I am about as big (read: little) of a fan of PHP as the next guy but how in the hell are these problems inherent to PHP? If I were to run COBOL code from untrusted sources on my server you can forget about security.

Why does WordPress allow people to run untrusted code?

You write:

"If I were to run COBOL code from untrusted sources on my server you can forget about security."

That is why there should be a warning about untrusted code. Are you trying to let WordPress off the hook? Their attitude toward security has been horrible and they should be called out on it. I quote myself:

What can they do? They can automate the test that Siobhan Ambrose does in the above article linked to by this thread. At the very least, WordPress can search a theme for Base64, so that when you try to activate the theme, you get a warning:

"These templates contain Base64, which may be masking malicious code. Do you wish to proceed?"

It doesn't matter if WordPress is written in PHP or COBOL, the team developing the software should make some attempt to address its many security flaws.

Please consider the odd use of the word "disrespectful" in this paragraph:

"It seems fundamentally disrespectful to users who are simply caught in the crossfire of a political power move their neither know or care about. PHP core has never shown any particular regard for its biggest apps, as evidenced by the above bug and others, so I’m not sure why we should go out of our way to promote their upgrade. PHP 6 sounds much more compelling."

http://ma.tt/2007/07/on-php/#comment-422760

That is Matt Mullenweg. Please note that his statement can be turned on its head. I could write:

"It seems fundamentally disrespectful to users to create software for them that has lots of fun features but no security."

The downvoting on Hacker News sometimes seems wholly random. I am curious who would down vote this above comment of mine. I'm looking at each sentence and trying to think what people are disagreeing with.

For instance:

"That is why there should be a warning about untrusted code."

What is the counter-argument, that WordPress should do nothing about the fact that the templates allow the execution of arbitrary code?

"It doesn't matter if WordPress is written in PHP or COBOL, the team developing the software should make some attempt to address its many security flaws."

What is the counter-argument, that WordPress has no responsibility for the security flaws in WordPress?

Very curious.

The downvoting is probably due to your tone, I read your comments and agreed with you but god why do you write like that - why do you keep quoting people with "You write" style opening lines? it sets the tones of your comments off in the most horrible light.

There are two different walls of text here and I'm not going to respond to both but your argument has gone from "PHP sucks" to "Wordpress sucks."

Basically my point is this: every bit of software you run on your web server is a security risk. You shouldn't run themes, or any code, really that come from sources you don't trust unless you audit it completely. I don't think the blame really lies with PHP or Wordpress in this case.

At no point did I say that PHP sucks. At no point did I say that WordPress sucks. I have suggested that the WordPress team is responsible for security risks in WordPress, regardless of what layer the risk may originate from. Again, I would quote the advice that Sam Ruby gave to Matt Mullenweg:

"Yes, you can argue that they brought this upon themselves; but it is worth noting that at this point you are along for the ride. When I’m in similar circumstances, I tend to consider the karma implications of cursing the driver."

That is good, and necessary, advice for any software project.

Different programming environments enforce security to different degrees, with different defaults. I'll here post some of the many criticisms that have been aimed at PHP over the years:

Andrew van der Stock writes:

--------------

For some time, I’ve been worried about the direction of PHP. As many of you know, I helped write XMB Forum and now help write UltimaBB. XMB in particular is an old code base, and UltimaBB, a descendant from XMB. I’ve done a lot to protect that code base from attack, and luckily, we’ve been missed despite some doozy and silly security issues. After writing PHP forum software for three years now, I’ve come to the conclusion that it is basically impossible for normal programmers to write secure PHP code. It takes far too much effort.

PHP needs a proper security architecture, and support for newbie programmers. PHP’s raison d’etre is that it is simple to pick up and make it do something useful. There needs to be a major push by the PHP Development team to take this advantage, and make it safe for the likely level of programmers – newbies. Newbies have zero chance of writing secure software unless their language is safe.

