Textpattern Forum

#1 2012-08-27 21:26:41

lucass
Member
Registered: 2012-07-07
Posts: 21

Security and performance

Hey guys

I’ve been playing with TXP for a while now and I’m loving it so far. I’m thinking of actually using it for a next project but not sure yet, mostly due to security and performance issues – let’s say I’m designing a site for a well-known movie artist. It will get a very large amount of traffic, so my main concerns are security and performance.

Would you still recommend TXP in this case? Or should I go with another CMS?

Cheers

Offline

#2 2012-08-28 04:39:40

joebaich
Member
From: DC Metro Area and elsewhere
Registered: 2006-09-24
Posts: 477
Website

Re: Security and performance

A lot of folks would probably like to stick one on this guy. I don’t think he has had a problem. There are other ‘high profile’ users.

Last edited by joebaich (2012-08-28 04:47:38)

Offline

#3 2012-08-28 07:25:27

philwareham
Core designer
From: Farnham, Surrey, UK
Registered: 2009-06-11
Posts: 1,599
Website

Re: Security and performance

As CMSes go, Textpattern is one of the more secure ones. Also, due to its quite small footprint it doesn’t require a huge amount of server resources in order to run, which means it can handle a fair amount of traffic. So I’d say it’s a good match for what you want to do.

Might want to turn the user logging off though.

Offline

#4 2012-08-28 08:01:03

ruud
Developer emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 4,513
Website

Re: Security and performance

Make sure your server setup uses fast-cgi combined with an opcode cache, which increases speed for any PHP application (not just TXP).

Offline

#5 2012-08-28 11:06:16

Gocom
Developer
Registered: 2006-07-14
Posts: 4,476
Website

Re: Security and performance

Textpattern websites become very heavy on resources easily. Tags have their shortcomings too. Saying that Textpattern has a small footprint is like saying that an empty canvas is empty. Which is true, but.

joebaich wrote:

A lot of folks would probably like to stick one on this guy. I don’t think he has had a problem. There are other ‘high profile’ users.

I do hope they have patched it or something. That Textpattern install seems to be (well, is) rather old. That version they have there is affected by some serious security holes — unless it’s patched.

Last edited by Gocom (2012-08-28 11:09:55)


Rah-plugins | What? I’m a little confused… again :-) <txp:is_god />

Offline

#6 2012-08-28 11:19:17

wet
Developer
From: Lenzing, Austria
Registered: 2005-06-06
Posts: 3,109
Website

Re: Security and performance

Gocom wrote:

Textpattern websites become very heavy on resources easily.

Resident memory sizes of typical blog-style sites on a Debian 6 server for comparison:

  • Textpattern 4.5.0-beta: 16…18 MB
  • WordPress 3.4.1: 36…40 MB

Online

#7 2012-08-28 11:43:07

Gocom
Developer
Registered: 2006-07-14
Posts: 4,476
Website

Re: Security and performance

I would be very surprised if Textpattern used even closely what WP uses. It would be some type of victory, I suppose.

For your typical plain boring blog-style page Textpattern doesn’t do more than fetch a few rows from database, while WP — at which point did it process article contents and markup, oh…

Last edited by Gocom (2012-08-28 11:44:01)


Rah-plugins | What? I’m a little confused… again :-) <txp:is_god />

Offline

#8 2012-08-29 20:58:12

lucass
Member
Registered: 2012-07-07
Posts: 21

Re: Security and performance

Thanks guys!

Offline

#9 2012-08-30 08:01:18

springworks
Member
Registered: 2005-01-06
Posts: 161
Website

Re: Security and performance

Gocom wrote:

I do hope they have patched it or something. That Textpattern install seems to be (well, is) rather old. That version they have there is affected by some serious security holes — unless it’s patched.

ExpressionEngine is running most of that site. There might be an old Textpattern login page showing, but view source shows all the signs of EE everywhere.

Offline

#10 2012-08-30 10:06:51

Gocom
Developer
Registered: 2006-07-14
Posts: 4,476
Website

Re: Security and performance

springworks wrote:

ExpressionEngine is running most of that site. There might be an old Textpattern login page showing, but view source shows all the signs of EE everywhere.

It doesn’t matter what runs the site. Textpattern is installed there, which means those very old security holes are there too which could compromise the server.

The site itself doesn’t need to be active. Old Textpattern versions listen to a few HTTP POST parameters. These parameters can be accessed without authentication and can be used to run any server-side PHP code on the server. Works by simply running:

HTTP/1.1 POST http://example.com/textpattern someParam1=1&someParam2=<txp:php> /* some PHP code here */ </txp:php>

This is a very well known vulnerability first discovered and brought up years ago by Neal Poole. Was fixed in Textpattern v4.4.0. I’ve substituted the real field names to offer some false sense of security. These fields are well known and can be found by looking at Textpattern’s changelog/changes or Neal’s blog for instance.

Last edited by Gocom (2012-08-30 10:30:52)


Rah-plugins | What? I’m a little confused… again :-) <txp:is_god />

Offline
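
The point made in post #10, that a forgotten pre-4.4.0 copy stays reachable even when another CMS serves the site, can be checked with a web-root inventory. The sketch below is an added example, not code from this thread or from the Textpattern project; it assumes each install declares its version as `$thisversion` in `textpattern/index.php`, and the sample tree it builds is constructed.

```python
import os
import re
import tempfile

FIXED_IN = (4, 4, 0)  # fix release named in post #10

# Assumption: the admin entry point textpattern/index.php declares
# $thisversion = '4.x.y'; adjust the pattern if your copies differ.
VERSION_RE = re.compile(r"\$thisversion\s*=\s*['\"]([^'\"]+)['\"]")


def parse_version(text):
    """'4.5.0-beta' -> (4, 5, 0); None when no leading numeric version."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(p or 0) for p in m.groups())


def find_stale_installs(root):
    """Return sorted [(path, version_string, status)] for installs under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) != "textpattern" or "index.php" not in filenames:
            continue
        with open(os.path.join(dirpath, "index.php"), errors="replace") as fh:
            m = VERSION_RE.search(fh.read())
        raw = m.group(1) if m else ""
        ver = parse_version(raw)
        # 'unknown' means no version was found: review by hand, do not pass it.
        status = "unknown" if ver is None else ("outdated" if ver < FIXED_IN else "ok")
        findings.append((dirpath, raw, status))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample: a live site plus a forgotten copy in a subfolder."""
    samples = {"site/textpattern": "4.5.0-beta", "site/old/textpattern": "4.2.0"}
    for rel, ver in samples.items():
        os.makedirs(os.path.join(base, rel))
        with open(os.path.join(base, rel, "index.php"), "w") as fh:
            fh.write("<?php\n$thisversion = '%s';\n" % ver)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, ver, status in find_stale_installs(tmp):
            print(status, ver or "?", os.path.relpath(path, tmp))
```

Anything reported as `outdated` or `unknown` should be upgraded or removed from the document root, whether or not the site links to it.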
