Adam Spiers asked:
I'd also be very interested to know about any weaknesses in either of
these - please share!

There was an 'if you don't know what you're doing' at the start of the
warning but they're overly paranoid and change far too much.
They're particularly problematic if you set WP sites up for other people
- almost the first thing BWPS does is exclude user #1 from being able to
do anything. On sites with multiple users, they give a false sense of
security: WP has had a user privilege escalation exploit at least once a
year from the start and they are unlikely to protect against that.
Equally, if you're hosting somewhere you don't have exclusive control,
they don't even slow down someone else being able to own you.
But even for single-user sites, apart from making life harder and
consuming resources unnecessarily, what do they do that a combination of
login security, intrusion detection and a backup strategy on the server
doesn't do?
What happens in practice is that people get scared by the blurb into
installing one - or worse, both! - then they tick all the 'oooh, you
must protect against this' boxes, find themselves locked out, and only
afterwards wonder why the bill to fix it all is so large.
Ian