Think about Logo for a minute. Logo can do some interesting things, but it is not a commercially useful language because it cannot do much. But it is an excellent teaching language. PHP is like Logo – it’s a simple and easy way to get into serious web development. It is possible to write large applications in PHP, so it is useful at that level. But it is inherently unsafe as it can do far, far more than Logo.

There are so many ways to break PHP that it is impossible for even experienced security professionals like me to code in it securely all the time. There are nearly 4000 function calls, and many of them have unintended consequences or have been inappropriately extended by something else.

http://www.greebo.net/2006/01/04/php-insecurity-failure-of-l...

---------------

Tim Bray put together a collection of links regarding criticism of PHP:

http://www.tbray.org/ongoing/When/200x/2006/02/17/PHP

On that page, there is this from Dominic Mitchell:

"I’m in 100% agreement with you about the whole PHP thing. Every time I’ve looked at PHP, I’ve been unable to find out how they use placeholders in code that talks to the database. Yes, every database adaptor provides a quote function, but nobody uses it (consistently). And people wonder why PHP code is always full of security holes. It’s a real shame, as I can see that there’s a lot to like in PHP. But it really needs to clean its act up to appeal to people coming from other programming languages, instead of just people coming from dreamweaver. I actually heard David Heinemeier Hansson (sp?) talking about rails the other day. One of the key points he made is that it should be easy to do the right thing. That’s why Rails hits a sweet spot for me. But when you look at PHP, yes, it’s easy to code, but it’s not easy to do the right thing. That’s where it falls down."

The point that Hansson makes about Ruby is worth thinking about in the context of PHP security. Does PHP make it easy to write secure code? Does it help programmers do the right thing? The defaults in PHP, and the underlying assumptions of PHP, all tend in what direction?

Of those links, Jonas Maurus's post is also well worth reading:

http://maurus.net/resources/programming-languages/php/

Aristotle Pagaltzis sums up the underlying problem:

"All of these flaws are interconnected; the morass is simply the result of the language being a templating system that grew too big for its breeches. I don’t believe the problems can be corrected in any sensible fashion; PHP will always be a templating system, however much it may be straining against its clothes. And let me tell you, it’s still a great templating system! If all you need is to write a web app that consists of two pages, running four queries over a five-table database, there is nothing that will get you up and running faster."

http://plasmasturm.org/log/393/

And none of these posts you're referencing are at all relevant to the issue at hand (unless you're taking the position that PHP is Pure Evil as a language, which is an entirely separate issue)! ;-)

The question at hand isn't whether it's easy or hard for someone to write secure code in PHP (my opinion: it's not easy, but it's certainly possible). The issue brought up in the article is that a lot of the top search results for "Free Wordpress Templates" lead you to templates containing obfuscated code, some of it malicious. That isn't a language issue: as many people have pointed out to you, it's a consequence of running untrusted code.

Now, you can certainly debate whether or not this is a Wordpress issue. On the one hand, the Wordpress team could choose to write their own custom templating language that doesn't include the ability to do things like eval base64 strings. But if they did go down that path, they would also be severely restricting what theme developers are capable of doing (and that wouldn't solve any issues with JavaScript or any number of other subtle issues that malicious authors could introduce).

My personal take is that this is a case befitting the quote "with great power comes great responsibility." That is, the people running Wordpress blogs need to be aware of the risks when they install plugins or themes. The Wordpress team has built tools into Wordpress that encourage people to download and update plugins and themes from Wordpress.org, which is seemingly more legitimate than these random sites (I'm not sure if there's a formal evaluation process for plugins/themes submitted there). Beyond that though, I don't think it's the fault of the Wordpress developers if people choose, whether out of ignorance or carelessness, to download and install random themes from the Internet. I mean, I don't blame Microsoft if I go searching for "free [software name]" and end up downloading a virus. ;-)

"with great power comes great responsibility" is an idea that applies to the WordPress development team too. "Great power" is not how I would describe some random blogger who wants to start a blog about their dog. "Great Power" might be more applicable to Automattic. Certainly, if they want to leverage WordPress commercially, they have large responsibilities.

