Encouraging steps towards security in Wordpress 2.5

Table Salt

Anyone who gets me liquored up knows that I’m not a fan of Wordpress. I think it’s great from a user (that is, the person writing the content) standpoint, but it has lagged behind severely in terms of security, and I don’t believe its popularity is the sole reason WP has been the subject of dozens of vulnerability reports every year. That being said, the WP 2.5 release appears to offer significant improvements in a couple areas: password hashes and cookie data encryption. From the WP blog:

Salted passwords — we now use the phpass library to stretch and salt all passwords stored in the database, which makes brute-forcing them impractical. If you use something like mod_auth_mysql we’ve created a plugin that will allow you to use legacy MD5 hashing. (The hashing is completely pluggable.) Users will automatically switch to the more secure passwords next time they log in.

Secure cookies — cookies are now encrypted based on the protocol described in this PDF paper. which is something like user name|expiration time|HMAC( user name|expiration time, k) where k = HMAC(user name|expiration time, sk) and where sk is a secret key, which you can define in your config.

These are good steps, and while I think they took way too long to happen, I’m glad they finally did. I do still feel that WP suffers from an architecture that makes it too easy to make input filtering mistakes, and I would strongly recommend a tool like WPIDS for all self-hosting Wordpress users.

  • Vidyut Luther
    04/02/2008 07:52:41 PM

    Heh, they said phpASS.. hehehhuhuhuh..

  • Matt
    07/14/2008 12:49:29 AM

    Going to check WPIDS. With all of the SQL injection/ hacking going on, it’s good to know that we can fight back.