[wp-hackers] Making WP more secure the evolutionary way

Peter Westwood peter.westwood at ftwr.co.uk
Wed Jan 28 08:59:24 GMT 2009


On 27 Jan 2009, at 10:06, Florian Thiel wrote:

> On Tue, Jan 27, 2009 at 1:12 AM, g30rg3_x <g30rg3x at gmail.com> wrote:
>> Hi *,
>>
>> x2 to Jacob Santos...
>>
>> The original proposal of Florian Thiel (if I understand his point
>> well) is making "WP more secure" truth and a DB Abstracted layer.
>> IMHO: If we are just applying the abstraction layer just for
>> "security reasons" it would only lead us (sooner or later) to fail.
>
> You're right. My motivation is to make WP more robust against
> filtering omissions. Can you elaborate on why you think WP would fail
> if it did something like that "just" for security reasons? I think WP
> users really care about security so unless it has adverse effects on
> other parts of the system (or does not improve security at all),
> where's the failure?


The real issue is that the core WordPress code already has the right  
level of functionality available to write secure queries.

This functionality is already used heavily, although there are
some places where queries may still need converting.

The big security issue with WordPress is the lack of security  
awareness in the large plugin developer community.

Plugin developers like to code simply and quickly.

However much API we give them to access the data in the database,
they will quite often just write their own SQL at the moment.

So adding a different db abstraction layer will not help unless it  
forbids you from using raw SQL.

This then brings us back to the issue that this is adding an extra  
burden to our development process which we don't need.

westi
-- 
Peter Westwood
http://blog.ftwr.co.uk | http://westi.wordpress.com
C53C F8FC 8796 8508 88D6 C950 54F4 5DCD A834 01C5