And they do so, in the form of Wordpress.com. If what you want is a blog about your dog, you can have it for free with Wordpress software that you never have to manage the code for or pay for. I have a number of friends who use it and they couldn't be happier. In fact, there are plenty of other SaaS vendors out there who are equally happy to provide you with a place to write about your dog.

On the other hand, if you're running your own web application, you're responsible for it, just the same way you're responsible for your computer. As I said, I don't blame Microsoft if I download random software and that software does malicious things. Similarly, I don't blame Wordpress or Automattic if I download a random theme and it contains malicious code.

I can not follow what logic keeps you from blaming Microsoft for the security lapses in the Microsoft operating system. Of course they have cleaned up their act in recent years, but they had a solid 25 year run (both DOS and Windows) where they were absolutely notorious for poor security. They faced sharp criticism for the many flaws in their OS, and for the low priority that they gave to implementing something better. Do you want me to google some of the many articles on this theme? Here is one from a few thousand results that I could pick from:

http://sec-soapbox.blogspot.com/2007/03/why-is-windows-insec...

My criticism of the WordPress team follows the same logic as the criticism of Microsoft. Since Microsoft came up with an OS that had a lot of security flaws, it was reasonable for people to criticize Microsoft for those flaws. And since the WordPress team is producing software that also has flaws, it is reasonable to criticize the WordPress team for the flaws in the software they produce.

Ah, come on.

The only concrete charge you bring forth here is to the practise of using string concatenation for sql parameters. Since v. 5.1 (Which is something like 5 years old .. in Internetyears, that's one century), PDO has been the default db-access layer, and it supports bound parameters.

Oh, and I've seen plenty of unescaped string concatenation in Rails apps too. It's a developer issue - not a language issue.

Those problems are not inherent to PHP (directly), but to WP not using any sort of (intentionally capability-limited) templating system. A design flaw - because probably WP devs never considered templates would be provided by untrusted sources.

The (painful) solution is to throw away current templating approach, and use some template engine instead. A bit less painful solution would be a compiler from some restricted language to current PHP-based templates, and declaring current approach deprecated, warning users of problems and highly discouraging them from using any untrusted PHP code.

I don't think you can blame the templating system when the plugin system is vulnerable to precisely the same issues, namely arbitrary code execution—except, of course, that the attack profile is so much broader for plugins since people will only have one template running (or two if they're using a child theme), but typically, many plugins.

These problems are not inherent to PHP. As other people have pointed out, this is what happens when you run arbitrary code on your server. Even if you took away the base64 encoding and eval calls, people could still embed spammy links into the page.

That is exactly why WordPress needs to get serious about security. It's current attitude has been extremely slack. Their focus has been on releasing features that allow for a more pleasant user experience, rather than releasing features that enhance security. Above I compare the attitude of Microsoft to the attitude of Automattic. Justifiable criticism was aimed at Microsoft for promoting fun new user abilities, rather than security, in both DOS and Windows, for a long time. The same kind of criticism can be aimed at Automattic.

What can they do? At the very least, they can automate the test that Siobhan Ambrose does in the above article linked to by this thread.

Automate what test? Searching for calls to base64_encode? Five minutes after they do that, people will write their own base64-encoding functions. Security by blacklist is not security at all.

My friend, your comment is remarkably besides the point. If we can agree that the WordPress team needs to focus on security, then we are basically in agreement. The details of how to do this can hopefully worked out by the WordPress team. They have certainly been given good advice over the years, much of which they have tended to ignore. Perhaps they will begin to listen. Given the scale of WordPress's success, we must hope they reform their ways.

Ideally, at some point soon they will recognize some of the dangers that arise from using such an easy-to-set-up language as PHP, and they will recognize that they appeal to a largely non-technical audience, and they will start taking some responsibility for their choices, and their success.

> My friend, your comment is remarkably besides the point.

