[wp-hackers] Security. Forum post - 2.0.1 has holes

Robert Deaton false.hopes at gmail.com
Fri Mar 3 09:11:24 GMT 2006

On 3/3/06, Roy Schestowitz <r at schestowitz.com> wrote:
> There is also a negative impact when one posts an item titled "Don't worry,
> WordPress is safe". It shows doubt. If Mark is concerned about the privacy
> of his poison (plug-ins), then he should toss a blank index in the plug-ins
> directory. If you accept his argument and post clarifications about this
> so-called 'vulnerability', what will be next?

The vulnerabilities published are much worse than this, and of all
this needs the least clarification. What needs clarification is that
there is no XSS, nobody can remotely take down your blog or change
your pages, potentially steal your login information with malicious
javascript, etc.

> People could start a commotion over other aspects which are considered more
> serious 'vulnerabilities'. Users could argue about serious matters like the
> reluctance to lock WordPress after a particular number of failed logins
> (still?) or the exclusion of 'out of the box' DDOS attack protection.

DDOS protection comes at a level much earlier than WordPress, and in
order for WordPress itself to know that it may be coming under DDOS,
WordPress has to store additional data in the database or on the
filesystem. Each write is more harmful than the last, and really
trying to stop DDOS attacks is opening yourself up to more.

DDOS at this level is targeting the hardware and the underlying
components of a website, the HTTP server, the network stack, the
bandwidth limits of your PCI buses, not the software, and anyone who
argues that WordPress needs built-in DDOS protection is a fool imho.

--Robert Deaton
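The post's point is that per-request bookkeeping inside the application (a database or filesystem write for every suspicious hit) makes the flood more expensive for the defender, not less, and that throttling belongs at a layer in front of the application. The following is an added example, not code from the post or from WordPress, of what that earlier layer typically does: an in-memory sliding-window limiter suitable for a reverse proxy or middleware, keyed by client IP (or by account name for the failed-login case the quoted message raises). The `max_clients` cap and the fake clock are assumptions made for the example; the IP addresses are constructed sample values. The cap is the caveat a practitioner wants: a limiter with an unbounded table is itself a memory-exhaustion target, which is the "opening yourself up to more" the post warns about.

```python
import time
from collections import OrderedDict, deque


class EdgeRateLimiter:
    """Sliding-window limiter meant for the edge (reverse proxy / middleware),
    not the application. It keeps no database state, so each request costs an
    O(1), memory-bounded update instead of a persistent write. `max_clients`
    caps the tracking table so the limiter cannot be used to exhaust memory."""

    def __init__(self, limit, window_seconds, max_clients=10_000, clock=time.monotonic):
        self.limit = limit                  # hits allowed per client per window
        self.window = window_seconds
        self.max_clients = max_clients      # assumption: bounded table size
        self.clock = clock                  # injectable for deterministic tests
        self._hits = OrderedDict()          # client_key -> deque of timestamps, LRU order

    def allow(self, client_key):
        """Return True if the hit is within the limit, False if it should be dropped."""
        now = self.clock()
        bucket = self._hits.get(client_key)
        if bucket is None:
            if len(self._hits) >= self.max_clients:
                self._hits.popitem(last=False)   # evict the least recently seen client
            bucket = deque()
            self._hits[client_key] = bucket
        else:
            self._hits.move_to_end(client_key)   # mark as most recently seen
        # Discard timestamps that have aged out of the window.
        cutoff = now - self.window
        while bucket and bucket[0] <= cutoff:
            bucket.popleft()
        if len(bucket) >= self.limit:
            return False
        bucket.append(now)
        return True

    def tracked_clients(self):
        """Clients currently held in the table, oldest first."""
        return list(self._hits.keys())


class FakeClock:
    """Constructed clock so the example runs deterministically offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_login_flood():
    """Seven rapid hits from one constructed client IP against a limit of 5 per
    60 s, then recovery after the window, then table eviction under a cap of 2."""
    clock = FakeClock()
    limiter = EdgeRateLimiter(limit=5, window_seconds=60, max_clients=2, clock=clock)
    results = [limiter.allow("203.0.113.10") for _ in range(7)]   # constructed IP
    clock.advance(61)                                             # window expires
    recovered = limiter.allow("203.0.113.10")
    limiter.allow("203.0.113.11")   # second client fits under the cap
    limiter.allow("203.0.113.12")   # third client evicts the least recently seen
    return results, recovered, limiter.tracked_clients()


if __name__ == "__main__":
    print(simulate_login_flood())
```

Keying the same limiter by account name gives the failed-login lockout the quoted message asks about, still without a database write per attempt; keying it by source address is the flood case. Either way the state lives in front of the application, which is the layering the post argues for.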
