Security overview
This explanation covers several security-related topics for the WordPress charm.
Secrets
Secrets required to operate the WordPress application are generated by the WordPress charm using Python's secrets standard library module. The following fields in the WordPress configuration are generated by the charm:
auth_key
secure_auth_key
logged_in_key
nonce_key
auth_salt
secure_auth_salt
logged_in_salt
nonce_salt
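As an added illustration (not the charm's own code), the following shows how the eight values listed above can be generated with Python's secrets module, validated for completeness and uniqueness, rotated so that no old value survives, and rendered as the define() lines WordPress reads from wp-config.php. The 64-character length and the character set are assumptions for this example.

```python
import secrets
import string

# The eight WordPress key/salt fields the charm generates.
SECRET_FIELDS = (
    "auth_key", "secure_auth_key", "logged_in_key", "nonce_key",
    "auth_salt", "secure_auth_salt", "logged_in_salt", "nonce_salt",
)
# Assumed for this example: 64 printable characters, excluding quotes and
# backslash so the values can be emitted as single-quoted PHP strings
# without any escaping.
SECRET_LENGTH = 64
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in "'\"\\"
)


def generate_secret(length: int = SECRET_LENGTH) -> str:
    """Return one value drawn with the CSPRNG-backed secrets.choice()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_wordpress_secrets() -> dict[str, str]:
    """Generate a fresh, independent value for every key and salt."""
    return {field: generate_secret() for field in SECRET_FIELDS}


def validate_wordpress_secrets(values: dict[str, str]) -> bool:
    """Check the set is complete, well-formed, and reuses no value."""
    if set(values) != set(SECRET_FIELDS):
        return False
    for value in values.values():
        if len(value) != SECRET_LENGTH or set(value) - set(ALPHABET):
            return False
    return len(set(values.values())) == len(SECRET_FIELDS)


def rotate_wordpress_secrets(current: dict[str, str]) -> dict[str, str]:
    """Produce a replacement set in which no current value survives."""
    while True:
        fresh = generate_wordpress_secrets()
        if not set(fresh.values()) & set(current.values()):
            return fresh


def render_wp_config(values: dict[str, str]) -> str:
    """Render the values as the uppercase define() constants WordPress expects."""
    return "\n".join(
        f"define('{field.upper()}', '{value}');" for field, value in values.items()
    )
```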
Updates
For security and synchronization between Juju charm units, the WordPress charm does not allow automatic updates of the WordPress application itself.
Spam protection
The WordPress charm has built-in spam protection that can be activated by providing the wp_plugin_akismet_key configuration option. For more information about Akismet spam protection, see Akismet's website.
Risks
Application CVEs
WordPress can be vulnerable to new CVEs and may require updates to patch them. In case of exposure to a CVE, it is recommended that you update your WordPress charm and rotate the secrets. See the rotate-secrets action in the how-to guide.
Plugins installation
Plugins that users install through the web UI are periodically deleted by the charm during Juju hook events. Until the next hook event runs, there is a risk that undesired plugins remain installed.
Information security
By default, the WordPress charm configures the WordPress application to use the local container storage for object data, including images and media files. This implies that any loss of data from the underlying file system will result in a loss of data from the WordPress application. To protect against this risk, you can configure the WordPress charm to store objects on an external storage system by configuring wp_plugin_openstack-objectstorage_config. This configuration makes the WordPress charm use the OpenStack Object Storage service as a backend for storing object data.