list?

This is a highly inaccurate measure of security but it's something to
look at. I wonder if lkundrak and the security team have a preference
for blogging/news software :-)
Number of CVEs listed on
http://nvd.nist.gov/nvd.cfm

      wordpress  drupal  mediawiki  zope  plone
2008         30      17          1     0      0
2007         64      37          7     2      1
2006         21      39          4     1      3

These numbers show a big difference between mediawiki and drupal or
wordpress. The questions are just how valid the numbers are and whether
we're confident that the combination of SELinux (which we will then
depend on; no more turning it off if we can't figure out a problem) and
mod_security will keep our servers and users of the sites safe from the
exploits that will appear.
-Toshio