I'm considering concrete5 as my main offering for customers but I need to know about security issues

Are there or have there been any ongoing security issues or hack vulnerability issues with concrete5?

I truly need an honest assessment from the developers and creators and users of concrete5 before moving forward.

Thanks.
HN

frz replied:
nope.

When issues are brought to our attention (and it does happen from time to time) they are always quickly resolved in the beta version. If there's something overwhelmingly egregious (there hasn't been since the first month or so) then we'll do a sub-release patch.

Lots of folks use concrete5 for secure stuff like extranets including colleges and the National Guard. Yer in good company.

best
elyon replied:
The only security breach I've known of in recent history was discovered to have been due to an old install of Wordpress or another platform, which provided the hacker enough privileges to compromise Concrete. In my experience Concrete has always been rock solid, and the core team has been very fast to respond if there are any real issues.

I think it's one of the greatest strengths of Concrete being open source, but still managed and directed. As they say, what's everyone's responsibility is no one's responsibility, so leadership on shaping and improving the core of Concrete has really led to a great product that's smart and that works, rather than community projects that don't go anywhere, or fork into a million directions.
katz515 replied:
In the past six months, several concrete5 sites were hacked, not because of a concrete5 security vulnerability but because of other factors, as elyon explained.

One recent example was at a hosting company which I also use.

They stored the FTP password in the database as plain text (NOT ENCRYPTED at all).

So the cracker found an ID and password to log in to the hosting company's customer database, and stole the FTP passwords of its customers.

Because they had the ID and password, they could log in to the FTP space of the web space NO PROBLEM.

Eventually, they went into the concrete5 site and hacked it.

There were no tricks. They just replaced the index.php file to redirect to a hacker's site.

They did it using regular FTP software. They didn't develop special software to hack the site because they already had the FTP passwords.

It was not because concrete5 was not secure.

It's like your car mechanic giving your car key to a thief.

No matter how good a security system your car has, if your trusted car mechanic gives a key to a thief, the thief can steal your car...

So that was the very recent security compromise that a concrete5 user faced.

Of course, we are not perfect beings; in the future, concrete5 may have a security issue....

But as far as I remember, concrete5 hasn't had many security holes.

And I have never heard that concrete5 was hacked because of concrete5 security itself.

It was always that the hacker got into the web server because of somebody else's screw-up.

So I will say that you will have to pay attention to the following:

- Make sure your computer doesn't get a virus
- Don't use the same password for all of your accounts
- Make sure to change your FTP password regularly
- Don't use a very simple "1234"-like password
- Try to use SFTP or FTPS (any encrypted data transfer)
- Don't tell your password to anybody as much as possible



I recently disabled FTP service on my server.

Now I'm only using SFTP to upload the data onto my server.

Again, if you didn't protect your password, no matter how secure concrete5 is, your concrete5 site will get breached.
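A small defensive check, added here and not part of the thread or of concrete5 itself, that catches the tampering katz515 describes (index.php overwritten through FTP with a redirect): hash every file in the web root from a known-good deployment, then compare later. All paths and file contents in the demo are constructed stand-ins, and http://example.invalid/ is a placeholder.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256 hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                manifest[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return (modified, added, removed) relative paths, each sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def write(root, rel, text):
    """Helper for the demo: create rel under root with the given content."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: baseline a clean site, then tamper as in the thread."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for a deployed site; not real concrete5 files.
        write(root, "index.php", "<?php require 'concrete/dispatcher.php';\n")
        write(root, "concrete/dispatcher.php", "<?php // stand-in dispatcher\n")
        baseline = hash_tree(root)  # record this from a known-good deployment

        # Someone holding a stolen FTP password overwrites index.php with a
        # redirect and drops an extra file, as in the incident katz515 describes.
        write(root, "index.php", "<?php header('Location: http://example.invalid/');\n")
        write(root, "x.php", "<?php // constructed dropped file\n")
        return diff_manifests(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())  # (['index.php'], ['x.php'], [])
```

Store the baseline manifest off the web server, since anyone with the FTP password could otherwise overwrite it along with the site.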