# Wordpress security warning

## mocsokmike

Hi,

At a user's request I installed Wordpress on our corporate webserver. The package itself was in testing (~amd64 keyword), and after installing I ran webapp-config, which gave me this message:

> !!!!!!!!! SECURITY WARNING !!!!!!!!!!!
>
> Wordpress has had a history of serious security flaws. Any application with less widespread use but the same amount of security issues would
> ...


It is not live yet. I want to investigate this warning message further.

The hard mask part is not true, so I was wondering if leaving this in webapp-config was not intentional?

Or should I stop using WP in our company?

I am new to WP, and not aware of its history of security issues. Please let me know your opinion about this webapp.

The version I installed is: www-apps/wordpress-4.9.8

----------

## bunder

All it means is that it might take a couple of days for an updated ebuild when wordpress needs to push out a new version (which happens somewhat regularly) to fix security issues.  Since wordpress is one of the biggest CMS packages, it's a common target for bots exploiting security holes.  Wordpress internally tracks new versions on the dashboard, so if they put out a new version and you don't have an ebuild yet, you might want to consider setting up an overlay where you can temporarily bump the packages yourself until the main portage tree catches up.

----------

## mocsokmike

Oh, that's OK. I will keep an eye on it.

Still, it is easier to use portage to update it automatically.

Thanks for the explanation!

----------

## Hu

In my opinion, it is extremely dangerous to run a Wordpress install that is accessible over the network to anyone to whom you would not entrust a local shell.  If the blog is run solely internally, it might be an acceptable risk.  (Remember that you must worry about every employee, and every bit of malware that might ride in on an employee's device.)  If the blog is exposed to the world, I would not do it.

----------

## mocsokmike

@Hu, can you elaborate? In our case, this site would be accessible from the Internet.

----------

## hdcg

Hi mocsokmike,

to give you an idea:

https://www.wordfence.com/blog/2017/04/march-2017-wordpress-attack-report/

https://sucuri.net/reports/2017-hacked-website-report

https://wpplugins.tips/wordpress-security-statistics/

Due to the wide use of Wordpress it is number one on any attacker's list, and attacks are well supported.

Wordpress "supports" this by its overwhelming functionality and a huge number of not always well maintained plugins.

I did once run a Wordpress site, and the continuous attack attempts made me switch to a simpler file based CMS.

My insights from this experience are:

- Prepare for continuous support/monitoring of the site
- Use a setup capable of performing self-updates (to be prepared for zero-day exploits); I do not know whether the ebuild based setup supports this
- Avoid plugins (at least ones of poor quality)
- Look out for more security related Wordpress tips

Best Regards,

Holger

----------

## mocsokmike

Thank you, Holger. This really made me think about using something else instead of WP.

I'd rather not be in the spotlight of hackers.

----------

## Hu

Wordpress has a history of severe security problems, including allowing remote users to obtain code execution on the system running the Wordpress install.  If your use case is exposing the content to the Internet, I would not trust Wordpress to do the job safely.

----------

## Muso

There are 1,107 Wordpress exploits on the ExploitDB.   There are guaranteed to be some being sold on the deep web as well.

----------