Bad Security Practices in WordPress

  • Hello, I don't understand why WordPress, knowing that it is a BAD SECURITY PRACTICE:

    1. Sends the username and the password by email, and in the same email too!!!
    2. Does not require a password reset on first use
    3. Does not use SSL (https) for the authentication pages

    I am a computer security specialist and these bad practices are too well known and too old to be showing up in WordPress.
    They are an open door to identity theft.

    Why?

    1. PASSWORDS ARE NOT SENT BY EMAIL. Emails, while in transit, get stored in many places and can be accessed by the people we least expect (administrators, auditors, backup operators, spies, official or otherwise…)
    2. IF THERE IS NO OTHER METHOD, IT MUST BE RESET IMMEDIATELY (and not sent by email again, of course)
    3. HTTPS (which is what appears in the browser when SSL is used) establishes a secure session over which passwords and/or banking data can travel (http://es.wikipedia.org/wiki/Hypertext_Transfer_Protocol_Secure)
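Added example, not part of this thread: the three points above applied to a self-hosted (WordPress.org) install, where a PHP file dropped into wp-content/mu-plugins/ is loaded on every request. WordPress.com users cannot install plugins, and core itself has since changed (the new-user email has carried a set-your-password link instead of a password since WordPress 4.3), so this is the general pattern rather than anything the thread's participants wrote. The meta key `example_must_change_password` and the file name are assumptions; the hooks and functions used (`wp_new_user_notification_email`, `get_password_reset_key`, `user_register`, `after_password_reset`, `wp_login`, `FORCE_SSL_ADMIN`) are core WordPress APIs.

```php
<?php
/**
 * Example mu-plugin (not from the thread): wp-content/mu-plugins/first-login-reset.php
 *
 * 1. Never mail a password: the new-user email carries only a one-time
 *    password-reset link (core has done this itself since WordPress 4.3).
 * 2. Force a password change on first login, tracked via user meta.
 * 3. Require HTTPS for login and admin pages. That is a wp-config.php
 *    constant, not something to set from a plugin at runtime:
 *        define( 'FORCE_SSL_ADMIN', true );
 */

// 1. Rewrite the new-user notification so it contains a reset link and no
//    credentials, whatever else the site's configuration does.
add_filter( 'wp_new_user_notification_email', function ( $email, $user, $blogname ) {
    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return $email; // no key could be minted; fall back to core's (password-free) message
    }
    $reset_url = network_site_url(
        'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );
    $email['subject'] = sprintf( '[%s] Set your password', $blogname );
    $email['message'] = "Username: {$user->user_login}\n\n"
        . "To choose your password, visit the following address:\n"
        . $reset_url . "\n";
    return $email;
}, 10, 3 );

// 2. Flag every newly created user so the first login forces a password change.
add_action( 'user_register', function ( $user_id ) {
    update_user_meta( $user_id, 'example_must_change_password', 1 ); // assumed meta key
} );

// Clear the flag once the user has actually set a password of their own
// through the reset form (wp-login.php?action=rp), which needs no login.
add_action( 'after_password_reset', function ( $user ) {
    delete_user_meta( $user->ID, 'example_must_change_password' );
} );

// On login, a user still carrying the flag is not let into the site: the
// fresh session is torn down and the user is sent to the lost-password form.
add_action( 'wp_login', function ( $user_login, $user ) {
    if ( get_user_meta( $user->ID, 'example_must_change_password', true ) ) {
        wp_logout();
        wp_safe_redirect( wp_lostpassword_url() );
        exit;
    }
}, 10, 2 );
```

With `FORCE_SSL_ADMIN` set, wp-login.php and everything under wp-admin are served only over HTTPS, so the reset link above and the login form itself never travel in the clear; the mu-plugin handles the two points that a TLS setting alone cannot.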

  • I have no idea what you are saying. This is an English forum.

  • I have some idea of what you’re saying. Some of it is about https, which makes me wonder whether you’ve read this:
    http://en.blog.wordpress.com/2008/09/16/protect-your-blog-with-ssl/
    I also wonder whether your blog is at WordPress.COM. You don’t provide a link to your blog.

  • In English…

    Thanks for the link Andrew, I really just read it now, but anyway SSL MUST BE THE DEFAULT option, at least on the authentication pages.
    The other very bad practice is sending passwords by email. This is an awful practice and is highly discouraged by security specialists.
    I'll just show you 2 Google queries: password best practices
    (‘http://www.google.com/search?num=50&hl=es&newwindow=1&q=password+best+practices&lr=’) and
    Never send the password by email (‘http://www.google.com/search?num=50&hl=es&newwindow=1&q=never+send+the+password+by+email&btnG=Buscar&lr=’ )

    I’m new to WordPress, so I don’t have a serious blog yet; if you want some personal reference you could browse ‘http://www.brainbench.com/transcript.jsp?pid=5798742’

    Vivian, is there some rule about language restrictions in this forum? Please show me where; if not, try Babylon and be happy. By the way, your blog is great.

  • jm15502 – you said you were new here. In that case, perhaps you are unaware that there are separate forums for separate languages. This is the English forum (note the two-letter en at the beginning of the forum name).

    And as Andrew pointed out, we don’t even have a clue as to whether you are hosted here. Given the number of queries that we get from wordpress.ORG users (who have their own forum), not providing a link to your blog will generally get your questions/comments ignored.

    As for your security concerns, if you are hosted here, you might want to send it to support via your dashboard or the link at the bottom. Volunteers in the forum can’t help you with that.

  • Your language, BTW, looks like Spanish to me. That forum is located here http://es.forums.wordpress.com/

  • That’s a nice post Vivian, thanks for your guidance.