In what way? You don't seem to understand how useless black-list codescanning is, a competent malicious programmer will find ways around those in minutes.

> Ideally, at some point soon they will recognize some of the dangers that arise from using such an easy-to-set-up language as PHP

Dangers such as?

You write:

"Dangers such as?"

I find it hard to believe that you do not know the dangers. Please google "php sucks" or "php security" and you will discover thousands of articles that address what I referenced above when I wrote "the dangers that arise from using such an easy-to-set-up language as PHP".

I also just posted a long comment up above in this thread, where I post quotes from several articles that have described the insecurity and disorganization that PHP makes so easy to achieve. You can view it here:

http://news.ycombinator.com/item?id=2131602

Or, here is another:

------------

But PHP has more than a few security bugs: in many ways PHP is fundamentally flawed. The program, whose initials originally stood for Personal Home Page, was designed without much thought given to security. Many of the PHP features that make it really easy to write a Web application also make it really difficult to write one that's secure.

All of this matters just now because Stefan Esser, the founder of the Hardened-PHP Project and the PHP Security Response Team (which he recently quit), has threatened to make March the "month of PHP bugs." By that, Esser means that he is going to be releasing a series of security bugs in March that show the world just how unsecure PHP actually is.

What's driving Esser is both a desire to make PHP more secure and a good touch of anger and resentment at the current PHP developers who have taken many of his security patches and incorporated them into the program without giving Esser any credit. You can read more about his motivations in his blog entry and in the interview that he did with Security Focus.

How will this affect users of the Web? Well, a recent "Month of Bugs" project aimed at Apple identified a number of security problems that the company was apparently unaware of, but it didn't result in any serious worms or threats to Apple users. This month of PHP bugs might be a similar bust. On the other hand, Apple was able to push out a fix to these problems using the Mac OS Software Update feature. PHP has no such feature, and many ISPs run kind of elderly (and buggy) versions of the program.

http://www.technologyreview.com/blog/garfinkel/17538/

I'm a big fan of Stefan Esser, but this has no relevance to the discussion at hand. You're just regurgitating a lot of anti-PHP rhetoric.

The issue - obfuscated code in third-party templates - is hardly inherent in PHP. The same technique can be used in any other popular web language.

For example: http://api.rubyonrails.org/classes/ActiveSupport/Base64.html

Rails looks for files in specific locations to execute code, not arbitrary encoded strings.

Yes, it's possible to do, but much harder than eval'ing a string in the resource file.

> Rails looks for files in specific locations to execute code, not arbitrary encoded strings.

The examples from this article are all essentially malicious third-party code. No language will save you from that.

That is why WordPress should save you from that. The WordPress team has had an awful attitude about security. They encourage a culture of free templates shared widely, without much regard for warning users of the dangers. Most users of WordPress are non-technical, the WordPress team knows this and shows no particular concern about it. WordPress needs to get serious about offering some security checks.

Start checking templates and plugins for `base64_decode` and they'll just start using a new technique to hide these things. The solution is one they've already implemented - a trusted source for templates and plugins on WordPress.org, and the WordPress.com site for folks who really shouldn't be administrating a LAMP environment anyways.

There are several solutions that can be tried, and most of them have been mentioned in this thread already. There is whitelisting, various automated checks, trusted sources, encryption, warnings, attempts at education, etc.

None of these suggestions are worth a damn until the WordPress team acknowledges that WordPress security is a major problem, one that should be a top priority for them.

Security is a major issue and it is a top priority for us.

The examples from this article also obfuscate the malicious third-party code and execute it. Yes, the WordPress team should do more to prevent this sort of nonsense.

Wordpress grew out of b2, which was written in PHP. At the time LAMP was pretty much all there was. For the time their decisions were reasonable.

Woah there, Captain "Death to PHP". I dislike PHP as much as the next guy, but the end of your comment here is a bit out there. Absolutely none of those projects, even the ones written in Perl, were as easy to set up as WordPress was (and still is).

