security as default
I wish wordpress would include better security:
CSP
DNSSEC checks
X-XSS-Protection
Referrer-Policy
X-Content-Type
it really is not that hard to fold into the core
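As an added illustration of "security as default" (my own example, not WordPress core code), this WSGI middleware applies the headers named above as defaults that an application cannot accidentally lose, while still letting the app override any of them. DNSSEC is a resolver and zone-level check rather than an HTTP header, so it is out of scope here; "X-Content-Type" is taken to mean X-Content-Type-Options, and X-XSS-Protection is set to "0" because that is the current browser-vendor and OWASP recommendation for the legacy auditor.

```python
# Hypothetical middleware: secure response headers applied by default.
DEFAULT_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    # Legacy header: "0" disables buggy browser XSS auditors; CSP does the real work.
    "X-XSS-Protection": "0",
}


def secure_defaults(app, defaults=DEFAULT_HEADERS):
    """Wrap a WSGI app so every response carries the default headers,
    unless the app already set the same header itself (case-insensitive)."""
    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            merged = list(headers)
            for name, value in defaults.items():
                if name.lower() not in present:
                    merged.append((name, value))
            return start_response(status, merged, exc_info)
        return app(environ, patched_start)
    return wrapped


def run_once(app, path="/"):
    """Drive a WSGI app with a minimal constructed environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def demo_app(environ, start_response):
    # Sets its own, stricter Referrer-Policy; the rest comes from the defaults.
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("referrer-policy", "no-referrer")])
    return [b"<h1>hello</h1>"]


def response_headers(app, path="/"):
    """Convenience: headers of one response as a dict."""
    return dict(run_once(app, path)[1])
```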
A pair of widely used WordPress plugins need to be patched on more than 320,000 websites to close down vulnerabilities that can be exploited to gain admin control of the web publishing software. The team at WebArx, a security firm specializing in WordPress and other CRM and publishing platforms, took credit for discovering and …
I think it just attracts the sort of people that shouldn't be coding, based on my dealings with "Word Press Web Designers".
The ones that ask me how to get access to their CSS, I point to the file, and they have no idea what I'm talking about. CSS doesn't go into a _file_. It's _in_ the website.
“an entire flood of "web developers" who really mean "I pick a nice template/theme then it's just next-next-next-fill in text boxes-next-done.”
Nothing wrong with that at all. It's essentially no different to you writing a letter using a word processor made by MS, LibreOffice, etc., rather than you coding your own word processor from scratch!
Wrong comparison. It's like using all fill-in defaults - that only speak to default questions, vs learning to structure and write English paragraphs correctly - or how to tell a story, or how to communicate a concept, not compared to writing your own set of ignorant defaults.
Not at all, Drupal has some quite awful vulnerabilities in it produced by developers who've stopped maintaining the modules despite lots of users still having them active, but it doesn't get the same coverage because of its pitiful market share. The sector I work in believes Drupal to be all singing, all dancing, lord of all - whereas I'd quite like to drop its use into the Marianas Trench.
...WordPress is an extremely popular target for attackers...
Very true. If I only got money for every time...
2020-01-15,08:09:14,137.74.176.165,404,GET,/wp-admin/install.php
2020-01-15,08:09:37,137.74.176.165,404,GET,/blog/wp-admin/install.php
2020-01-15,08:09:55,137.74.176.165,404,GET,/wp/wp-admin/install.php
2020-01-15,08:10:08,137.74.176.165,404,GET,/wordpress/wp-admin/install.php
2020-01-15,08:10:21,137.74.176.165,404,GET,/new/wp-admin/install.php
2020-01-15,08:10:39,137.74.176.165,404,GET,/old/wp-admin/install.php
2020-01-15,08:11:20,137.74.176.165,404,GET,/test/wp-admin/install.php
2020-01-15,08:11:59,137.74.176.165,404,GET,/main/wp-admin/install.php
2020-01-15,08:12:12,137.74.176.165,404,GET,/site/wp-admin/install.php
2020-01-15,08:12:26,137.74.176.165,404,GET,/backup/wp-admin/install.php
2020-01-15,08:12:39,137.74.176.165,404,GET,/demo/wp-admin/install.php
2020-01-15,08:12:59,137.74.176.165,404,GET,/home/wp-admin/install.php
2020-01-15,08:13:16,137.74.176.165,404,GET,/tmp/wp-admin/install.php
2020-01-15,08:13:36,137.74.176.165,404,GET,/cms/wp-admin/install.php
2020-01-15,08:13:54,137.74.176.165,404,GET,/dev/wp-admin/install.php
2020-01-15,08:14:09,137.74.176.165,404,GET,/portal/wp-admin/install.php
2020-01-15,08:14:27,137.74.176.165,404,GET,/web/wp-admin/install.php
2020-01-15,08:14:50,137.74.176.165,404,GET,/assets/wp-admin/install.php
2020-01-15,08:15:09,137.74.176.165,404,GET,/temp/wp-admin/install.php
2020-01-15,08:15:28,137.74.176.165,404,GET,/2018/wp-admin/install.php
2020-01-15,08:15:47,137.74.176.165,404,GET,/2019/wp-admin/install.php
2020-01-15,08:16:06,137.74.176.165,404,GET,/bk/wp-admin/install.php
2020-01-15,08:16:29,137.74.176.165,404,GET,/wp1/wp-admin/install.php
2020-01-15,08:16:50,137.74.176.165,404,GET,/wp2/wp-admin/install.php
2020-01-15,08:17:08,137.74.176.165,404,GET,/v1/wp-admin/install.php
2020-01-15,08:17:26,137.74.176.165,404,GET,/v2/wp-admin/install.php
^ this.
But if anyone needs it, here's my current list of OVH banned IPs (it's _always_ OVH that keep hammering away):
That's a bit overkill, say what you like about OVH - Not ALL of their network is full of spamming morons.
We have a fair chunk of stuff on there and if you accidentally spin up a bog-standard Server 2016 (I may or may not have done this recently, whilst distracted) instance on a public facing IP, in its vanilla format it'll spew out DNS amplification attacks. OVH auto-nuked the instance within the hour, so they are actually quite pro-active with spammy stuff and we're a legitimate partner - let alone a rogue individual spinning up VPSs solely for scanning/hacking.
I used to have a background script running that would poll the logs for just such a value and then block the ip address.
Always found it to be very helpful towards my stress levels since I could check the firewall logs and smirk at the legions of IPs I was blocking.
Basic but considering my server had no WordPress (or even php) any such attempts at visiting those urls must be naughty and thus deserving of a smiting.
... it gives me such a lovely honeypot for my fail2ban rules!
% cat filter.d/nginx-php.conf
# There are no PHP sites here, so all .php requests are from hackers only
[Definition]
failregex = ^<HOST> -.*"(PUT|GET|POST|HEAD|PATCH|DELETE).*\.php([^a-z0-9 ][^ ]*)? HTTP.*"
ignoreregex =
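An added example (mine, not either poster's script) that ties together the two posts above: the "poll the logs and block the IP" idea and the fail2ban filter. It applies the failregex from the filter to constructed nginx access-log lines and counts matches per host the way a jail compares hits against maxretry. fail2ban's <HOST> token is replaced by a plain `\S+` named group, which is an assumed simplification, and the findtime window is omitted.

```python
import re
from collections import Counter

# failregex from the filter above, with fail2ban's <HOST> token replaced by a
# named group. fail2ban expands <HOST> to an IPv4/IPv6/hostname pattern; \S+ is
# an assumed simplification for this example.
FAILREGEX = re.compile(
    r'^(?P<host>\S+) -.*"(PUT|GET|POST|HEAD|PATCH|DELETE)'
    r'.*\.php([^a-z0-9 ][^ ]*)? HTTP.*"'
)

# Constructed nginx access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jan/2020:08:09:14 +0000] "GET /wp-admin/install.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jan/2020:08:09:37 +0000] "GET /blog/wp-admin/install.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jan/2020:08:09:55 +0000] "GET /wp-login.php?action=register HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Jan/2020:08:10:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Jan/2020:08:10:02 +0000] "GET /docs/php-tutorial.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.9 - - [15/Jan/2020:08:11:00 +0000] "POST /xmlrpc.php HTTP/1.1" 404 162 "-" "curl/7.64.0"
"""


def probe_host(line: str):
    """Return the client host if the line matches the filter, else None."""
    m = FAILREGEX.match(line)
    return m.group("host") if m else None


def hosts_to_ban(log_text: str, maxretry: int = 3) -> list:
    """Hosts whose matching requests reach maxretry, as a fail2ban jail would
    decide (the jail's findtime window is deliberately left out here)."""
    hits = Counter()
    for line in log_text.splitlines():
        host = probe_host(line)
        if host is not None:
            hits[host] += 1
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print("MATCH " if probe_host(line) else "ignore", line[:70])
    print("ban:", hosts_to_ban(SAMPLE_LOG))
```

Note that the regex deliberately lets `.php?query=...` through but not `.php5` or `.phpx`, because the optional group must start with a non-alphanumeric character.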
My own shuttered WordPress site will eventually be converted to either a flat html or some other platform.
Mostly because of their filthy motto, the fascist 'Decisions, Not Options', which translates as 'Developers Decide, Little User', and is really the most offensive decision on the Web. Plus the lunatic upgrade frequency which rivals Firefox for stupidity, and the worst parts of PHP as a language.
But in this instance, because all outside extensions and add-ons are bound to be unmaintained and die eventually as either do their creators or their creators' interest.
Which means in effect, if it wasn't for their dumb command conceit, had they wrapped useful conceptions from add-on creators into Core, easy to be included or modified or turned off, as in the Linux Kernel --- by Users, as Options there would be far, far less of a problem.
Their ultimate control would even be enhanced by having everything under their roof: but that would mean letting Users make Decisions and not themselves. And they can't stand that.
For a full flat HTML I recommend Hugo - a really simple and fast static website generator, with lots of themes to choose from. Be prepared for frequent updates, though (to make it simpler I created build-hugo).