Debian User Forums

[kedaha]

There are only a few wordpress themes which have been packaged for Debian; in the current stable repository there are:
twentyfifteen
twentysixteen
twentyseventeen

and the only plugins are
xrds-simple
shibboleth.

There are plenty of other wordpress themes out there but they're usually demos of premium versions and the same applies to the plugins too. There are security concerns also when installing from non-Debian sources.

It's possible to customise the themes packaged by Debian by creating Child_Themes, but it's not exactly the lazy man's option.

I just use the default packaged themes and customize them but, it'd be interesting to know —perhaps with a view to packaging them— what your favourite wordpress themes and plugins are, whether they be from the Debian repository or not but preferably wholly free ones rather than demos where the full range of features is only available on acquiring the premium versions.

Thank you for reading and for any comments.

[TonyT]

I write my own themes and plugins. Sometimes I use a free theme for clients.

There are security concerns also when installing from non-Debian sources

.
There is no security risk using themes and plugins from wordpress.org, there are thousands of them.
Themes and plugins don't get installed from debian sources anyway, they get installed from the wordpress admin section (domain.com/wp-admin) or by manually uploading and activating them.

[HuangLao]

Academia theme
WooCommerce
jetpack
wordfence
akismet
contact form 7
bbpress (for forum)
captcha
S2 member framework

and others......

[GarryRicketson]

I write my own themes and plugins. Sometimes I use a free theme for clients.

There are security concerns also when installing from non-Debian sources

.
There is no security risk using themes and plugins from wordpress.org, there are thousands of them.
Themes and plugins don't get installed from debian sources anyway, they get installed from the wordpress admin section (domain.com/wp-admin) or by manually uploading and activating them.

Maybe , maybe not,

From: http://thecyberrecce.net/2017/01/29/installing-wordpress-on-openbsd-6-0-with-httpd/
Conclusion

WordPress becomes insecure when adding plugins, which introduces the majority of new vulnerabilities. As such, attempt to avoid unnecessary plugins and themes and uninstall them once they are unneeded. Also enable auto-updates. There are quite further actions you can take to harden your WordPress install, and I’d recommend reading the reference at [1]. You can also review the database permissions you have granted to the “wp_user” in MariaDB, and possibly restrict them to simply INSERT/UPDATE/SELECT/DELETE instructions. Then test your installation with wp-scan, a great, free and open-source WordPress vulnerability assessment.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9603

I am not claiming or saying a WordPress site can not be kept secure, how ever
one should not just blindly assume , "There is no security risk using themes and plugins from wordpress.org, there are thousands of them."

There are , but most are documented and many have solutions , for example:

From : https://www.exploit-db.com/exploits/42172/1. Description:



SQL injection vulnerability in the WP Jobs plugin before 1.5 for WordPress
allows authenticated users to execute arbitrary SQL commands via the jobid
parameter to wp-admin/edit.php.
2. Proof of Concept:
http://[wordpress_site]/wp-admin/edit.php?post_type=job&page=WPJobsJobApps&j
obid=5 UNION ALL SELECT NULL,NULL,NULL,@@version,NULL,NULL-- comment
3. Solution:
A new version of WP Jobs is available. Update the WordPress WP Jobs to the
latest version.

Even at a WordPress site, says:

https://codex.wordpress.org/Hardening_WordPress
Themes / Plugins

The vulnerabilities most affecting WordPress website owners stem from the platform's extensible parts, specifically plugins and themes. These are the #1 attack vector being exploited by cyber criminals to hack and otherwise misuse WordPress sites.

These vulnerabilities are usually not introduced intentionally, they are a result of mistakes and oversights during development. Many plugin and theme developers are not highly versed in security, and so they are prone to inadvertently write vulnerable code. As vulnerabilities are discovered, developers usually address them by releasing updates. If a plugin is no longer being actively maintained however, it may remain vulnerable, and should no longer be used. It's important that you take an inventory of all the plugins the website uses and subscribe to the developer's mailing list to ensure you stay current with the latest updates. Avoid plugins that are not being actively maintained.

