One of the reasons I’m always so happy to attend conferences and technical events (the real ones – not the flashy, sponsor-driven ones designed just to sell products or services) is because I get to meet amazing people and always come away having learned something new.
I’ve been using WordPress since 2006 and have been managing hundreds of installations from a sysadmin perspective. Over time, I’ve noticed a clear pattern: most hacks and compromises happen through plugins or outdated installations. And often, these installations (and plugins) become outdated because they’ve been patched together so messily that updating them becomes nearly impossible – especially when the PHP version changes.
In March 2025, I attended a fantastic conference: OSDay 2025. I gave a talk on why I believe it makes perfect sense to consider the BSDs i
... mostra di piùOne of the reasons I’m always so happy to attend conferences and technical events (the real ones – not the flashy, sponsor-driven ones designed just to sell products or services) is because I get to meet amazing people and always come away having learned something new.
I’ve been using WordPress since 2006 and have been managing hundreds of installations from a sysadmin perspective. Over time, I’ve noticed a clear pattern: most hacks and compromises happen through plugins or outdated installations. And often, these installations (and plugins) become outdated because they’ve been patched together so messily that updating them becomes nearly impossible – especially when the PHP version changes.
In March 2025, I attended a fantastic conference: OSDay 2025. I gave a talk on why I believe it makes perfect sense to consider the BSDs in 2025, but many of the other talks were truly eye-opening.
To mark the launch of the BSD Cafe Journal, I’d like to share the link to a particularly interesting talk by Maciek Palmowski: “How we closed almost 1k plugins in a month — the biggest WordPress bug bounty hunt.”
What struck me right away was how much his analysis of WordPress security aligned with what I’ve seen over the years: WordPress, out of the box, is reasonably secure. It’s the plugins – often old, unmaintained, or poorly written – that make it vulnerable.
I highly recommend watching his talk. It’s definitely worth your time.
youtube.com/watch?v=Y3HsjvRAof…
The slides, the notes, and the text behind my presentation at OSDay 2025 in Florence, Italy - 'Why Choose to Use the BSDs in 2025.
Stefano Marinelli (IT Notes)
James Seward
in reply to Stefano Marinelli • • •@stefano@bsd.cafe When I took over operating a corporate WordPress install one of the first things I did was IP-limit access to wp-admin/ resources (there’s a few you have to allow-all for, or were back then) as a blanket mitigation for that kind of vulnerability. Not a complete defence, but it felt like a good start.
I’ve done similar for my snac instance - not that I think the code is insecure, but if you can’t reach the admin URL you can’t even try to credential-stuff it :)
`Da Elf
in reply to Stefano Marinelli • • •OMG This.
WordPress is groovy. FULL STOP
As a CMS it work flawlessly. You wanna do something interesting now you're in PluginHell.
I host a lot of WordPress too. I try not to butch because something something, food on my table something ...
I hate plugin authors.
And WP plugin code is an orgy of stupid.
The worst code I read in a day is a WordPress plugin. Guaranteed.
Arcticulate
in reply to Stefano Marinelli • • •While I do maintain Linux servers at work, I don’t maintain their Wordpress instance. I am however *using* it: I am part of a team which sometimes posts internal messages to a corporate-internal Wordpress blog which employees rely on to keep track of certain important events.
I totally agree about the plugins. In fact, we installed a plugin which itself is a plugin maintenance tool, a way to notify ourselves whether plugin X or Y have vulnerabilities, basically.