WordPress Security

  • R

    (@rreisdasilvagmailcom)


    5 years, 4 months ago

    Hi Guys,

    I have been working on WordPress for a few years now and designed several websites they are not perfect but I try to have some care on security and performance, balancing iser needs and the type of website. A couple of weeks ago a system administrator where my last website was going to refuses to have the website in his server or even having it in another server and just using a subdomain to access it because it says it fails a set of tests he defined as being the standard for any website in his system (actually anywhere). This is a one page website with not even a contact form, so no user data is being asked.

    This level of requirements is a first to me.

    I tried to argue that what he was asking was not reasonable for a WordPress website (or any CMS, or anything really…) but he insists. The actual client needs his aproval to accept the website. I wanted to know if it is me who is going crazy or is this absurd.

    Part of the requirements are:

    * NO HTML errors/no warnings as measured using this: https://validator.w3.org/
    * NO CSS errors/warnings as measured using this https://jigsaw.w3.org/css-validator/
    * NO JavaScript inline
    * No CSS inline
    * Zero high/medium/low risk as measured using https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

    The list continues but for now the first 4 fail aready and this is the issue. From my point of view this is not feasible and not possible to ensure it will continue like that on the medium/long term as the website stays online.

    Can I have your comments on this? any suggestions or help you can give me?

Viewing 2 replies - 1 through 2 (of 2 total)

  • The validators are not up to date, so that one is difficult.
    No inline javascript is easy. Don’t use analytics or services from other sites (like a signup form from an autoresponder). The JS that plugins and themes use is not inline usually.
    No inline CSS is easy. Don’t put any special CSS into your content. If you need something styled, use a class. Use a theme that uses html5 for gallery. Don’t use plugins or themes that put an image as a background image (using inline style).

    I’d say that these restrictions don’t really have much to do with security, but I can see that limiting what is in the page limits attack vectors. It’s probably not worth your time to try to meet the requirements.

    Thread Starter R

    (@rreisdasilvagmailcom)

    Yeah, that’s what I mean, in theory is easy. I create classes and put all css in a file, but then a regular user comes along and chooses to have some text in bold or some color and WordPress will create inline css.

    HTML errors, things like

    /wp-includes/css/dist/block-library/style.min.css?ver=5.2.2
    1 .wp-block-calendar table th Erro de valor : font-weight 440 n?o é um valor font-weight : 440

    also easy to solve, but also don’t think is reasonable going over all of them to clean all the code of all core/themes/plugins.

    And I agree that the requirements are what an ideal code/website should look like but they don’t seem to be something that can be kept given the constant updates and normal usage of a website.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘WordPress Security’ is closed to new replies.