Wordpress for company website?

twain Member
edited August 2011 in General

Good idea? Any thoughts on what to keep in mind security-wise? Would be using Keith2's lowendscript for Squeeze. Also, the billing part of the website will be on the same server, likely a subdomain; will probably try to use Netenberg's Accountlabplus; not sure if anyone has ever used this or how it might integrate with Wordpress.

Comments

  • Deor Member

    Plenty of people use wordpress for company sites, I've rarely used it so can't comment on security, sorry.

  • Being at the top of the heap, it's a target. You can use it but remember that you'll have to sit on it security-wise, both for the main software as well as any plugins you install.

    Think of it as the IE of the blogging world.

  • ztec Member
    edited August 2011

    Drmike, what would you suggest as alternative, Drupal? I know lots of people in my line of work who build their whole company on wordpress.

  • I'm really not in a position to judge without seeing the site. For blogging, we moved folks over to a forked version of Serendipity a few years back.

  • On the topic of security, since WordPress is such a big target, Automattic would also be working very hard getting all the bugs ironed out. A lot of times it's the lazy guy behind the keyboard who forgot to upgrade, or some 3rd party plugin that got exploited.

    Blog at LowEndBox.com.

  • I disagree with that. One of the last security problems was known for well over a year. It was just ignored.

    I'll provide links later on.

  • LowEndAdmin said: A lot of times it's the lazy guy behind the keyboard who forgot to upgrade

    I am the lazy guy xD

    Is there something to notify you about updates? A kind of plugin+cronjob?

  • Infinity Retired Staff

    AFAIK, it already tells you when updates are available.

    I am a troll (;

  • I've been using Wordpress for everything lately. It's great.

    Preetam @ Bitcable

  • I want to see Wordpress running on SQLite. For most of my cases MySQL is just a waste of resources. But if you're fine with MySQL I guess Wordpress might be the best choice in terms of usability and stability.

  • I'm still not feeling good so I'm going home in a second. We discussed the security issue in the comments in this thread:

    http://wank.wordpress.com/2009/09/06/windowspress/

    @skagerrak please give this a read and see if that helps: http://pdp7.org/blog/?p=75

    Googling pulls up lots though: http://www.google.com/search?q=wordpress+SQLite

  • skagerrak Member
    edited August 2011

    @drmike: Thanks for the link. I tried that plugin already but it causes more problems than winnings. Most other plugins for WP do not rely on the Wordpress interaction with the DB but hard-code mysql*-commands. And Wordpress itself gets pretty slowish with the SQLite plugin. Sadly.

    You're perfectly right with the security issues though. But in my comparison WP is still better to handle than Joomla or Drupal was. However, I was never such a big friend of these 'I-can-do-everything' solutions. I always end up hacking my own little script. Takes some time but does the job quite fine in the end.

  • WordPress works fine as long as you have a professional and great-looking template :)

    LoomHosts VPS Servers - Dallas VPS | Reliable, Affordable, Solid

  • A template isn't going to save your ass from a hacker.

  • edited August 2011

    @drmike: Yeah, seems like Wordpress hasn't beefed up the security in their script since... how long. But you can still secure it yourself pretty much since it's pretty easy to edit the functions in there.

    LoomHosts VPS Servers - Dallas VPS | Reliable, Affordable, Solid

  • Plenty of companies use wordpress but prefer html because it is simple and loads faster. However we do use wordpress on our blog.

    Great budget VPS hosting @ http://basshost.com

  • From my experience wordpress has a lot of loopholes for hackers, so for a company site it's not recommended.

  • There is absolutely nothing wrong with using WordPress for your company site - 14% of all sites on the Internet use it. In my non-LowEndBox life I co-run a WordPress hosting platform aimed at high-end sites - we only do WordPress hosting. We host many, many large companies and household names running WordPress for their site CMS.

    The core WordPress project is probably one of the most secure CMSs out there as it is open source - anyone can see the code and spot vulnerabilities.

    Successful hacks on WordPress almost always occur via dodgy plugins that someone's downloaded, a hacked theme (most "free" themes found via Google have backdoors - don't download them from an unofficial source) or from an insecure server setup.

    If your company expects to actually win business via its website, you might want to run it on something more than a low end box to ensure a level of quality that fits with the business.

  • @dotben, really sounds like you're a fan boy as you're pretty much feeding them the party line.

    Just because it's open sourced doesn't mean that it's secure. As I noted up above, they had a reported security problem that went ignored for about 18 months:

    http://core.trac.wordpress.org/ticket/10415

    I'm also surprised to hear you put the blame on plugins when the latest security issue is just plain wordpress with no mention of any plugin:

    http://threatpost.com/en_us/blogs/hacked-wordpress-blogs-used-poison-google-image-search-080811

    And it's not the first time either:

    http://www.earnersblog.com/wordpress-hacked/

    As to the bit about only downloading from secure and official sites, I will point out that a number of plugins and themes downloaded from wp.org have contained questionable code, only being pulled after it's pointed out:

    http://wpmu.org/wordpress-security-101-8-tips-tricks-and-tweaks-to-secure-your-wordpress-website/

  • ztec Member
    edited August 2011

    I have over 60 wordpress installations running, from low traffic to high traffic, never got hacked. Using a lot of syndication plugins.

    Somebody warned me I should be careful and go for Drupal, still didn't act on it though.

  • drmike Member
    edited August 2011

    shrug Covering your ass and paying attention to required upgrades is the way to go. We still have nearly 200 wpmu installs although we've taken additional security measures above what Automattic has done.

    edit: Not being a target is a plus too. Easiest and quickest method of protecting your butt is to change the wording on the login and registration pages. (Not that I told you such a thing of course.)

  • @drmike yeah, well my company is a venture funded startup, hosting tons of big companies and employing 5+ people. And we just do WordPress. So yeah, I guess I am a fanboy.

    I'm not familiar with your ticket in trac, but it looks like the variable you/McGurk posted is escaped when it is inserted into the database... Everything inserted into the database in WP Core is passed via $wpdb->prepare() which escapes input. The WordPress coding standard is to intentionally NOT escape until the moment of db insertion - which may or may not match your own.

    I'm not sure how Al Gore's site was hacked but it looks like they used a well documented vector in old versions of Thesis theme - which again, is a plugin/theme 3rd party vector.

    Changing the wording on your registration and login pages is really very little "protection" because most scripts looking to exploit a WP site are going to sniff the relevant urls (/wp-admin/) and you need to keep those intact in order for WP to work correctly.

    If you are interested in chatting more about WordPress security ping me ben AT wpengine dot com - you've helped a lot of people on here, DrMike, with LEB issues so let me know if I can be of assistance with your 200+ WPMU install.

  • Ben,

    dotben said: I'm not familiar with your ticket in trac, but it looks like the variable you/McGurk posted is escaped when it is inserted into the database

    I think what drmike tried to imply is -- that bug was discovered over 2 years ago (15 July 2009), and was only patched on 30 Nov 2010. Check the 2 changesets at the end of the comments. So throughout the whole time WordPress might be vulnerable if someone managed to craft SQL injection into $tb_ping.

    I know that it has already been resolved. However it does not demonstrate a good track record for WordPress regarding security issues.

    I have to say that I've been running WordPress since 1.2, ran it on a dozen or so sites and I don't recall being hacked ever (I might just be lucky). I do use a very minimal number of plugins though, usually upgrade to the latest version on the day it gets released, make sure my wp-content/ directory is not writeable by PHP, etc. WordPress has also picked up their game significantly over the last 2 years -- WP sites used to be hacked left and right, but now they give you constant update alerts to nag you into keeping your core, plugins and themes up to date.

    Drupal on the other hand -- while it might be good and does pretty much everything under the sun, it is a nightmare to upgrade. Way too complicated, and little compatibility between versions which means you have to source all the modules and themes again on each major version bump.

    Blog at LowEndBox.com.

  • LowEndAdmin said: I think what drmike tried to imply is

    There's been a couple of those over the years. I was in a hurry and just quickly posted what I could find right off. On many of the 0-day reports, you'll see that the reporter mentions contacting wp/automattic's security email, waiting upwards of a week for a reply and/or a fix, and finally publicly announcing what they've found just to get them to fix the issue.

    LowEndAdmin said: I don't recall being hacked ever

    I can count on less than one hand where we've had a run of installs on any platform where we've been hacked. (We do managed shared hosting and all of the installs, upgrades, etc.) Usually upgrades are done within 24 hours. After that we can run tails on the logs to see kiddie scripters trying to hack them.

    Ones and twos get hacked all the time. People with their crappy passwords....

  • I've just been playing about with a slightly different nginx configuration for wordpress, which appears to be working ok & a security improvement, restricting access to the admin.
    Tested with just the admin user created.
    Instead of

        location / {
            index index.php;
            if (!-e $request_filename) {
                rewrite ^(.*)$  /index.php last;
            }
        }

    I've changed this to

        # static admin assets: the longest prefix match wins, so this block
        # is exempt from the deny in /wp-admin below
        location /wp-admin/css {
            index index.php;
            if (!-e $request_filename) {
                rewrite ^(.*)$  /index.php last;
            }
        }
        # everything else under /wp-admin: only the listed address gets through
        location /wp-admin {
            allow n.n.n.n;
            deny all;
            index index.php;
            if (!-e $request_filename) {
                rewrite ^(.*)$  /index.php last;
            }
        }
        # public site, unchanged
        location / {
            index index.php;
            if (!-e $request_filename) {
                rewrite ^(.*)$  /index.php last;
            }
        }

    Where n.n.n.n can be your static IP (if you have one), the subnet you're on from your ISP or the IP of the vps you're using as a vpn.
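    As an added example (not the poster's configuration and not from any project), here is the same idea reworked for the dynamic-IP objection raised later in the thread: the trusted address goes straight through, anyone else has to pass HTTP basic auth instead of getting a flat 403, and it also covers wp-login.php and the admin-ajax.php endpoint that front-end plugins call for anonymous visitors. It assumes a `server` block for the site, PHP-FPM on /run/php/php-fpm.sock, 192.0.2.10 as a placeholder trusted IP and an htpasswd file at /etc/nginx/wp-admin.htpasswd.

```nginx
# Added example, not the poster's config. Assumptions: PHP-FPM on the socket
# below, 192.0.2.10 as a placeholder trusted IP (RFC 5737 test range), and an
# htpasswd file created with the htpasswd tool at the path given.
index index.php;

# Front-end plugins call admin-ajax.php for anonymous visitors, so it stays
# reachable. An exact-match location wins over every other location.
location = /wp-admin/admin-ajax.php {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}

# Static admin assets are harmless (the poster's /wp-admin/css case, widened
# to js and images). Regex locations match in file order, so this wins first.
location ~ ^/wp-admin/(css|js|images)/ {
    try_files $uri =404;
}

# Admin screens and the login form (the posted snippet left wp-login.php open).
# satisfy any: the trusted IP goes straight through, everyone else must pass
# HTTP basic auth instead of getting a flat 403, which handles dynamic ISP IPs.
location ~ ^/(wp-admin/|wp-login\.php) {
    satisfy any;
    allow 192.0.2.10;
    deny all;
    auth_basic "WordPress admin";
    auth_basic_user_file /etc/nginx/wp-admin.htpasswd;

    try_files $uri $uri/ /index.php?$args;
    # Nested so PHP under /wp-admin runs only after the checks above; the
    # allow/deny/auth_basic directives are inherited by this inner location.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}

# Public site: pretty permalinks, then PHP for everything not caught above.
location / {
    try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}
```

    Run `nginx -t` after editing and check the access log for 401/403 responses on /wp-login.php to confirm the gate is in front of the login form as well as the admin screens.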

  • Try explaining what a static IP is to a soccer mom on a Time Warner cable modem that randomly changes not only IP addresses but entire classes at any time. :P

    Then you have to take into account when they go visit their Aunt Jackie five states over.

    Plus all of our wp installs are wpmu installs, the largest up around 45k sites. No way to restrict to IP addresses with that.

  • If soccer mom uses her Time Warner cable modem as business access to her Wordpress company site I would strongly encourage her to rethink her business plan.

  • drmike Member
    edited August 2011

    @skagerrak you're going to explain yourself, right? This isn't the main site. We back up what we say over here.

    To be honest though, we don't put our clients on WordPress.

  • Yes I think for the SUV-driving soccer moms who want to blog or run their side business' website, it is better to put them on a hosted service than a WordPress installation. I am not sure what @dotben does, but sounds like it's the kind of service his company provides.

    Or WordPress.com. Or BlogSpot. Or Squarespace, Tumblr, Posterous, etc.

    Blog at LowEndBox.com.

  • LowEndAdmin said: Yes I think for the SUV-driving soccer moms who want to blog or run their side business' website, it is better to put them on a hosted service than a WordPress installation.

    @drmike: That's what I tried to express ;-)

  • Even though I don't use WordPress, on my sites I rarely update the script if I use one, which is the reason why 99% of the time I stay at the mercy of hackers/abusers of any level who use the latest vulnerabilities to jump in smoothly! If I update as LEA says, and better on the same day each update comes out, I'm sure 99% of such hacking of my site can be avoided.

    But luckily I keep regular backups else where, and I make sure they are safe. Keep a backup in my PC as well for the core website data which isn't too big in size.

    I think WordPress will be suited, also depending on the nature and content of your website. There are other CMSs than WordPress; I'm sure you can get a CMS that is already built specifically to suit companies, e-commerce, etc., but probably Wordpress can do as well.

    ☻☻ VPS ☺ as of now:- 384-256-128-512x2 ☺☺

  • dotben Member
    edited August 2011

    LowEndAdmin said: I am not sure what @dotben does, but sounds like it's the kind of service his company provides.

    Yeah, I've intentionally not mentioned the name of my company - not wanting to plug - but we start at $50/month for CDN'd/premium support orientated accounts (and go up to $k's/month).

    At $50 we're mostly b2b but we do have some individuals. Many small businesses such as doctor offices or law firms have no on-site tech people so the $50 to square off all technical and operational burden is a value to them. We also host the blogs of a lot of Internet startups, large retailers, etc.