ASP, Zope... Java? Part of why WordPress exists is so people don't have to concern themselves with high level frameworks/setups.

You can blame all of WordPress's issues on the language it's written in, but that's a bit of a red herring. WordPress is the largest blog engine in terms of overall deployment; MoveableType (and others) have had their own share of security vulnerabilities, but WordPress sees it more due to their massive install base. Most other blog frameworks and engines tend to benefit from "security through obscurity".

While PHP is a flawed language, yes, it's certainly not the core issue here. Anything done in this article could be pulled off in another blog engine with relative ease, especially considering this is people who don't really program and are installing/running arbitrary code.

You write:

"Woah there, Captain 'Death to PHP'."

I can not imagine what would cause you to write this. I use PHP in almost all of my work. All of my major websites are written in PHP. However, I do try to take security seriously. The small regard that the WordPress team has shown for security is unacceptable.

To point out that the WordPress team had language options in no way implies that I disagree with the language they chose, it simply shows that their choice was a conscious choice over which they must take responsibility. I was responding to a comment that implied that the WordPress team had no power to make a choice other than what they made.

I am curious, too, that you would criticize what I wrote, yet you offer no criticism of "At the time LAMP was pretty much all there was." The sentence I was responding to was flatly, factually wrong.

You write:

"Absolutely none of those projects, even the ones written in Perl, were as easy to set up as WordPress was (and still is)."

That is one of the problems that arises naturally from the use of PHP - it is easy to set up. As such, you end up with a lot of non-technical people using it. And that is one of the biggest reasons why special attention should be paid to security -- the fact that WordPress is the kind of software that appeals to a crowd that is largely non-technical.

It is curious that someone would downvote this. Up above jacques_chester wrote:

"At the time LAMP was pretty much all there was. For the time their decisions were reasonable."

At no point did I suggest that their choice was unreasonable. However, I have suggested that they made a choice, that is, a conscious decision, and one where they had several options. Like any human being who makes an uncoerced decision, they have a responsibility for the decision they have made. In creating the WordPress software, the WordPress team must take responsibility for for any flaw in WordPress, regardless of what layer that flaw arises from. Again, I would quote the very good advice that Sam Ruby gave to Matt Mullenweg:

"Yes, you can argue that they brought this upon themselves; but it is worth noting that at this point you are along for the ride. When I’m in similar circumstances, I tend to consider the karma implications of cursing the driver."

The statement that ""At the time LAMP was pretty much all there was" is simply wrong -- flatly and factually incorrect. There were options. But the WordPress team built WordPress using PHP. I see nothing wrong with that decision, but having made it, the WordPress team must accept all the consequences of that decision.

The underlying issue is the poor security in WordPress. The team in charge of WordPress has not shown a great concern for security. We must criticize them for giving security such a low priority. They need to change their attitude.

> The statement that ""At the time LAMP was pretty much all there was" is simply wrong -- flatly and factually incorrect.

I could have qualified it better, certainly. "At the time LAMP was the dominant platform and almost every shared host offered LAMP and only LAMP, a condition which has only in the past 3 years begun to change".

> The underlying issue is the poor security in WordPress. The team in charge of WordPress has not shown a great concern for security. We must criticize them for giving security such a low priority. They need to change their attitude.

And I do. Some of the bugs that get closed are astonishing. Wordpress is developed without automatic tests, security fixes are never backported (you always have to upgrade -- getting new features that might have new bugs -- to get the fix), the focus of effort is almost exclusively on new features and not on closing issues in the tracker (though this seems to be improving).

I think the availability of PHP in shared hosting plans was the main factor. Perl was almost as ubiquitous, although a lot of Windows based shared hosting plans didn't support it. Any host that had MySQL had PHP.

You are being downvoted because you are blaming PHP for problems created by Wordpress. This has absolutely nothing to do with PHP and everything to do with running untrusted code, which many other people have pointed out.

> No, you misread me.

If one person "misreads" you, it's their problem. If everyone "misreads" you, it's your problem.