WordPress security overview

This explanation covers several security-related topics for the WordPress charm.

Secrets

Secrets required to operate the WordPress application are generated by the WordPress charm using the secrets module from the Python standard library, which is designed for generating cryptographically strong random values. The following fields in the WordPress configuration are generated by the charm:

  • auth_key
  • secure_auth_key
  • logged_in_key
  • nonce_key
  • auth_salt
  • secure_auth_salt
  • logged_in_salt
  • nonce_salt
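
An added example (not the charm's own code) that generates the eight fields above with Python's secrets module and audits a set of values for missing, placeholder, short or reused entries. The 48-byte token size, the 64-character minimum and the function names are assumptions made for this example.

```python
import secrets

# The eight fields listed above. How the charm itself generates them is not
# shown on the page; the sizes below are assumptions for this example.
WP_SECRET_FIELDS = (
    "auth_key", "secure_auth_key", "logged_in_key", "nonce_key",
    "auth_salt", "secure_auth_salt", "logged_in_salt", "nonce_salt",
)
MIN_LENGTH = 64  # assumption: minimum accepted length, in characters
# Placeholder value shipped in WordPress's wp-config-sample.php.
DEFAULT_PLACEHOLDER = "put your unique phrase here"


def generate_wp_secrets(nbytes=48):
    """Return an independent random value for every field (OS CSPRNG)."""
    # 48 random bytes encode to exactly 64 URL-safe base64 characters.
    return {name: secrets.token_urlsafe(nbytes) for name in WP_SECRET_FIELDS}


def audit_wp_secrets(values):
    """Return a list of problems found in a field -> value mapping."""
    problems = []
    for name in WP_SECRET_FIELDS:
        value = values.get(name)
        if not value:
            problems.append(f"{name}: missing")
        elif value == DEFAULT_PLACEHOLDER:
            problems.append(f"{name}: default placeholder")
        elif len(value) < MIN_LENGTH:
            problems.append(f"{name}: shorter than {MIN_LENGTH} characters")
    # Every key and salt should be unique; reuse weakens their separation.
    present = [values[n] for n in WP_SECRET_FIELDS if values.get(n)]
    if len(set(present)) != len(present):
        problems.append("same value reused across fields")
    return problems


if __name__ == "__main__":
    fresh = generate_wp_secrets()
    print("fresh set:", audit_wp_secrets(fresh) or "ok")

    # Constructed sample of a badly configured site: placeholder left in
    # place for every field except one, which is absent.
    weak = {name: DEFAULT_PLACEHOLDER for name in WP_SECRET_FIELDS}
    del weak["nonce_salt"]
    for problem in audit_wp_secrets(weak):
        print("weak set:", problem)
```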

Updates

For security and synchronization between Juju charm units, the WordPress charm does not allow automatic updates of the WordPress application itself.

Spam protection

The WordPress charm has built-in spam protection that can be activated by providing the wp_plugin_akismet_key configuration option. For more information about Akismet spam protection, see https://akismet.com/.

Risks

Application CVEs

WordPress can be affected by newly disclosed CVEs and may require updates to patch them. In case of exposure to a CVE, it is recommended that you update your WordPress charm and rotate the secrets. See the rotate-secrets action in the how-to guide.

Plugins installation

Plugins that have been installed by users via the Web UI are periodically deleted by the charm during Juju hook events. There may be a risk of undesired plugins remaining installed until the next event.

Information security

By default, the WordPress charm configures the WordPress application to use local container storage for object data, including images and media files. This means that any loss of data from the underlying file system will result in a loss of data from the WordPress application. To protect against this risk, you can configure the WordPress charm to store objects on an external storage system by setting wp_plugin_openstack-objectstorage_config. This configuration makes the WordPress charm use the OpenStack Object Storage service as a backend for storing object data.