Bedrock security concerns

Hi everyone,

I would like to ask you about Bedrock security.

WordPress has a great security team and dozens of pentesters and security experts from the community. Everything works like a charm. As a community, we have a lot of information about testing WP security, and we also have many security holes and fixes for them.

But what exactly do we know about Bedrock’s security? Do we know anything about pentesting Bedrock’s part of the code? Do we know anything about security policy about security testing, about testing required dependencies?

This is my security concern because I don’t have any information about it.


Bedrock itself doesn’t have that much code, and most of it is calling WordPress APIs and setting WordPress constants. Of course that doesn’t mean that Bedrock couldn’t cause security issues, especially since Bedrock does have its own configuration layer.

Roots has never paid for an official security audit of Bedrock or done any official “pentesting”.

But since Bedrock is open source, I’d encourage you to audit the code, do your own testing, and then make a decision on whether to use it or not.