Quote:
Originally Posted by Varius
Most third-party software has exploits for the simple reason that its makers don't thoroughly test it.
When software is free/open-source, or costs a minimal amount of money, its makers' monetization usually comes from getting it to market faster than the competition and/or from supporting the software.
They don't have the motivation to try every conceivable way to mess with their code; they are offering a blog tool or plugin, not securing a government registry tool (not to say those can't be exploited, heh).
It may sound arrogant, but I'm with BestXXXPorn on this one; when it's an important project, where security is an issue, I make sure the code is tight, and I'm more confident using my own code than popular third-party apps.
People say PHP is "more hackable," but that's false; the true reason is that PHP is a "loose" language, so people who read a tutorial or two suddenly think they are programmers and write very sloppy, insecure applications.
Regardless, if your code is secure, that doesn't mean much if other ports/software on the machine are vulnerable. It just means you will only have to worry about more targeted hacks and not publicized WordPress holes.
Everything said in this post is helpful, but just to follow up on it...
Let me stress once again: on top of spending thousands of dollars/hours tightening up scripts,
when using 3rd-party applications, change the common file names & "footprints" of the script (the ones searchable in the major engines). The less your site can be found by exploit scanners, the less likely you are to be hacked. P.S. Renaming the files will have no real adverse effect on your SE rankings.
For instance, hackers will have a program submit the following to Google in several formats:
powered by WordPress
Entries (RSS) and Comments (RSS).
or look for /wp-admin/ directories by IP subnets well known to be owned by hosting companies. Simply changing mundane file structures & footprints will leave you 100x less likely to have your blog (for example) scanned every time a new 0-day exploit hits.
So yes, tighten your scripts, consult a security expert, BUT
ALSO learn to hide the subtle indicators hackers use to find your site in the first place. Typically site pwnage/blog spam etc. comes directly from a simple mass Google lookup. Sometimes simplicity beats over-thinking security.
Finally, if you've been with your host for a few years and you're about to start a new site, ask them if they've obtained a new IP block recently, and see if you can get 1 or 2 of the new stock for your newest sites.
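The footprint advice above is only useful if you can verify your changes actually removed the indicators. The script below is an added example, not code from the original post: it checks a page's HTML for the fingerprints the post names ("powered by WordPress", the "Entries (RSS)" / "Comments (RSS)" links, /wp-admin/) plus two closely related defaults that scanners also match on (the generator meta tag and the /wp-content/ and /wp-includes/ paths). The footprint catalogue, the suggested fixes and both sample pages are constructed for this example and are not taken from any real site.

```python
"""Footprint check for a WordPress-style page (added example).

Given a page's HTML, report which of the indicators a mass search or
subnet scan looks for are still present, so you can confirm that a
rename/cleanup actually worked.  Runs offline against the constructed
samples below; point it at your own fetched HTML to use it for real.
"""
import re

# Footprint catalogue (an assumption for this example): the post's own
# examples plus the default WordPress paths and the generator meta tag.
# Each entry: (name, compiled pattern, what to change if it is found).
FOOTPRINTS = [
    ("powered-by-text",
     re.compile(r"powered\s+by\s+wordpress", re.I),
     "remove the 'Powered by WordPress' credit from the theme footer"),
    ("rss-link-text",
     re.compile(r"(Entries|Comments)\s*\(RSS\)", re.I),
     "rename or drop the default 'Entries (RSS)' / 'Comments (RSS)' links"),
    ("generator-meta",
     re.compile(r"<meta\b[^>]*\bname=[\"']generator[\"'][^>]*wordpress", re.I),
     "stop emitting the <meta name=\"generator\"> tag"),
    ("wp-admin-path",
     re.compile(r"/wp-admin/|/wp-login\.php", re.I),
     "serve the admin area under a non-default path"),
    ("wp-default-dirs",
     re.compile(r"/wp-(content|includes)/", re.I),
     "move wp-content (and theme/plugin dirs) under a non-default name"),
]


def find_footprints(html: str) -> list[str]:
    """Return the names of every footprint present in the page, in catalogue order."""
    return [name for name, pattern, _ in FOOTPRINTS if pattern.search(html)]


def footprint_report(html: str) -> list[str]:
    """One human-readable line per exposed footprint, with the suggested change."""
    found = set(find_footprints(html))
    return [f"{name}: {fix}" for name, _, fix in FOOTPRINTS if name in found]


# Constructed sample pages (not captured from any real site).
STOCK_PAGE = """<html><head>
<meta name="generator" content="WordPress 5.0" />
<link rel="stylesheet" href="/wp-content/themes/twentynineteen/style.css" />
</head><body>
<a href="/wp-admin/">Site Admin</a>
<a href="/feed/">Entries (RSS)</a> and <a href="/comments/feed/">Comments (RSS)</a>.
<p>Proudly powered by WordPress</p>
</body></html>"""

HARDENED_PAGE = """<html><head>
<link rel="stylesheet" href="/assets/site/style.css" />
</head><body>
<a href="/feed/">Subscribe</a>
<p>&copy; Example Blog</p>
</body></html>"""


if __name__ == "__main__":
    # The stock page exposes every footprint; the hardened one exposes none.
    for label, page in (("stock", STOCK_PAGE), ("hardened", HARDENED_PAGE)):
        print(f"[{label}] {len(find_footprints(page))} footprint(s)")
        for line in footprint_report(page):
            print("  -", line)
```

Run it against the HTML of your own front page (and, separately, your feed and login URLs) after each rename; an empty report for the stock patterns is the point, and any new theme or plugin you install should be re-checked, since many re-introduce the credit line or default paths.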
