
Application Security Review Request : Foundation-supported WordPress installations
Status: Open, Needs Triage. Visibility: Public

Description

Project Information

  • Name of tool/project: Diff, Wikimedia Foundation site, Wikimedia Endowment
  • Project home page: diff.wikimedia.org, wikimediafoundation.org, wikimediaendowment.org
  • Name of team requesting review: Communications
  • Primary contact: Chris Koerner, Sara Campos
  • Target date for deployment: Already in production
  • Link to code repository / patchset:

Publicly accessible repos, mirrored from prod:

Description of the tool/project:
WordPress-based sites managed by the Wikimedia Foundation.

Description of how the tool will be used at WMF:
Various external and community-facing platforms for communication.

Dependencies

List dependencies, or upstream projects that this project relies on.

Has this project been reviewed before?

Please link to tasks or wiki pages of previous reviews.

Working test environment

Please link or describe setup process for setting up a test environment.

Access to dev environments can be provided.

Post-deployment

Name of team responsible for tool/project after deployment and primary contact.

Sara Campos, Chris Koerner

Since launching the Communications department-supported WordPress websites numerous years ago, we have made many configuration changes to the sites, including consolidating many of our security settings into a single WordPress plug-in that is deployed across all sites. A recent, rather benign, issue (T422587) came up that indicated a misconfiguration in our security settings. In light of this, and given that the landscape of the Internet has changed over the last 5 to 7 years*, we'd like to ask the security team to review our current WordPress-based sites and provide an assessment of their settings.

*Not to mention numerous updates to code via Plugins and configuration changes that have not been reviewed with a security-minded eye.

Details

Risk Rating: Low