I'm no security guru and I'm looking for some basic info about blog software. I had WordPress and I was hacked. I am not certain whether it was actually because of WordPress or my host's FTP server, but I'd like to have what's most secure/affordable anyways. I was thinking about using Drupal but I found an article on this site that links to this list of vulnerabilities:
http://osvdb.org/search?search[vuln_title]=Drupal&search[text_type]=titles

Is there any free alternative to Drupal that is more secure? Is there a blog software alternative that is more secure and cheap (e.g. under $100 and preferably under $50)?

After reading through threads, it seems that new features in a blog tend to result in new vulnerabilities. For this reason, I wondered if there is any benefit to using an older version of Drupal or WordPress.

Are there any hosts that are more or less vulnerable than others? Is there a strategy to finding a secure host? Is there a preferable type of FTP server software that I should look for in a host?

Thank you.

'Movable type' is another major (free) blogging platform. It looks somewhat secure-ish.

Regarding new features introducing new vulnerabilities, I think it's still safer to use up to date software - otherwise you're at major risk from script kiddies. Remember to take into account the speed with which vulnerabilities get patched as well as how many there are.

Just keep Wordpress updated as much as you can. Once is falls behind an update it becomes a liability.

Security = Economics. It's that simple. You get what you pay for.

Build it yourself, it's the only way to be sure. Because no-one can make guarantees. If it ain't hosted dedicated, the chances you will be screwed increase dramatically if someone wants too. Steer away from FTP, and use SCP(SSH) only with your IP whitelisted.

That's a small start.

Thanks. It was interesting when you said you get what you pay for. I'm not sure if you only meant dedicated hosting and the investment of time to learn how to create one from scratch, or if you had some sort of alternate blog software that costs money in mind.

It seems that the security experts here always just lift a finger and find an XSS or injection vulnerability on virtually every website imaginable. Isn't there a form of blog software for sale that is coded by people like these forum users, who fixed every vulnerability they could spot? And only a ridiculously swift coder could ever find what the security specialists, like the ones on this forum, overlooked?



Edited 1 time(s). Last edit at 06/25/2010 09:24PM by slippery.

Actually I was planning to write such piece of software, only didn't find the time to do it. I wrote similar software for clients, and maybe I site down a weekend write something based upon what I already wrote. But it won't have a ton of features, like WordPress, simply because that takes too much time and I love simplicity :) but basic blogging will be possible.

But in the end custom (bespoke) coding will never be replaced by out of the box packages. Simply because the code you write is as secure as your server setup, think SSL admin login. If you blog on SSL, the connection is safe but you got a new problem. Since https != http, and https is in a chroot jail, you cannot write files (like images) from https to http, and so you need to lift security restrictions on https to have access to http. That kind of stuff you will ran into.

I would think that it isn't security experts you need to worry about - it's script kiddies. Thus all you need is software that gets patched quickly when vulnerabilities are discovered.

You could also just setup a blogspot account, and parse the rss to your own server and your database. Bit overhead, but the chances someone hacks Google just for your blog is seriously small.

@Skyphire that's plain nonsense - blogspot is awesome for creating poisoned test feeds because they allow everything. They don't filter based on GG's "usual" html filter.

Part of the trouble with blogspot is if that somebody owns it then they can access your gmail account too. Also it could get hit by a pretty nasty xss/csrf worm. On the bright side, they seem to take security seriously; I reported some xss and it was patched within 2 weeks.

Here's quite an off-the-wall suggestion, but how about learning security first, hardening the crap out of your install and then put up a blog? Seems to have worked for rsnake & id.. works better than letting others handle YOUR security.. I know.. call me silly.. :)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Tru that.

thrill Wrote:
-------------------------------------------------------
> Here's quite an off-the-wall suggestion, but how
> about learning security first, hardening the crap
> out of your install and then put up a blog? Seems
> to have worked for rsnake & id.. works better than
> letting others handle YOUR security.. I know..
> call me silly.. :)


Is that a bit like suggesting someone learn to build a car engine because they're having problems with their engine? Or maybe learning to create a secure blog with login accounts is not as complicated as I think? I am certainly willing to research some basics.

Is there any reason to think that Drupal or Wordpress have a security advantage over the other? Mentioning blogspot is interesting. I updated WordPress not long before it was hacked. I suspect there was a new update available shortly after I updated and before I was hacked, so it didn't take long to get attacked after a vulnerability became known. I wasn't procrastinating or being lazy with updates. Maybe having my blog actually hosted by WordPress would make it be updated automatically and instantly? Does that sound like it would solve the problem of updates?

If you really want you're car to run, then learn how to fix it / how it works. If you don't do it yourself, then you are at the mercy of those who are likely to cut corners (web app developers and mechanics are actually great analogies).

If you're okay with your car occasionally breaking down, then just go to the shop and let someone else handle it. If you're okay with occasionally being hacked, then just use someone else's product out of the box.

-clayfox

the internets are broken, you need to know way way too much to safely offer services, or even brows for that matter.

Though the situation is unfortunate, thrill and clayfox are correct.

-id

I agree, it's tough to make any kind of guarantee. This is unlike most things in the mechanical world, because if your taillight snaps, you can still drive. If some piece of code fails, it could affect the whole server, or even a whole network, it's like porcelain. If it gets hit, it really shatters.

We are lazy. Someone should write some cool blog software specifically for security researchers. I am ashamed I use wordpress but I am lazy. You cannot secure wordpress because the code was written by many crazy devs who think single quotes are a good idea on HTML attributes. You can make it less insecure by:-

1. Disabling XMLRPC
2. Disable forgotten password feature
3. Whitelist the comment form.
4. Filter+Whitelist all GET/URL requests
5. Change the defaults

Then if someone wants to pwn you they will although most automated attacks should be caught

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Quote

I am certainly willing to research some basics.

And while I may not be a brain surgeon, I am certainly willing to research some of the basics and try to pass myself off as an expert on the subject just so I can get some click thru's on my blog. Plagiarism will save the day!

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

@Gareth

I think many of us could pull it off. But I don't think it's a lazy issue, more an issue of getting dirty code and getting called out for it, in the sense of that it looks amateurish (because of strict coding and using less predefined functions) while in fact it isn't amateurish, because you step away from using predefined functions and handle every string yourself instead. Because a secure program doesn't look nice, if it's good. And then you get a ton of feature request and probably will end up like the rest.

it's nearly impossible to code something secure that has many lines of code, it has to be compact and only do what it's supposed to do. That is what I learned from designing electronic circuitry back in the day, that worked out best: keeping faults low by designing a circuit with less steps, and minimize the required steps do let it do what it's supposed to do. With such a meticulous approach, you can create secure software, that can even protect you against future/unknown attacks.

@Skyphire

Yeah I agree, as complexity increases so does insecurity.

One important difference that I have noticed while coding myself is that I make the same mistakes but I test my code often from the perspective of breaking it. This allows me to fix broken code before someone else finds it. The lesson I think is to teach devs how to break their own code.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Yeah I think you would agree on the fact that coding a secure app takes so much time, mostly time you don't have, and in the end you are doing most of the work in your own time otherwise the software costs too much.

I ran into this multiple times. Then I have 2 choices.

I can code it up and hope it turns out okay, and I get paid. Or I design every single step very cautiously but then I am working in my own time, and getting paid less for it. Companies simply do not understand the value of secure apps.

In this case, ignorance is bliss as a developer.