My favourite theme is the older default theme:
twentyfifteen, and it is still maintained, etc.

Version: 1.8

Last updated: June 7, 2017

Active Installs: 500,000+

[kedaha]

Thanks TonyT, HuangLao & GarryRicketson for your replies; most interesting!

@HuangLao: Isn't it academica, not "academia." I hadn't come across the wordfence plugin, in spite of its 2+ million downloads.
I'm in the process of overhauling my system and decided to apt-get install wordpress from jessie-backports:

Code: Select all

# apt-cache policy wordpress
wordpress:
  Installed: 4.7.5+dfsg-2~bpo8+1
  Candidate: 4.7.5+dfsg-2~bpo8+1
  Version table:
 *** 4.7.5+dfsg-2~bpo8+1 0
        100 ftp://ftp.stratoserver.net/pub/linux/debian/ jessie-backports/main amd64 Packages
        100 /var/lib/dpkg/status
     4.1+dfsg-1+deb8u14 0
        500 ftp://ftp.stratoserver.net/pub/linux/debian/ jessie/main amd64 Packages
        500 ftp://ftp.stratoserver.net/pub/linux/debian-security/ jessie/updates/main amd64 Packages

I also decided to keep the default file permissions, which are:

Code: Select all

# cd /var/lib/wordpress/wp-content/
root@xxxxxxxx:/var/lib/wordpress/wp-content# ls
index.php  languages  plugins  themes  uploads
root@xxxxxxxx:/var/lib/wordpress/wp-content# ls -l
total 28
-rw-r--r-- 1 www-data www-data    28 May 17 14:06 index.php
drwxr-xr-x 2 www-data www-data 12288 Aug 15 18:21 languages
drwxr-xr-x 4 www-data www-data  4096 Aug 19 07:07 plugins
drwxr-xr-x 3 www-data www-data  4096 Aug 19 07:07 themes
drwxr-xr-x 3 www-data www-data  4096 Aug 15 18:50 uploads
root@xxxxxxx:/var/lib/wordpress/wp-content# cd plugins
root@xxxxxxxx:/var/lib/wordpress/wp-content/plugins# ls -l
total 8
lrwxrwxrwx 1 root root   47 Aug 15 18:21 akismet -> /usr/share/wordpress/wp-content/plugins/akismet
drwxr-xr-x 2 root root 4096 Jun 23 21:51 call-now-button
lrwxrwxrwx 1 root root   49 Aug 15 18:21 index.php -> /usr/share/wordpress/wp-content/plugins/index.php
drwxr-xr-x 7 root root 4096 Aug  5 00:36 si-contact-form
root@xxxxxxxxx:/var/lib/wordpress/wp-content/plugins# cd ..
root@xxxxxxxx:/var/lib/wordpress/wp-content# cd themes
root@hxxxxxx:/var/lib/wordpress/wp-content/themes# ls -l
total 4
drwxr-xr-x 6 root root 4096 Jan 24  2017 simple-bootstrap
lrwxrwxrwx 1 root root   54 Jun  5 22:53 twentyseventeen -> /usr/share/wordpress/wp-content/themes/twentyseventeen

Well, you can see that, apart from the default theme twentyseventeen, which, by the way, I'm more than pleased with, I also have another theme named simple-bootstrap and two plugins, apart from akismet, which is there by default, namely: call-now-button and si-contact-form.
The additional theme, I downloaded from within the themes directory with wget and extracted there. I used the same method to enable the plugins.

@GarryRicketson: Regarding security, as can be seen from the above, both themes and plugins work fine when it's done this way without changing any of the default, secure file permissions consequent to the installation from the Debian repository.

it's interesting to read in /usr/share/doc/wordpress$ zcat README.Debian.gz:

#### Default themes and external servers

The themes shipped with Debian packages called wordpress-theme-twenty*
require to be able to download font and style sheets from external
Content Delivery Networks (CDNs) such as googleapis. This may or may
not be a problem but it may leak information about people visiting
your website.

