
Re: Bug#672695: wordpress: no sane way for security updates in stable releases



On 05/13/2012 05:32 PM, Russell Coker wrote:
> There are lots of people who choose Wordpress because it seems to provide a 
> lot of features that other systems don't provide, which includes a significant 
> set of free themes and plugins which are available from Wordpress.org (not in 
> Debian).
>   
From my experience, the fewer plugins you use, the safer you are
with wordpress. If you let your users install whatever plugins
they want without running wordpress in a chroot, then it's a
security disaster, IMO.

I have countless examples of PHP files uploaded, then executed
to run phishing sites, spams, etc. So much that now I require
users to manually chmod +x all their PHP files before they can
run, as uploaded PHP files won't be +x by default (it's a nice
security safeguard anyway).

Thomas
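
An audit for the execute-bit policy described in the message above, as an added example that is not part of the original post or of any Debian or WordPress tooling. It assumes the server only runs PHP files that are +x; the function names, the extension list and the `*/uploads/*` path pattern are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: audit a web root under a "PHP runs only if +x" policy.
# Usage after sourcing this file: audit_webroot /path/to/webroot

# list_exec_php ROOT
# Print every PHP-like file under ROOT that has any execute bit set.
# The extension list is an assumption; match it to the server's handlers.
list_exec_php() {
    find "$1" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print | sort
}

# audit_webroot ROOT
# One line per finding:
#   UPLOAD  path  executable PHP inside an upload directory (*/uploads/*)
#   ENABLED path  executable PHP elsewhere, i.e. enabled on purpose
# Returns 1 if any UPLOAD finding exists, 0 otherwise.
audit_webroot() {
    found=0
    # A here-document keeps the loop in the current shell, so "found"
    # survives the loop (a pipe into "while" would lose it).
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        case "$f" in
            */uploads/*) printf 'UPLOAD  %s\n' "$f"; found=1 ;;
            *)           printf 'ENABLED %s\n' "$f" ;;
        esac
    done <<EOF
$(list_exec_php "$1")
EOF
    return "$found"
}
```

An UPLOAD line means a file in a directory that normally holds only uploaded content has been made executable, which under this policy is the state worth reviewing first.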

