
Improving WordPress Password Security - mazsa
https://roots.io/improving-wordpress-passwords-security/
======
mgkimsal
"WordPress’ core team stance on bumping the PHP version requirement is
twofold:

1. Too many WP users are still on old versions like 5.2 and 5.3
2. They don’t care about new "features""

If you really do power 20%+ of the websites out there, do you not perhaps have
enough influence to influence a change? I could almost buy this reasoning 6-7
years ago. "If we start requiring PHP 5.1... all our users might flock to
something else that still only needs 4.3! We better not push things too much".

A large segment of the hosting world caters to the WordPress user (casual and
professional) and they will jump to whatever requirements WordPress puts out.
Where are they going to go? No one will want to upset this golden goose. WP,
make version 5.0 require PHP 7 and be done with it. People will upgrade. They
have no real choice - you've killed most any platform that might be a serious
competitor for the next several years.

~~~
kalenjohnson
You're absolutely correct. However, according to WP core devs, nothing should
ever be done to inconvenience the user. Moving to a new version of PHP, when
apparently users who have websites don't even know the name of the language
their website is built in, should not be put off by having to upgrade this
strange thing.

I can't agree enough though, WP can be a huge driving force in making all
hosting providers utilize modern versions of PHP. However, instead of using
that weight to make a difference, they're completely content to hold PHP back.
All at the expense and detriment of the user, in the name of the user.

~~~
mgkimsal
"nothing should ever be done to inconvenience the user."

Having sites hacked due to old version of PHP is an inconvenience.

Why not just tell everyone to chmod 777 the entire website too, just so
they're not inconvenienced?

Tongue-in-cheek, of course, but there's a balance to be struck between
convenience and security, and I think they're somewhat on the wrong side.

I was really mixed on the 'auto-update' wordpress core stuff. While I get it -
it keeps some people up to date - it also means my system needs to be left in
a state where software can be altered, and that means it can be maliciously
altered too.

The "moving to a new version when they don't know the language" argument - I
don't buy it. Almost everyone I know who has WordPress installed who is not a
techie has a host that manages it, or presses a button on a control panel.
Pressing another button, or having the host do some more stuff - neither of
these are inconveniences that outweigh the security benefits - not just to
that site owner, but the rest of the internet.

~~~
technion
> Why not just tell everyone to chmod 777 the entire website

I run a cron job on my hosting server that detects clients that have done
that. I alert several a week regarding the state of their security. I'm nearly
always told they followed some "WordPress installation guide" they found
online and won't be changing it.
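
An added example of the audit such a cron job would run (not technion's script, nor anything from the original thread), in Python. It flags every world-writable file or directory under a web root and any wp-config.php that other local users can read, which on shared hosting is the thing that actually leaks the database password. The sample tree it builds is constructed for the demo; the file names and modes are assumptions.

```python
"""Audit a web root for the chmod -R 777 anti-pattern. Added example, not
from the original post; assumes POSIX permission bits and builds its own
sample tree (constructed data) so it runs offline."""
import os
import stat
import tempfile


def find_world_writable(root):
    """Return [(relative_path, octal_mode)] for every file or directory
    under root whose 'other' write bit is set (the last 7 of 777).
    Symlinks are skipped: their own mode is meaningless and following them
    could walk outside the web root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                findings.append((os.path.relpath(path, root),
                                 oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


def find_exposed_config(root, name="wp-config.php"):
    """wp-config.php carries the DB password and the auth salts. On shared
    hosting it must not be group- or world-readable, or a neighbour on the
    same box can read it. Returns offending relative paths."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if name in filenames:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
                exposed.append(os.path.relpath(path, root))
    return sorted(exposed)


def build_sample_site(root):
    """Constructed sample: a tiny fake WordPress tree with one deliberate
    'chmod 777 uploads' mistake, as a how-to guide might instruct."""
    files = {
        "wp-config.php": 0o644,                   # readable by everyone: bad
        "index.php": 0o644,
        "wp-content/uploads/2016/a.jpg": 0o666,   # world-writable: bad
        "wp-content/plugins/foo/foo.php": 0o644,
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // sample\n")
        os.chmod(path, mode)
    # pin every directory to 755 regardless of the process umask ...
    for dirpath, dirnames, _filenames in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    # ... then apply the "installation guide" advice to the uploads tree
    for rel in ("wp-content/uploads", "wp-content/uploads/2016"):
        os.chmod(os.path.join(root, rel), 0o777)


def audit_sample():
    """Build the sample tree in a temp dir and return both audit results."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return find_world_writable(root), find_exposed_config(root)


if __name__ == "__main__":
    writable, exposed = audit_sample()
    for rel, mode in writable:
        print("world-writable %s %s" % (mode, rel))
    for rel in exposed:
        print("wp-config.php readable by other users: %s" % rel)
```

Pointed at a real docroot instead of the temp tree, `find_world_writable` is what you would feed into the alert; the uploads directory is the usual offender because it is the one the guides tell people to open up.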

------
tomschlick
WordPress really needs to move to git/github/gitlab. The fact that in 2016 all
of the plugins are part of a massive single svn repository is insane.

They would probably see a 10x improvement on contributions by moving to
github/gitlab almost overnight, potentially fixing these stupid issues.

As mgkimsal said, they should also take a hard stance and require PHP 7 for
version 5.0. The speed improvements alone would be worth it.

~~~
jlgaddis
People say the same thing about OpenBSD (WRT CVS) but, if it works just fine
for them, who's to say what they should (or "need") to use.

~~~
mgkimsal
"who's to say what they should use"

Those of us who have to clean up after it, and those of us who've had to deal
with spam and malware-infested wordpress sites interfering with our business.

Much like google/gmail, windows, and other large monopoly-like players,
WordPress has a huge impact on a lot of businesses; whether those businesses
are using WordPress or not, we still feel the impact (and yes, I am using it
for a couple projects as well - chmod 400 on pretty much the whole site unless
I'm doing updates).

------
ajsalminen
"Roots has long been critics of the out-dated PHP version requirements in
WordPress. They still have 5.2 as the minimum version which has been end of
life (EOL) since January 6th 2011."

This is ignoring the fact that distributions provide security updates for
older versions. Looks like RHEL5 includes PHP 5.1 and it's possible to get
support for it until 2020.

------
digitalengineer
It's even worse. Why can someone just keep trying to login on default WP
installation? Why can they try to guess usernames? First thing I install is:
[https://www.wordfence.com](https://www.wordfence.com)

~~~
snowwrestler
Does WordPress still not have basic rate limiting on forms?

~~~
krapp
It does not.
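
An added example, not WordPress code, of the two things this subthread says the stock login form lacks: throttling of repeated failures, and an error response that does not let an attacker confirm which usernames exist. The user table, IP addresses, thresholds and KDF parameters are constructed assumptions; the throttle keys on the client IP and on the target username independently, so a single IP spraying many accounts and many IPs hammering one account both get locked.

```python
"""Login throttling plus enumeration-safe error handling for a login form.
Added example, not WordPress code: the user table, IP addresses, thresholds
and KDF parameters below are constructed assumptions."""
import hashlib
import hmac
from collections import defaultdict, deque

MAX_FAILURES = 5        # failures tolerated ...
WINDOW_SECONDS = 600    # ... inside this sliding window, per IP and per user
LOCKOUT_SECONDS = 900   # how long a tripped key stays locked
GENERIC_ERROR = "Invalid username or password."
LOCKED_ERROR = "Too many attempts; try again later."


class LoginThrottle:
    """Sliding-window failure counter keyed by client IP and, separately, by
    target username. `clock` is injected so a test can fast-forward time."""

    def __init__(self, clock):
        self.clock = clock
        self.failures = defaultdict(deque)   # key -> timestamps of failures
        self.locked_until = {}               # key -> unlock time

    @staticmethod
    def _keys(ip, username):
        return ("ip:" + ip, "user:" + username.lower())

    def is_locked(self, ip, username):
        now = self.clock()
        return any(self.locked_until.get(k, 0) > now
                   for k in self._keys(ip, username))

    def record_failure(self, ip, username):
        now = self.clock()
        for key in self._keys(ip, username):
            stamps = self.failures[key]
            stamps.append(now)
            while stamps and stamps[0] <= now - WINDOW_SECONDS:
                stamps.popleft()             # drop failures outside the window
            if len(stamps) >= MAX_FAILURES:
                self.locked_until[key] = now + LOCKOUT_SECONDS
                stamps.clear()

    def record_success(self, ip, username):
        for key in self._keys(ip, username):
            self.failures.pop(key, None)


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20000)


# constructed user table: username -> (salt, derived key)
USERS = {"admin": (b"salt-admin",
                   _derive("correct horse battery staple", b"salt-admin"))}
# dummy record so an unknown username costs the same KDF work as a real one:
# no timing difference between "no such user" and "wrong password"
_DUMMY = (b"dummy-salt", _derive("not-a-real-password", b"dummy-salt"))


def login(throttle, ip, username, password):
    """Returns (ok, message). The message for an unknown user and for a wrong
    password is identical, so the form cannot be used to enumerate accounts."""
    if throttle.is_locked(ip, username):
        return (False, LOCKED_ERROR)
    salt, stored = USERS.get(username.lower(), _DUMMY)
    match = hmac.compare_digest(_derive(password, salt), stored)
    if match and username.lower() in USERS:
        throttle.record_success(ip, username)
        return (True, "ok")
    throttle.record_failure(ip, username)
    return (False, GENERIC_ERROR)


def simulate():
    """Constructed scenario: one IP guesses at 'admin' until it is locked
    out, then the real password is refused too until the lockout lapses."""
    clock = [0]
    throttle = LoginThrottle(lambda: clock[0])
    ip, real = "203.0.113.7", "correct horse battery staple"
    results = []
    for i in range(MAX_FAILURES + 1):
        clock[0] += 1
        results.append(login(throttle, ip, "admin", "guess%d" % i))
    clock[0] += 1
    results.append(login(throttle, ip, "admin", real))   # right, but locked
    clock[0] += LOCKOUT_SECONDS + 1
    results.append(login(throttle, ip, "admin", real))   # lockout lapsed
    return results


if __name__ == "__main__":
    for ok, msg in simulate():
        print(ok, msg)
```

In a real deployment the failure timestamps live in a shared store (the database or a cache) rather than in-process memory, since PHP-FPM workers do not share state; the window/lockout logic is unchanged.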

------
nikolay
WordPress just needs to break compatibility and launch a new version with
different requirements (such as PHP 7+ and MySQL 5.7+) and leave a couple of
guys just doing security fixes for legacy versions. Now it's such a weird mix
of functions, globals, classes, and it's just terrible to have such a vastly
popular product being so poorly written and architected! Abusing MySQL to
store vast amounts of metadata in wp_options and other tables when NoSQL
databases have been available for years is outrageous!

~~~
teh_klev
> when NoSQL databases have been available for years is outrageous!

I work for a shared hoster, we host a ton of WordPress sites.

The problem here is that in shared hosting world MySQL is ubiquitous, along
with PHP. It's all you need to get your WordPress blog up and running. Adding
a dependency on a NoSQL datastore breaks that simplicity. Also which NoSQL
database do you target because not all of them are suitable for running in
these types of environments.

Also wp_options is, as the table name suggests, mostly just option settings
which are looked up by a known key "option_name" then the json-like blob is
read from the "option_value" field and parsed. There's very little or no
searching done for values inside that blob so you're adding NoSQL complexity
just to store key/value pairs. MySQL is a well known, well understood thing
and "just works" for apps like WordPress.

~~~
nikolay
This problem could easily be solved by adapters. You can have a default
adapter storing this into MySQL tables, but open it up for databases that are
designed to do just that effectively. Oh, well, WordPress doesn't even support
PostgreSQL, which alone can do both pretty effectively. There's so much
spaghetti code in WordPress that I always have a bad feeling pushing that code
to Production (with capital "P").

A lot of people praise WordPress for the great number of plugins and themes,
but the reality is that only 1% of those are quality code, forward-compatible,
following best practices, secure, and suitable for use and not just getting
something out of the door quickly. That's why WordPress needs rethinking and
most importantly - some sandboxing of themes at least because you can't even
allow a shared hosting to upload custom themes as most of them can hack your
entire infrastructure being plain PHP code.

I can't believe that WordPress, being such an archaic product, doesn't
support Smarty-based themes, which could be execution-safe.

------
anexprogrammer
Blimey, it's taken until now to get bcrypt in WordPress?

What the heck took them so long?

~~~
jammycakes
What's more shocking is that not only are they not using bcrypt, they're still
using _MD5_.

Correct me if I'm wrong, but aren't there organisations being prosecuted in
some jurisdictions for having password security that weak?

~~~
anexprogrammer
Wouldn't surprise me, it's had lots of exposure with all the data leaks. I
last looked at passwords sometime in 2010 off the back of the infamous "use
bcrypt" post.

Just skimmed the WP ticket, what a horrible amount of effort to cover an edge
case of people regressing to a 4 years past dead PHP version.

------
The_Magistrate
Great article! I had no idea that WordPress still deployed on such outdated
versions of PHP.

I moved away from WordPress years ago, but it's always great to see the
community pushing to make everything more secure.

------
nikolay
So, when Argon2 won the password hashing competition [0] well over a year
ago, we still advise bcrypt?

[0]: [https://password-hashing.net/](https://password-hashing.net/)
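
An added example, not WordPress' or phpass' code, tying together jammycakes' point (the live format is the portable phpass "$P$" scheme, which is salted, iterated MD5) and nikolay's (bcrypt today, Argon2 tomorrow). Because the plaintext is only in hand at login, the migration has to be a rehash-on-successful-login rather than a batch job, and a `needs_rehash` policy keyed on the hash prefix means switching algorithm or raising the cost later is the same mechanism again. bcrypt and Argon2 are not in Python's standard library, so `hashlib.scrypt` stands in for the modern hash here; that substitution and the sample user row are assumptions.

```python
"""Verify WordPress-style legacy phpass ("$P$", iterated MD5) hashes and
upgrade them on successful login. Added example, not WordPress or phpass
code; hashlib.scrypt stands in for bcrypt/Argon2 (assumption)."""
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _encode64(data, count):
    """phpass' own base64 variant (different alphabet, no padding)."""
    out, i = [], 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password, setting):
    """Recompute a portable phpass hash from its 12-char prefix: '$P$', one
    char giving log2(rounds), 8-char salt. WordPress uses 'B' = 8192 rounds."""
    if len(setting) < 12 or setting[:3] != "$P$" or setting[3] not in ITOA64:
        return None
    rounds = 1 << ITOA64.index(setting[3])
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(rounds):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_hash(password, count_log2=13):
    """Produce a legacy hash the way an existing WordPress row looks."""
    salt = _encode64(os.urandom(6), 6)
    return phpass_crypt(password, "$P$" + ITOA64[count_log2] + salt)


def modern_hash(password):
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N,
                        r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$scrypt$%d$%s$%s" % (SCRYPT_N, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Dispatch on the hash prefix, as crypt(3)-style strings allow."""
    if stored.startswith("$P$"):
        computed = phpass_crypt(password, stored)
        return computed is not None and hmac.compare_digest(computed, stored)
    if stored.startswith("$scrypt$"):
        _, _, n, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=SCRYPT_R, p=SCRYPT_P, dklen=32)
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False


def needs_rehash(stored):
    """True for legacy hashes and for modern ones below current cost, so a
    later cost bump or algorithm switch is just another rehash-on-login."""
    if not stored.startswith("$scrypt$"):
        return True
    return int(stored.split("$")[2]) < SCRYPT_N


def login_and_upgrade(users, username, password):
    """users: dict username -> stored hash, updated in place on upgrade.
    Returns (ok, upgraded)."""
    stored = users.get(username)
    if stored is None or not verify_password(password, stored):
        return (False, False)
    if needs_rehash(stored):
        users[username] = modern_hash(password)
        return (True, True)
    return (True, False)


def demo():
    """Constructed table with one legacy row; three logins show the upgrade."""
    users = {"editor": phpass_hash("hunter2")}
    first = login_and_upgrade(users, "editor", "hunter2")    # verified, upgraded
    second = login_and_upgrade(users, "editor", "hunter2")   # already modern
    wrong = login_and_upgrade(users, "editor", "hunter3")    # rejected
    return first, second, wrong, users["editor"]
```

Accounts that never log in keep their "$P$" hash indefinitely, which is the usual argument for forcing a reset on dormant accounts after a cut-off date rather than waiting for the migration to complete on its own.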