For most people, this is fine. However if it is a problem for you,
choose a theme that doesn't use external resources or try using a
plugin such as disable-google-fonts.

Finally, I also tried to package the simple-bootstrap theme, i.e., make a debian package which I then installed but, unlike extracting the downloaded file directly into the themes directory, it didn't work. But I'll continue with my packaging efforts and if I get stuck I'll have to consult the forums' packaging guy. Who might that be?

[TonyT]

GarryRicketson

Agreed, yes, there are some security risks using some plugins.
One of the great benefits of Wordpress is the large number of available plugins. However, I think that benefits the Web developer who does not know Wordpress functions and who does not want to spend time manually creating templates with custom functions. Some plugins, such as the lightbox based ones and other "necessary-for-the-specific-site" ones are well worth using.

All too often though I've had to do work at client sites that have degraded in performance due to 10 or twenty unnecessary plugins that their local admin installed.

--------------------------

I always install Wordpress manually by first creating the db and user, uploading all the WP unpacked files, then lastly uploading the edited wp-config.php, then using the WP built in installer at first visit to site. After setup and adjusting in the admin area, I ssh and rapidly set file permissions using:
cd /public_html (site root)

Code: Select all

find * -type d -print0 | xargs -0 chmod 0755 # for directories
find . -type f -print0 | xargs -0 chmod 0644 # for files

Then I just set wp-content/uploads to world writable. And if I'm not mistaken, WP will create the uploads dir and set its permissions automatically now.

--------------------------

That said, the plugins I use most are:
simple lightbox
mailchimp for wordpress
reveal ids (displays post and page IDs in admin area)
tinymce advanced

Most all else I need is accomplished by adding functions to the theme or child theme functions.php. And today I most always use a child theme or create one if not already made.

[TonyT]

Finally, I also tried to package the simple-bootstrap theme, i.e., make a debian package which I then installed but, unlike extracting the downloaded file directly into the themes directory, it didn't work. But I'll continue with my packaging efforts and if I get stuck I'll have to consult the forums' packaging guy. Who might that be?

Why bother trying to package a theme when all you have to do is put the theme in wp-content/themes and activate it from the WP admin area? I find it best to let Wordpress manage the installations of themes and plugins and let the server OS manage the installations of server packages such as apache, php, mysql, perl, etc. Get to know and use the built in Wordpress features and functions and life will be easier.

The best feature of Wordpress is its extensive documentation. Better than any other out there. Here are the ones I've used most:

https://codex.wordpress.org/Installing_ ... te_Install
https://api.wordpress.org/secret-key/1.1/salt/ (salt for wp-config.php)
https://codex.wordpress.org/Template_Tags
https://developer.wordpress.org/themes/ ... hierarchy/
https://codex.wordpress.org/Function_Reference
https://codex.wordpress.org/Roles_and_Capabilities
https://codex.wordpress.org/Child_Themes

[kedaha]

Why bother trying to package a theme when all you have to do is put the theme in wp-content/themes and activate it from the WP admin area? I find it best to let Wordpress manage the installations of themes and plugins and let the server OS manage the installations of server packages such as apache, php, mysql, perl, etc. Get to know and use the built in Wordpress features and functions and life will be easier.

That's the way I did it before after changing the file permissions but I like to experiment.
Why install from the latest tarball, from the upstream site rather than use the official package(s) from Debian?
Thank you very much for posting the Wordpress documentation; I'll be using and perusing it a lot.

[roiben]

https://wordpress.org/plugins/mobile-tabs/
LOOKS ALSO LIKE USFUL PLUGIN
https://he.wordpress.org/plugins/elementor/
ALSO VERY POPLUAR AND FREE
https://wordpress.org/plugins/wordpress-seo/
ONE OF THE BEST SEO PLUGINS AND FREE