Jump to content

Security updates logs

Studio TOMIS

Recommended Posts

I'm working on a website for a client using Processwire. The client had some questions concerning security that i'm not able to answer so i hope you guys can help me out. 

In general I was wondering if there are any logs about bug fixes and security updates. Has Processwire ever been hacked? And how will the security be guaranteed in the future? Since the platform is growing I might imagine so will the amount of attacks.

For instance one thing I noticed that the .HTACCES file changed between 2.7 and 2.6 was this because of security leaks or because of other reasons. 

Link to comment
Share on other sites

Hi, Mischa, and welcome.

Good reading on the subject (which you may have already seen) -

Very detailed info on change logs etc - https://github.com/ryancramerdesign/ProcessWire/

Has PW ever been hacked? Not that anyone AFAIK knows about.

Could it be? Front end security is your responsibility  ^_^  see https://processwire.com/api/variables/sanitizer/

What about back end? Well, ImageMagick has been found to have vulnerabilities recently, so there is always the possibility of zero-day vulns affecting PW, but that applies to every use of 3rd party libs.

(Not a complete answer, but I'm sure others will chime in!)

  • Like 5
Link to comment
Share on other sites

Has Processwire ever been hacked? 

Hi Mischa

Just wanted to chime in here in case this is a question coming from your client.

I don't know of any instances of PW being hacked but the reality is probably nothing is un-hackable. It all depends on the ambition and resources of the hacker Vs the robustness of the platform. 

I'm not trying to scare you here but when my client asks me "if PW has ever been hacked" it's good to set expectations. Unless you specifically wish to get into a situation where you're responsible for security, then don't be accountable for that.

if Microsoft, Sony, US Government still get hacked with a security budget of (probably) millions and a security team outnumbering yours, then it tends to illustrate that any online platform has the potential to be hacked. 

A thorough and regular backup agreement is your best asset here so at least if you do get hacked, you have some type of salvageable website until you identify the source of the hack.

Hacks can come in the form of hosting vulnerabilities, poor password storage practices, hacks via 3rd party modules or scripts, database exploits etc etc If any of these were targeted and your site was down, to your client it would all amount to the same thing "PW has been hacked". The reality is, a hacked PW site might be completely unrelated to PW and security.

Just for the record, I believe PW has an extremely positive security record

More importantly, I imagine if anything was found, there would be a very fast response from Ryan and Co.

  • Like 6
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Create New...