2012-08-27 21:26:41

lucass
Member
beta

Security and performance

Hey guys

I’ve been playing with TXP for a while now and I’m loving it so far. I’m thinking of actually using it for a next project but not sure yet, mostly due to security and performance issues – let’s say I’m designing a site for a well-known movie artist. It will get a very large amount of traffic, so my main concerns are security and performance.

Would you still recommend TXP in this case? Or should I go with another CMS?

Cheers


2012-08-28 04:39:40

joebaich
Member
lambda
Real name: Joe
From: DC Metro Area and elsewhere
Known languages: En, Sc, Fr, De.

Re: Security and performance

A lot of folks would probably like to stick one on this guy. I don’t think he has had a problem. There are other ‘high profile’ users.

Last edited by joebaich (2012-08-28 04:47:38)


2012-08-28 07:25:27

philwareham
Core designer
sigma
Real name: Phil Wareham
From: Farnham, UK

Re: Security and performance

As CMSes go, Textpattern is one of the more secure ones. Also, due to its quite small footprint it doesn’t require a huge amount of server resources in order to run, which means it can handle a fair amount of traffic. So I’d say it’s a good match for what you want to do.

Might want to turn the user logging off though.


2012-08-28 08:01:03

ruud
Developer emeritus
omega
Real name: Ruud van Melick
From: a galaxy far far away
Known languages: li,nl,en,(de)

Re: Security and performance

Make sure your server setup uses fast-cgi combined with an opcode cache, which increases speed for any PHP application (not just TXP).


2012-08-28 11:06:16

Gocom
Developer
omega
Real name: Jukka Svahn

Re: Security and performance

Textpattern websites become very heavy on resources easily. Tags have their shortcomings too. Saying that Textpattern has a small footprint is like saying that an empty canvas is empty. Which is true, but.

joebaich wrote:

A lot of folks would probably like to stick one on this guy. I don’t think he has had a problem. There are other ‘high profile’ users.

I do hope they have patched it or something. That Textpattern install seems to be (well, is) rather old. That version they have there is affected by some serious security holes — unless it’s patched.

Last edited by Gocom (2012-08-28 11:09:55)


Rah-plugins | What? I’m a little confused… again :-) <txp:is_god />


2012-08-28 11:19:17

wet
Developer
omega
Real name: Robert
From: Lenzing, Austria
Known languages: de-AT, en, PL/M-80

Re: Security and performance

Gocom wrote:

Textpattern websites become very heavy on resources easily.

Resident memory sizes of typical blog-style sites on a Debian 6 server for comparison:

  • Textpattern 4.5.0-beta: 16…18 MB
  • WordPress 3.4.1: 36…40 MB


2012-08-28 11:43:07

Gocom
Developer
omega
Real name: Jukka Svahn

Re: Security and performance

I would be very surprised if Textpattern used even closely what WP uses. It would be some type of victory, I suppose.

For your typical plain boring blog-style page Textpattern doesn’t do more than fetch a few rows from the database, while WP — at which point did it process article contents and markup, oh…

Last edited by Gocom (2012-08-28 11:44:01)


Rah-plugins | What? I’m a little confused… again :-) <txp:is_god />


2012-08-29 20:58:12

lucass
Member
beta

Re: Security and performance

Thanks guys!


2012-08-30 08:01:18

springworks
Member
epsilon
Real name: Steve

Re: Security and performance

Gocom wrote:

I do hope they have patched it or something. That Textpattern install seems to be (well, is) rather old. That version they have there is affected by some serious security holes — unless it’s patched.

ExpressionEngine is running most of that site. There might be an old Textpattern login page showing, but view source shows all the signs of EE everywhere.


2012-08-30 10:06:51

Gocom
Developer
omega
Real name: Jukka Svahn

Re: Security and performance

springworks wrote:

ExpressionEngine is running most of that site. There might be an old Textpattern login page showing, but view source shows all the signs of EE everywhere.

It doesn’t matter what runs the site. Textpattern is installed there, which means those very old security holes are there too which could compromise the server.

The site itself doesn’t need to be active. Old Textpattern versions listen to a few HTTP POST parameters. These parameters can be accessed without authentication and can be used to run any server-side PHP code on the server. Works by simply running:

HTTP/1.1 POST http://example.com/textpattern someParam1=1&someParam2=<txp:php> /* some PHP code here */ </txp:php>

This is a very well known vulnerability first discovered and brought up years ago by Neal Poole. Was fixed in Textpattern v4.4.0. I’ve substituted the real field names to offer some false sense of security. These fields are well known and can be found by looking at Textpattern’s changelog/changes or Neal’s blog for instance.

Last edited by Gocom (2012-08-30 10:30:52)


Rah-plugins | What? I’m a little confused… again :-) <txp:is_god />
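As an added example (not from this thread or the Textpattern project), the following script shows the defender's side of what Gocom describes: it flags POST bodies in which any parameter value carries a txp:php tag, regardless of the parameter name (since the real field names are deliberately not on this page), and checks a Textpattern version string against the 4.4.0 fix release mentioned above. The request records are constructed sample data; the version file location is not assumed, the version string is passed in.

```python
import re
from urllib.parse import parse_qsl

# A Textpattern PHP tag, tolerant of case and whitespace:
# matches "<txp:php>", "<TXP:PHP >" and "<txp:php />".
TXP_PHP_TAG = re.compile(r"<\s*txp\s*:\s*php\b", re.IGNORECASE)


def find_txp_php_params(body: str) -> list:
    """Names of POST parameters whose (URL-decoded) value embeds a txp:php tag.

    body is a raw application/x-www-form-urlencoded request body, so
    percent-encoded forms such as %3Ctxp%3Aphp%3E are decoded before matching.
    """
    return [name for name, value in parse_qsl(body, keep_blank_values=True)
            if TXP_PHP_TAG.search(value)]


def is_vulnerable_version(version: str, fixed: str = "4.4.0") -> bool:
    """True if a Textpattern version string predates the fix release.

    The thread states the fix landed in 4.4.0; suffixes like "-beta" are
    ignored and missing components are padded with zeros.
    """
    def key(v):
        parts = [int(p) for p in re.findall(r"\d+", v)[:3]]
        return tuple(parts + [0] * (3 - len(parts)))
    return key(version) < key(fixed)


def scan_requests(requests: list) -> list:
    """Return (ip, path, flagged_params) for each request worth alerting on."""
    alerts = []
    for req in requests:
        hits = find_txp_php_params(req["body"])
        if hits:
            alerts.append((req["ip"], req["path"], hits))
    return alerts


# Constructed sample records (hypothetical IPs and parameter names, as in the post).
SAMPLE_REQUESTS = [
    {"ip": "198.51.100.7", "path": "/textpattern",
     "body": "someParam1=1&someParam2=%3Ctxp%3Aphp%3E+echo+1%3B+%3C%2Ftxp%3Aphp%3E"},
    {"ip": "203.0.113.9", "path": "/textpattern",
     "body": "title=hello&body=plain+text"},
]

if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS):
        print("txp:php tag in POST params %s from %s to %s" % (alert[2], alert[0], alert[1]))
```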


Powered by FluxBB