From: Ignoramus25096 on 14 May 2010 21:19

I have been generally averse to running PHP based software on my websites due to security concerns. I used mod_perl and wrote most of the stuff myself (algebra.com).

This is not a jab at PHP, by the way. I think that there is relatively little wrong with PHP (I do not want to get nitpicky), except that there are some widely used PHP software packages that are a natural target for hackers.

Anyway, my 9 year old son wants to have a blog and I want to set him up with Wordpress.

My plan right now is to install it as a Ubuntu package, so that it would get automatic updates (I update every night, usually).

My son would have a relatively limited set of privileges (creating posts and deleting comments).

My question is, how realistically secure is this setup? How much am I risking? The server in question runs Ubuntu Lucid.

Thanks

i

From: Sam on 14 May 2010 22:08

Ignoramus25096 writes:

> I have been generally averse to running PHP based software on my
> websites due to security concerns. I used mod_perl and wrote most of
> the stuff myself (algebra.com).
>
> This is not a jab at PHP, by the way. I think that there is relatively
> little wrong with PHP (I do not want to get nitpicky), except that
> there are some widely used PHP software packages that are a natural
> target for hackers.
>
> Anyway, my 9 year old son wants to have a blog and I want to set him
> up with Wordpress.
>
> My plan right now is to install it as a Ubuntu package, so that it
> would get automatic updates (I update every night, usually).
>
> My son would have a relatively limited set of privileges (creating
> posts and deleting comments).
>
> My question is, how realistically secure is this setup? How much am I
> risking? The server in question runs Ubuntu Lucid.

You have some valid concerns.

Create an account for your son on https://www.blogger.com/. Set up some bookmarks that will let him quickly log on and start posting.

If you really want to use Wordpress, consider installing it on a server on your LAN that's not directly accessible on your Internet. On your gateway server/firewall, run a basic Apache and use mod_rewrite directives to proxy a set of URLs limited only to the ones that retrieve the contents of the blog to your internal server.

So, from the Internet, only those URLs that pull static content off the blog will work. URLs for the login page, etc, will not be accessible.

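The gateway arrangement described in the post above, sketched as an added example that is not part of the original post: an Apache 2.2 virtual host that forwards only read-only blog URLs to the internal server and refuses the rest. The internal address 192.168.1.10 is a placeholder, and the URL patterns assume a stock WordPress layout (wp-content/, wp-includes/, wp-admin/, wp-login.php, xmlrpc.php); posting comments from the Internet is refused along with everything else that is not GET or HEAD.

```apache
# Internet-facing gateway, Apache 2.2.
# Needs mod_rewrite, mod_proxy and mod_proxy_http enabled.
# 192.168.1.10 is a placeholder for the WordPress host on the LAN.
<VirtualHost *:80>
    ServerName firstname.lastname.com

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    # Hand the public Host header to the internal server unchanged.
    ProxyPreserveHost On

    RewriteEngine On

    # Read-only from outside: refuse anything that is not GET or HEAD.
    RewriteCond %{REQUEST_METHOD} !^(GET|HEAD)$
    RewriteRule ^ - [F]

    # Static assets shipped by themes, uploads and WordPress core.
    RewriteRule ^/blog/(wp-content|wp-includes)/(.+\.(css|js|png|gif|jpe?g|ico))$ http://192.168.1.10/blog/$1/$2 [P,L]

    # Front page, posts and archives: nothing under a wp-* path and
    # no script requested by name. The query string is passed along.
    RewriteCond %{REQUEST_URI} !^/blog/wp-
    RewriteCond %{REQUEST_URI} !\.php
    RewriteRule ^/blog/(.*)$ http://192.168.1.10/blog/$1 [P,L]

    # Whatever is left under /blog/ (wp-admin/, wp-login.php,
    # xmlrpc.php, ...) is refused at the gateway.
    RewriteRule ^/blog/ - [F]
</VirtualHost>
```
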
From: Jerry Stuckle on 14 May 2010 22:17

Ignoramus25096 wrote:

> I have been generally averse to running PHP based software on my
> websites due to security concerns. I used mod_perl and wrote most of
> the stuff myself (algebra.com).
>
> This is not a jab at PHP, by the way. I think that there is relatively
> little wrong with PHP (I do not want to get nitpicky), except that
> there are some widely used PHP software packages that are a natural
> target for hackers.
>
> Anyway, my 9 year old son wants to have a blog and I want to set him
> up with Wordpress.
>
> My plan right now is to install it as a Ubuntu package, so that it
> would get automatic updates (I update every night, usually).
>
> My son would have a relatively limited set of privileges (creating
> posts and deleting comments).
>
> My question is, how realistically secure is this setup? How much am I
> risking? The server in question runs Ubuntu Lucid.
>
> Thanks
>
> i

PHP is no more or no less secure than any other language. It's the programmers who make or break security, not the language.

If you want to know about any specific package, you should be asking in the support structure for that package, not on PHP or Linux newsgroups.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(a)attglobal.net
==================

From: Ignoramus25096 on 14 May 2010 22:31

On 2010-05-15, Sam <sam(a)email-scan.com> wrote:

> Ignoramus25096 writes:
>
>> I have been generally averse to running PHP based software on my
>> websites due to security concerns. I used mod_perl and wrote most of
>> the stuff myself (algebra.com).
>>
>> This is not a jab at PHP, by the way. I think that there is relatively
>> little wrong with PHP (I do not want to get nitpicky), except that
>> there are some widely used PHP software packages that are a natural
>> target for hackers.
>>
>> Anyway, my 9 year old son wants to have a blog and I want to set him
>> up with Wordpress.
>>
>> My plan right now is to install it as a Ubuntu package, so that it
>> would get automatic updates (I update every night, usually).
>>
>> My son would have a relatively limited set of privileges (creating
>> posts and deleting comments).
>>
>> My question is, how realistically secure is this setup? How much am I
>> risking? The server in question runs Ubuntu Lucid.
>
> You have some valid concerns.

Thanks.

> Create an account for your son on https://www.blogger.com/. Set up some
> bookmarks that will let him quickly log on and start posting.

Well, there are two reasons why I decided against this approach.

1) SEO

His website is on a page http://firstname.lastname.com/. This is his lifetime, permanent web address that he can carry around forever. I want this to be page #1 for SERPs in his name.

I want to do it now so that it solidifies over the next several years.

2) He is too little yet to have a Google account.

> If you really want to use Wordpress, consider installing it on a server on
> your LAN that's not directly accessible on your Internet. On your gateway
> server/firewall, run a basic Apache and use mod_rewrite directives to proxy
> a set of URLs limited only to the ones that retrieve the contents of the
> blog to your internal server.
>
> So, from the Internet, only those URLs that pull static content off the blog
> will work. URLs for the login page, etc, will not be accessible.

Maybe I should block any access to

http://firstname.lastname.com/blog/wp-admin/

to anything except localhost and our home LAN? Would that be sufficient?

i

From: Ignoramus25096 on 14 May 2010 22:38

Here's my VirtualHost entry for his website.

    <VirtualHost xxxxx:80>
      ServerName firstname.lastname.com
      DocumentRoot /his/directory/firstname.lastname.com
      Alias /blog/ /usr/share/wordpress/
      <Location /blog/wp-admin/>
        Order deny,allow
        Deny from all
        Allow from 75.146.106
        #Allow from 64.94.157.1
        Allow from 127.0.0.1
      </Location>
    </VirtualHost>

I also disabled "Anyone can register" and set "Only registered users can post comments".

i
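
An added example, not part of the original post: the same LAN-only rule in Apache 2.2 syntax, scoped by filesystem path and extended to the WordPress login script and XML-RPC endpoint, which sit in the WordPress root beside wp-admin/ and are therefore not matched by a section for /blog/wp-admin/. The address ranges and the /usr/share/wordpress path are taken from the post; restricting these two extra scripts is this example's assumption about what "admin access" should cover.

```apache
<VirtualHost xxxxx:80>
    ServerName firstname.lastname.com
    DocumentRoot /his/directory/firstname.lastname.com
    Alias /blog/ /usr/share/wordpress/

    # Dashboard scripts, matched by their directory on disk so the rule
    # holds for every URL that maps to these files.
    <Directory /usr/share/wordpress/wp-admin>
        Order deny,allow
        Deny from all
        Allow from 75.146.106
        Allow from 127.0.0.1
    </Directory>

    # Login form (wp-login.php) and remote-publishing endpoint
    # (xmlrpc.php) live in the WordPress root, not under wp-admin/.
    <Directory /usr/share/wordpress>
        <FilesMatch "^(wp-login|xmlrpc)\.php$">
            Order deny,allow
            Deny from all
            Allow from 75.146.106
            Allow from 127.0.0.1
        </FilesMatch>
    </Directory>
</VirtualHost>
```

A request to /blog/wp-login.php from an address outside the allowed ranges should return 403 once this is loaded; public pages under /blog/ are unaffected.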