Calling this a security model is probably a stretch, but the first thing I do when installing any web-facing software is determine which features I can remove, disable, or otherwise make unavailable. I’ll review:

- Dependencies, to see if I can avoid installing any. For example, I don’t need XML-RPC packages if I never intend to use features that depend on them, and won’t ever have them enabled or exposed.
- Plugins, add-ons, extensions, and extra themes, which I move aside and then delete once I’ve confirmed they’re extraneous.
- Features which I disable in configuration files or the web UI. (I don’t edit source files if I can help it, so I don’t deviate from upstream and cause problems with updates.)
- Endpoints I can block (or selectively expose) at the web server without breaking the core functionality of the software.

Admittedly, “core functionality” is a load-bearing phrase. What one person might consider such, I may not. But being the sysadmin, I get to make this choice based on my…
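As an added illustration of the last point (blocking or selectively exposing endpoints at the web server), here is an nginx fragment; it is not from the original post, and the hostname, the `/xmlrpc` and `/admin/` paths, the upstream port and the `203.0.113.0/24` management network are all hypothetical placeholders:

```nginx
# Added example, not part of the original post.
# Assumptions: the application listens on 127.0.0.1:8080, exposes an XML-RPC
# endpoint at /xmlrpc that is never used, and an /admin/ UI that should only
# be reachable from a management network (203.0.113.0/24, a placeholder).
server {
    listen 443 ssl;
    server_name app.example.com;

    # Endpoint the software ships but I never use: refuse it at the web server
    # so requests never reach the application code behind it.
    location = /xmlrpc {
        return 403;
    }

    # Endpoint I do need, but only from the management network.
    location /admin/ {
        allow 203.0.113.0/24;
        deny all;
        proxy_pass http://127.0.0.1:8080;
    }

    # Everything else is core functionality and is proxied as normal.
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

After a reload, a quick `curl -sI https://app.example.com/xmlrpc` from outside the management network should return 403, and the same request against `/admin/` should also be refused; anything that still returns 200 is a hint that the software exposes the feature on an alternate path as well and needs a second look.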