
Re: [LUG] WordPress security (was: website)

 

On 30/12/12 18:23, Martijn Grooten wrote:
> On Sun, Dec 30, 2012 at 5:00 PM, Simon Avery wrote:
>> How many were caused by poor passwords, zero core security or bad plugins?
> Poor passwords aren't a significant problem. That is, I'm sure many
> people use poor passwords for WordPress, but unless you use something
> plain stupid as '123456', that's unlikely to lead to account
> compromises.
>
> Most compromises are caused by vulnerabilities in the WordPress core
> and in plugins. Though arguably the real cause is people being either
> unwilling or unable to update their installation. (Inability could be
> caused by a plugin not being compatible with the latest security
> update; hence Gordon's suggestion to only use well-maintained plugins
> is a very good one.)
>
> Especially because WordPress is so popular, vulnerabilities are very
> actively hunted for. That's not going to stop any time soon. But I
> think it's a poor reason to avoid WordPress.
>
> And:
>
>> so what if it does get compromised?
> is a very good point.
>
> I'm not saying you shouldn't worry about compromises. But you should
> worry about them anyway, regardless of what CMS you use (even if that
> 'CMS' is sftp). It's all about mitigation.
>
> Updating whenever new updates are available is one important thing to
> do, backing up regularly another. Depending on how you're going to use
> the site, you may be able to add some more security by locking down
> your installation a bit (for instance by not making directories
> writable for the web server; the downside of this is that you won't be
> able to upload files from the web interface). Security-by-obscurity
> (e.g. putting the admin files in a directory not called /wp-admin) may
> help a bit as well.
>
> And ultimately, if your site isn't critical to your organisation
> (which the LUG's site isn't), you should be willing to take it all
> down and replace it with a single "sorry, we're fixing things" page.
> (There are commercial WordPress installations available that take care
> of most of the security; I've never used them, but they seem to do a
> good job. I feel obliged to mention them here, as they may be more
> suitable for business-critical sites.)
>
> One important thing to keep in mind: it's not always obvious when your
> site is compromised. Usually, it won't affect the site itself, instead
> some new pages are being added that host or redirect to bad stuff.
> Even if it does affect the site itself, it may be only for those
> visitors who visit your website via Google.
>
> Martijn.
>

OK, so what do we need for a LUG website?

1. Who we are
2. What we do
3. Join info
4. Meeting info
5. Perhaps some useful articles on current topics, e.g. Raspberry Pi,
hardware (PC, Arduino, PIC etc.), software
6. Explanation as to what free software is etc.
7. IRC channel information
8. Links to related topics / groups and member services

Something, as I said before, simple and appealing.

Basically what I have up thus far on the WordPress site.

We should not need that many plugins for all the different features, just
enough to make any visitors think we are worth joining or getting in
touch with to ask for help or discuss things.


Paul


-- 
http://drupal.zleap.net
skype : psutton111
http://www.linkedin.com/pub/paul-sutton/36/595/911

http://www.raspberrypi.org
http://www.ubuntu.com


-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq