Re: Backend in JS!?
>Wordpress accounts for 80% of hacks BECAUSE it is the majority player,
I am not convinced, having in a former (apparently cursed) life, been a web admin for a 100% wordpress webhost, I can assure you that beneath the shiny CMS frontend, wordpress is a horrid insecure mess.
The amount of times I see wordpress do things like "exec($random_byte_string)", or "include $dynamic_path.php" in the code is frightening. It looks like it was programmed by 1st year undergrads as a "learning php" project.
The two things above, coupled with a buggy file_upload.php, most likely results in 99.9% of the hacks on wordpress.
I have seen it, where attackers use a page to send a random php byte string to the underlying exec() function (With no checks or sanitation on wordpresses part), resulting in a compromise.
The other method I have seen them use is to exploit the file_upload.php to upload their own php file, which they then execute by including their PHP in another file with a dynamic include function.
One thing I eventually did was disable exec() in php, which broke wordpress of course. I then went through all of the wordpress code, and rewrote the chunks that depended on exec to make it more secure.
The second thing I then did was make the wordpress web folders read-only to the web browser. This stopped the file_upload compromise. After that we had virtually no problems at all with security.
However, it also meant that (a) you could not install any plugins/themes once set RO, nor upload any files, and (b) some plugins/themes had to themselves be rewritten in order to work without exec.
I maintained this private branch for the company while I worked there, and there were no more compromises (but a lot of moaning from clients for why $free_plugin_X does not work on "our wordpress", and "Why can't I just upload files myself").
The content itself was held in a mysql DB, so once a wordpress site was configured with a theme and media uploaded, the text could be changed by the end user as normal.
So a "secure wordpress" can be done, but it requires a higher skilled developer to do, which is lacking in most of the wordpress ecosystem (especially in the "free themes/plugins" area).
Fact is, even if WP was 10% of the web market, it would still get exploited like now, because their security mistakes are so basic, your average script kiddie can compromise your site.