Matt posted a small bit regarding the recent alert NetworkSolutions put up claiming that there was a vulnerability (not giving a link either, undeserved). Turns out that the issue had nothing to do with WordPress, and more to do with their file permissions. His aptly titled post, Secure File Permissions Matter, raises a good point about security in general: your site is as secure as your server, which is actually as secure as where your server is kept.
If you think about it, what stops someone from logging in locally to your server and grabbing your passwords stored on file? The answer is a secure data center. I recently read a confession on Reddit (can’t remember the link) where a convicted hacker goes “public” and shares some of his experiences. One thing that really hit home is that when he prepares to attack a high-value target, he often gets in by accessing an insecure PC of a user that has access to the actual target. See, security is relative.
So when you think about website security, don’t just think about the website itself; think about other entry points too, online and offline. Unnecessary open ports, public phpMyAdmin access and so many other factors can leave you open to attacks.
The point of this post is just to show some support to the WP team for doing such a great job, and highlight that should your blog ever get hacked, don’t jump to conclusions. NetworkSolutions did and are now looking pretty silly for doing so. By the way, they haven’t admitted being at fault in their blog, which ironically is powered by guess what?!
Compromised security could be due to a plethora of possibilities: insecure file permissions, an old server OS not updated to fix security loopholes, packet sniffers for unencrypted logins or even something as simple as leaving yourself logged in at a public PC. I’m not saying WordPress is perfect and there are no potential security holes, but then again you can’t say that for any piece of software, so give them a break and the benefit of the doubt!