Textpattern CMS support forum
#1 2012-08-27 21:26:41
- lucass
- Member
- Registered: 2012-07-07
- Posts: 21
Security and performance
Hey guys
I’ve been playing with TXP for a while now and I’m loving it so far. I’m thinking of actually using it for a next project but not sure yet, mostly due to security and performance issues – let’s say I’m designing a site for a well-known movie artist. It will get a very large amount of traffic, so my main concerns are security and performance.
Would you still recommend TXP in this case? Or should I go with another CMS?
Cheers
Re: Security and performance
A lot of folks would probably like to stick one on this guy. I don’t think he has had a problem. There are other ‘high profile’ users.
Last edited by joebaich (2012-08-28 04:47:38)
Re: Security and performance
As CMSes go, Textpattern is one of the more secure ones. Also, due to its quite small footprint it doesn’t require a huge amount of server resources in order to run, which means it can handle a fair amount of traffic. So I’d say it’s a good match for what you want to do.
Might want to turn the user logging off though.
Re: Security and performance
Make sure your server setup uses fast-cgi combined with an opcode cache, which increases speed for any PHP application (not just TXP).
Re: Security and performance
Textpattern websites become very heavy on resources easily. Tags have their shortcomings too. Saying that Textpattern has a small footprint is like saying that an empty canvas is empty. Which is true, but.
joebaich wrote:
A lot of folks would probably like to stick one on this guy. I don’t think he has had a problem. There are other ‘high profile’ users.
I do hope they have patched it or something. That Textpattern install seems to be (well, is) rather old. That version they have there is affected by some serious security holes — unless it’s patched.
Last edited by Gocom (2012-08-28 11:09:55)
Re: Security and performance
Gocom wrote:
Textpattern websites become very heavy on resources easily.
Resident memory sizes of typical blog-style sites on a Debian 6 server for comparison:
- Textpattern 4.5.0-beta: 16…18 MB
- WordPress 3.4.1: 36…40 MB
Re: Security and performance
I would be very surprised if Textpattern used anything even close to what WP uses. It would be some type of victory, I suppose.
For your typical plain boring blog-style page Textpattern doesn’t do more than fetch a few rows from the database, while WP — at which point did it process article contents and markup, oh…
Last edited by Gocom (2012-08-28 11:44:01)
#8 2012-08-29 20:58:12
- lucass
- Member
- Registered: 2012-07-07
- Posts: 21
Re: Security and performance
Thanks guys!
Re: Security and performance
Gocom wrote:
I do hope they have patched it or something. That Textpattern install seems to be (well, is) rather old. That version they have there is affected by some serious security holes — unless it’s patched.
ExpressionEngine is running most of that site. There might be an old Textpattern login page showing, but view source shows all the signs of EE everywhere.
Re: Security and performance
springworks wrote:
ExpressionEngine is running most of that site. There might be an old Textpattern login page showing, but view source shows all the signs of EE everywhere.
It doesn’t matter what runs the site. Textpattern is installed there, which means those very old security holes are there too which could compromise the server.
The site itself doesn’t need to be active. Old Textpattern versions listen to a few HTTP POST parameters. These parameters can be accessed without authentication and can be used to run any server-side PHP code on the server. Works by simply running:
HTTP/1.1 POST http://example.com/textpattern someParam1=1&someParam2=<txp:php> /* some PHP code here */ </txp:php>
This is a very well known vulnerability first discovered and brought up years ago by Neal Poole. Was fixed in Textpattern v4.4.0. I’ve substituted the real field names to offer some false sense of security. These fields are well known and can be found by looking at Textpattern’s changelog/changes or Neal’s blog for instance.
Last edited by Gocom (2012-08-30 10:30:52)
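Added example, not part of the thread or of Textpattern's own code: a server-side inventory that finds every Textpattern copy under a web root, including ones no longer linked from the live site, and flags those older than the v4.4.0 fix mentioned above. It assumes the release is declared as `$thisversion` in `textpattern/index.php`; the directory tree in `demo()` is constructed sample data.

```python
import re
import tempfile
from pathlib import Path

FIXED_IN = (4, 4, 0)  # per the post above: fixed in Textpattern v4.4.0
# Assumption: textpattern/index.php declares the release as $thisversion = '...';
VERSION_RE = re.compile(r"""\$thisversion\s*=\s*['"]([^'"]+)['"]""")

def parse_version(text):
    """'4.2.0' or '4.5.0-beta' -> comparable tuple; None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def scan(root):
    """Map each Textpattern admin directory under root to (version, status)."""
    root, report = Path(root), {}
    for index in sorted(root.rglob("index.php")):
        if index.parent.name != "textpattern":
            continue  # some other application's index.php
        found = VERSION_RE.search(index.read_text(encoding="utf-8", errors="replace"))
        raw = found.group(1) if found else None
        version = parse_version(raw) if raw else None
        if version is None:
            status = "unknown-review"   # cannot tell: inspect by hand
        elif version < FIXED_IN:
            status = "predates-fix"     # upgrade or remove, even if unused
        else:
            status = "ok"
        report[index.parent.relative_to(root).as_posix()] = (raw, status)
    return report

def demo():
    """Run the scan over a constructed tree (sample data, not a real server)."""
    samples = {
        "htdocs/textpattern/index.php": "<?php\n$thisversion = '4.5.0-beta';\n",
        "htdocs/old/textpattern/index.php": "<?php\n$thisversion = '4.2.0';\n",
        "backup/textpattern/index.php": "<?php // version line missing\n",
        "htdocs/index.php": "<?php // front controller of another CMS\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return scan(tmp)

if __name__ == "__main__":
    for where, (raw, status) in demo().items():
        print(f"{status:15} {raw or '-':12} {where}")
```

A version string cannot show whether a fix was backported by hand, so a `predates-fix` result means the copy needs upgrading, removal or manual review rather than proving it is exploitable.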
Re: Security and performance
I’m not sure if any of you already did so, but I just used their contact form to send them a warning about a possibly outdated, vulnerable TXP version installed on that website.
#12 2012-09-03 14:24:30
- phpnotebook
- New Member
- Registered: 2012-09-03
- Posts: 4
Re: Security and performance
I’d like to give my twopence on the matter of performance. While I’ve just set up the blog, I’m quite pleased with the performance, and that’s with hacking around (which has caused a performance drop). I host the blog on a Windows server so you wouldn’t expect performance to be great, but like I said I’ve had no problems with performance.